Account security: MFA and recovery codes
Two-factor authentication (2FA) adds a second step to your sign-in: after your password, you enter a 6-digit code from an authenticator app on your phone. Recovery codes are your backup if you lose that phone. Set this up if your account can see anything you would not want exposed by a stolen password, which in a compliance workspace is everything.
2FA is per user. Enabling it protects your own sign-in only, not the whole organization.
Before you start
- The 2FA controls live in Settings > Security, and the Settings area is only visible to org admins. If you are not an admin, ask your admin about access.
- Install an authenticator app on your phone first: Google Authenticator, 1Password, Authy, or any app that supports time-based (TOTP) codes.
- Have a password manager or another safe place ready for your recovery codes.
Enable two-factor authentication
- Open Settings in the side nav, then pick the Security tab.
- In the Two-factor authentication card, click Enable 2FA.
- A dialog titled "Enable two-factor authentication" opens. It shows two values:
- Setup key (secret): type or paste this into your authenticator app as a new time-based (TOTP) entry.
- otpauth link: paste this into an app that accepts otpauth links instead.
- Your authenticator app now shows a 6-digit code for CompStack that changes every 30 seconds.
- Enter that code in the 6-digit code field and click Verify & enable.
- On success you see "Two-factor authentication enabled." and the card shows a green Enabled tag with a row like "Authenticator app, TOTP, added 2026-07-09".
If you close the dialog with Cancel before verifying, the half-finished setup is discarded and 2FA stays off.
Save your recovery codes
Right after enrollment succeeds, a dialog titled Save your recovery codes appears with 8 codes in the format XXXX-XXXX-XXXX.
- Click Copy all and paste the codes into your password manager, or write them down.
- Click I saved them to close the dialog.
Important facts about these codes:
- They are shown once. CompStack stores only hashes, so nobody can show them to you again.
- Each code works once.
- Using a recovery code at sign-in disables 2FA on your account (see below).
If you lose the codes but still have your authenticator, click Regenerate recovery codes in the Security tab. Confirm the "Regenerate recovery codes?" dialog. Your old codes stop working and a new set of 8 is shown once.
Sign in with 2FA
- Go to the sign-in page and enter your email and password as usual.
- You land on the Two-factor authentication page (
/mfa-challenge). You cannot skip this page; deep links are pinned here until you verify. - Enter the 6-digit code from your authenticator app in the Verification code field.
- Click Verify. On success you continue to the Dashboard.
If you are on the wrong account, use the "Sign out and use a different account" link at the bottom.
Sign in with a recovery code (lost phone)
- On the Two-factor authentication page, click Use a recovery code. This link only appears if you still have unused codes.
- Enter one of your saved codes in the Recovery code field (dashes and case do not matter).
- Click Use recovery code.
- A dialog confirms: your code was accepted and two-factor authentication has been turned off for your account. Your remaining recovery codes no longer work either.
- Click Continue to reach the Dashboard.
- Go to Settings > Security and enable 2FA again with your new device as soon as you can.
This is by design: a recovery code cannot stand in for an authenticator long-term, so redeeming one resets 2FA instead. Treat recovery sign-in as a one-time escape hatch, not a routine.
Disable two-factor authentication
- Go to Settings > Security.
- In the Two-factor authentication card, click Disable 2FA.
- Confirm the "Disable two-factor authentication?" dialog by clicking Disable 2FA.
- You see "Two-factor authentication disabled." Your recovery codes are deleted at the same time. You can re-enable 2FA at any time.
Try it
- Open Settings > Security. Expected: a Two-factor authentication card with an Enable 2FA button, and an audit log below it.
- Click Enable 2FA and add the setup key to your authenticator app. Expected: the app shows a 6-digit code that changes every 30 seconds.
- Enter a wrong code and click Verify & enable. Expected: error "Invalid or expired code. Please try again."
- Enter the correct code. Expected: "Two-factor authentication enabled." followed by the Save your recovery codes dialog with 8 codes.
- Click Copy all. Expected: "Recovery codes copied." and the codes are on your clipboard.
- Sign out and sign back in. Expected: after your password you land on the Two-factor authentication page and must enter a code before reaching the Dashboard.
- On the challenge page, click Use a recovery code and enter one saved code. Expected: a dialog says 2FA has been turned off, then you continue to the Dashboard.
- Return to Settings > Security. Expected: the card shows Enable 2FA again, because the recovery sign-in reset 2FA.
- Re-enroll, then click Regenerate recovery codes and confirm. Expected: a fresh set of 8 codes is shown once.
If something goes wrong
- "Enter the 6-digit code from your app.": the code must be exactly 6 digits. Spaces are fine (they are stripped), but letters and shorter codes are rejected.
- "Invalid or expired code. Please try again.": TOTP codes expire quickly. Wait for the app to show a fresh code and enter it right away. Also check your phone's clock is set automatically; a skewed clock breaks TOTP.
- "Enter one of your 12-character recovery codes (like ABCD-EFGH-JKMN).": recovery codes are 12 characters in three groups. The alphabet never contains 0, 1, I, L, O, or U, so if you wrote down one of those characters, re-read your note.
- "That recovery code is not valid or has already been used.": each code is single use, and regenerating or disabling 2FA burns all old codes. Try another saved code, or contact your admin if none work.
- The "Use a recovery code" link is missing: you have no unused recovery codes on file. You cannot recover this way; you need your authenticator app.
- Stuck on the challenge page with no way in: click "Sign out and use a different account", or ask an admin for help. The page cannot be bypassed by typing another URL.
- "Could not generate recovery codes" right after enrollment: the codes failed to save. Click Regenerate recovery codes in Settings > Security to mint a set.
Related pages: Admin and onboarding, Org data export and inviting members.
← Back to CompStack