Skip to content

Two-factor authentication

Two-factor authentication adds a second check beyond your password: a time-based one-time code (TOTP) from an authenticator app. Even if your password is ever compromised, a sign-in attempt still needs the code from your device.

When you enable it, GrowthOS shows a QR code to scan with an authenticator app and generates a set of one-time backup codes. The backup codes exist for the case where you lose access to your authenticator device; each one works exactly once.

This is a personal security setting, tied to your account rather than any single workspace, so enabling it protects your access across every organization you belong to.

  • Enable TOTP two-factor authentication with an authenticator app.
  • Generate and download backup codes for device-loss scenarios.
  • Verify a login challenge with a code when signing in from a new device.
  • Disable and re-enable two-factor authentication if you change authenticator apps.
  • Hardening your personal account security, ideally during first login.
  • Before traveling or using new devices where account security matters more.
  • Immediately after any suspicion that your password may have leaked.
  • A signed-in member account.
  • An authenticator app installed on your phone (for example Google Authenticator or Authy).
  • Account menu → Security → Two-factor authentication
  • Direct route: /settings/security/2fa
  1. Open /settings/security/2fa.
  2. Start the setup flow and scan the QR code with your authenticator app.
  3. Enter the generated code to confirm the app is linked correctly.
  4. Save the backup codes somewhere secure, outside the app.
  5. Sign out and sign back in to confirm the challenge works as expected.
  6. Revisit this page if you switch authenticator apps or lose your device.
  • Two-factor authentication shows as enabled on this page.
  • You have backup codes stored somewhere safe outside the app.
  • Signing in from a new device correctly prompts for a code.
  • Store backup codes offline immediately after enabling; do not rely on memory.
  • Use an authenticator app rather than SMS where possible, since SMS is easier to intercept.
  • Re-generate backup codes if you ever suspect they were exposed.
  • Enabling two-factor authentication without saving backup codes, then losing access when the phone is lost.
  • Assuming two-factor authentication is workspace-specific; it protects your whole account.
  • Postponing setup indefinitely instead of doing it during first login when it is top of mind.