Multi-factor authentication (MFA)

Multi-factor authentication adds a second factor to your account. When enabled, you need both your password and a time-based code from an authenticator app to sign in.

Why enable MFA

CRA compliance requires strong access controls for sensitive data. MFA reduces the risk of account compromise, even if your password is exposed.

Enterprise security policies often mandate MFA for all users accessing compliance data. Enabling MFA now prepares you for these requirements.

Prerequisites

Before you begin, install an authenticator app on your mobile device:

App                      Platforms
Google Authenticator     iOS, Android
Microsoft Authenticator  iOS, Android
Authy                    iOS, Android, Desktop
1Password                iOS, Android, macOS, Windows

Any TOTP-compatible app will work.

Set up MFA

  1. Navigate to Settings > Security.
  2. Click Enable MFA.
  3. A QR code appears on screen.

Scan the QR code

Open your authenticator app and scan the QR code displayed.

Tip: If you cannot scan the code, click Show manual setup to reveal a text code you can type into your app.

Verify your code

Enter the six-digit code from your authenticator app. The code changes every 30 seconds.

Note: TOTP codes are time-sensitive. If verification fails, ensure your device's clock is accurate and synced automatically.

Save your backup codes

After verification, you receive ten backup codes. Each code can be used once if you lose access to your authenticator app.

Warning: This is the only time you will see these codes. Copy them now and store them securely, in a password manager or printed in a safe location. If you lose both your authenticator and backup codes, only an administrator can restore access.

Sign in with MFA

  1. Enter your email and password as usual.
  2. On the MFA verification screen, open your authenticator app.
  3. Enter the current six-digit code.

The code is case-insensitive and spaces do not matter.

If you do not have your authenticator app, click Use backup code and enter one of your saved codes.

Manage MFA settings

Navigate to Settings > Security to view your MFA status, including when it was activated and how many backup codes remain.

Regenerate backup codes

If you have used several codes or suspect they are compromised:

  1. Go to Settings > Security.
  2. Click Regenerate backup codes.
  3. Store the new codes securely.

This invalidates all previous backup codes.

Disable MFA

  1. Go to Settings > Security.
  2. Click Disable MFA.
  3. Enter a code from your authenticator app to confirm.

Caution: Only disable MFA if necessary (e.g., switching devices). Re-enable it immediately afterward.

Organisation MFA requirements

Administrators can require MFA for all organisation members. When MFA is required:

  • New users must set up MFA before accessing the application
  • Existing users see a mandatory setup screen at their next login
  • Users cannot disable MFA themselves

Look for the MFA Required badge on the Security settings page.

Troubleshooting

Code not working

Symptom                  Solution
Code rejected            Wait for a new code (they change every 30 seconds)
Codes consistently fail  Check device clock is accurate and auto-syncing
Still failing            Remove the account from your authenticator and set up MFA again

Lost authenticator app

Use a backup code to sign in. If you have no backup codes, contact your organisation administrator. They can reset your MFA from the Members page.

Lost both authenticator and backup codes

Only an organisation administrator or owner can restore access. They must verify your identity through another channel before resetting your MFA.

Security best practices

Practice                     Why it matters
Use a separate device        If your laptop is compromised, your phone still protects your account
Back up your authenticator   Apps like Authy offer encrypted cloud backups for device transfers
Store backup codes securely  Use a password manager or physical safe. Never an unencrypted file
Never share codes            Legitimate support will never ask for MFA codes

Last updated April 21, 2026