Two-factor authentication
Overview
Section titled “Overview”Two-factor authentication adds a second check beyond your password: a time-based one-time code (TOTP) from an authenticator app. Even if your password is ever compromised, a sign-in attempt still needs the code from your device.
When you enable it, GrowthOS shows a QR code to scan with an authenticator app and generates a set of one-time backup codes. The backup codes exist for the case where you lose access to your authenticator device; each one works exactly once.
This is a personal security setting, tied to your account rather than any single workspace, so enabling it protects your access across every organization you belong to.
What you can do here
Section titled “What you can do here”- Enable TOTP two-factor authentication with an authenticator app.
- Generate and download backup codes for device-loss scenarios.
- Verify a login challenge with a code when signing in from a new device.
- Disable and re-enable two-factor authentication if you change authenticator apps.
When to use
Section titled “When to use”- Hardening your personal account security, ideally during first login.
- Before traveling or using new devices where account security matters more.
- Immediately after any suspicion that your password may have leaked.
Prerequisites
Section titled “Prerequisites”- A signed-in member account.
- An authenticator app installed on your phone (for example Google Authenticator or Authy).
Where to find it
Section titled “Where to find it”- Account menu → Security → Two-factor authentication
- Direct route:
/settings/security/2fa
Step-by-step
Section titled “Step-by-step”- Open
/settings/security/2fa. - Start the setup flow and scan the QR code with your authenticator app.
- Enter the generated code to confirm the app is linked correctly.
- Save the backup codes somewhere secure, outside the app.
- Sign out and sign back in to confirm the challenge works as expected.
- Revisit this page if you switch authenticator apps or lose your device.
What success looks like
Section titled “What success looks like”- Two-factor authentication shows as enabled on this page.
- You have backup codes stored somewhere safe outside the app.
- Signing in from a new device correctly prompts for a code.
Tips & best practices
Section titled “Tips & best practices”- Store backup codes offline immediately after enabling; do not rely on memory.
- Use an authenticator app rather than SMS where possible, since SMS is easier to intercept.
- Re-generate backup codes if you ever suspect they were exposed.
Common mistakes
Section titled “Common mistakes”- Enabling two-factor authentication without saving backup codes, then losing access when the phone is lost.
- Assuming two-factor authentication is workspace-specific; it protects your whole account.
- Postponing setup indefinitely instead of doing it during first login when it is top of mind.