Secure your account with two-factor authentication
All roles
Multi-factor authentication (MFA) adds a second layer of security to your account. After you enable MFA, signing in requires both your password and a time-based one-time code from an authenticator app (such as Google Authenticator, Authy, or Microsoft Authenticator).
Platform Admins (StandShare staff) are required to have MFA enabled in production and cannot disable it.
Enable MFA
- Sign in to StandShare.
- Open your account menu (your name or avatar in the top-right corner) and click Settings.
- Select the Security tab.
- Under Multi-Factor Authentication, click Enable MFA.
- A QR code is displayed.
- Open your authenticator app and scan the QR code. Alternatively, click Show setup key to copy the text key and enter it manually in your app.
- Your authenticator app generates a 6-digit code that refreshes every 30 seconds.
- In StandShare, enter the current 6-digit code in the Verification Code field.
- Click Verify and Enable.
MFA is now active on your account. Every subsequent sign-in will prompt you for a verification code after your password.
If you need to set up MFA on a second device, scan the same QR code from another authenticator app before clicking Verify and Enable. After setup is complete, both apps will generate valid codes.
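Why two apps that scanned the same QR code show the same 6-digit code, as an added example (not StandShare's code): the QR code carries one shared setup key, and each app derives the code from that key and the current 30-second window. The sketch assumes the standard RFC 6238 algorithm with HMAC-SHA1, which is the default in common authenticator apps; the page does not state which algorithm StandShare uses. The sample key and the clock-drift tolerance in `verify` are also assumptions.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the page: codes refresh every 30 seconds
DIGITS = 6          # the page: 6-digit codes


def totp(setup_key: str, unix_time: float) -> str:
    """Code for one moment, per RFC 6238 with HMAC-SHA1 (assumed algorithm)."""
    b32 = setup_key.replace(" ", "").upper()          # keys are often shown in groups
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(setup_key: str, code: str, unix_time: float, drift_steps: int = 1) -> bool:
    """Server-side check; drift_steps tolerates clock skew (assumed policy)."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * STEP_SECONDS
        if t < 0:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(setup_key, t), code):
            return True
    return False


# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in base32.
SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    phone, tablet = totp(SETUP_KEY, 59), totp(SETUP_KEY, 59)
    print(phone, tablet, phone == tablet)   # two apps, one key, identical codes
    print(totp(SETUP_KEY, 60))              # next 30-second window, different code
```

Because the setup key alone is enough to generate valid codes, treat the QR code and the text key with the same care as the recovery codes.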
Save your recovery codes
Immediately after enabling MFA, StandShare displays 10 one-time recovery codes. These codes let you access your account if you ever lose access to your authenticator app.
- After enabling MFA, the Recovery Codes screen appears automatically.
- Click Copy all codes or Download codes to save them.
- Store the codes somewhere secure — a password manager, a printed sheet in a safe, or another offline location.
- Click I have saved my codes to dismiss the screen.
Each recovery code can only be used once. After it is used, it is permanently invalidated.
StandShare warns you when fewer than 5 of your 10 codes remain. When you see that warning, regenerate your codes.
If you lose both your authenticator app and your recovery codes, you will not be able to sign in. Contact your organization administrator to request account recovery.
Sign in using a recovery code
If you cannot access your authenticator app:
- On the MFA prompt during sign-in, click Use a recovery code instead.
- Enter one of your saved recovery codes.
- Click Verify.
You are signed in. The code you used is now invalidated. Consider regenerating your recovery codes after regaining access, as described under Regenerate recovery codes below.
Regenerate recovery codes
If you have used several codes or believe your codes may be compromised:
- Go to Settings > Security.
- Under Multi-Factor Authentication, click Manage MFA.
- Click Regenerate Recovery Codes.
- Enter your current 6-digit authenticator code to confirm.
- Your previous recovery codes are immediately invalidated.
- Save the new set of 10 codes in a secure location.
Account lockout after failed attempts
After 5 consecutive failed MFA code entries, your account is locked for 30 minutes. During the lockout period:
- You cannot sign in using a TOTP code.
- You can sign in using a recovery code.
- The lockout clears automatically after 30 minutes.
If you are locked out and do not have recovery codes, contact your organization administrator.
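The lockout and recovery-code rules described above, modelled as a small state machine in an added example (not StandShare's implementation). `MfaAccount` and its methods are hypothetical names. The model assumes that failed recovery-code entries do not count toward the lockout and that a recovery sign-in does not clear the 30-minute timer, since the page states neither.

```python
from dataclasses import dataclass

MAX_FAILURES = 5            # page: 5 consecutive failed MFA code entries
LOCKOUT_SECONDS = 30 * 60   # page: account is locked for 30 minutes
LOW_CODE_WARNING = 5        # page: warning when fewer than 5 codes remain


@dataclass
class MfaAccount:
    recovery_codes: set          # unused single-use codes (constructed values)
    failures: int = 0            # consecutive failed TOTP entries
    locked_until: float = 0.0    # unix time at which the lockout clears

    def try_totp(self, code_is_valid: bool, now: float) -> str:
        if now < self.locked_until:
            return "locked"              # even a correct code is refused
        if code_is_valid:
            self.failures = 0            # success breaks the consecutive run
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
            return "locked"
        return "denied"

    def try_recovery(self, code: str) -> str:
        # Allowed during lockout; each code is removed on first use.
        if code not in self.recovery_codes:
            return "denied"
        self.recovery_codes.remove(code)
        low = len(self.recovery_codes) < LOW_CODE_WARNING
        return "ok, regenerate codes" if low else "ok"


def demo() -> list:
    acct = MfaAccount({f"code-{i}" for i in range(10)})    # constructed codes
    results = [acct.try_totp(False, now=t) for t in range(5)]
    results.append(acct.try_totp(True, now=60))            # locked: correct code refused
    results.append(acct.try_recovery("code-0"))            # recovery code still works
    results.append(acct.try_recovery("code-0"))            # second use is rejected
    results.append(acct.try_totp(True, now=4 + LOCKOUT_SECONDS))  # lockout expired
    return results


if __name__ == "__main__":
    print(demo())
```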
Manage trusted devices
Trusted devices let you skip the MFA prompt on devices you use regularly.
Mark a device as trusted
- When prompted for an MFA code during sign-in, check the box Trust this device for 30 days.
- Complete the MFA verification as normal.
The device is now trusted. For the next 30 days, sign-in from this browser on this device will not require an MFA code.
Trusted device status is tied to the browser and device. Clearing browser cookies or signing in from a different browser on the same computer will require MFA again.
View and remove trusted devices
- Go to Settings > Security.
- Under Trusted Devices, you will see a list of currently trusted devices including the device name and expiry date.
- Click Remove next to any device to revoke its trusted status immediately.
Disable MFA
Disabling MFA reduces the security of your account. Only disable it if you are switching authenticator apps or decommissioning a device. Platform Admins cannot disable MFA in production.
- Go to Settings > Security.
- Under Multi-Factor Authentication, click Manage MFA.
- Click Disable MFA.
- Enter your current password to confirm.
- Click Confirm Disable.
MFA is now turned off. Your recovery codes and trusted devices are also cleared. You can re-enable MFA at any time.
Step-up authentication vs. MFA
MFA protects your sign-in. Step-up authentication is a separate prompt that appears when you attempt a sensitive action — like approving a scholarship payment or changing someone's role — even after you are already signed in.
Step-up authentication asks you to re-verify your identity (via social sign-in or magic link) to confirm that you, and not someone with an unlocked device, are taking the action. See Security and Privacy for a full explanation of which actions trigger step-up prompts and how the grace period works.
Next Steps
- Security and Privacy — how step-up authentication, session management, and encryption protect your data
- Signing In to StandShare — review all sign-in methods, including the MFA prompt during login