> ## Documentation Index
> Fetch the complete documentation index at: https://docs.openlayer.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Multi-factor Authentication

> Learn how to configure multi-factor authentication (MFA) for your Openlayer account.

To add an additional layer of security to your Openlayer account, you can enable multi-factor authentication (MFA). This feature requires you to provide a second form of verification when logging in. Openlayer supports the following MFA method:

* **Authenticator App**: Use an authenticator app like Google Authenticator, Authy, or 1Password to generate a time-based one-time password (TOTP).

## Enabling Multi-factor Authentication

<Steps>
  <Step title="Navigate to Account Settings">
    Go to **Workspace settings** → **Account** → **Authentication**
  </Step>

  <Step title="Enable the Authenticator App">
    In the "Authenticator app (TOTP)" section, click **Enable**
  </Step>

  <Step title="Set up your authenticator app">
    Follow the setup steps (see below)
  </Step>

  <Step title="Verify your setup">
    Enter the 6-digit code from your authenticator app to confirm
  </Step>

  <Step title="Save your recovery codes">
    Store the recovery codes in a safe place (see Recovery Codes section below)
  </Step>
</Steps>

The Authentication page shows options to require MFA, enable an authenticator app, and generate recovery codes:

<img width="700" style={{ borderRadius: "0.5rem" }} src="https://mintcdn.com/openlayer-44/fP67-GsjgJFSVmEL/images/documentation/mfa_config.png?fit=max&auto=format&n=fP67-GsjgJFSVmEL&q=85&s=79640562784bdb2ac838de8920df2080" alt="Authentication settings with MFA options" data-path="images/documentation/mfa_config.png" />

## Configuring an Authenticator App (TOTP)

When you enable the authenticator app, you will see a setup dialog where you can scan a QR code or enter the setup key manually, then enter the 6-digit code from your app to verify:

<img width="700" style={{ borderRadius: "0.5rem" }} src="https://mintcdn.com/openlayer-44/fP67-GsjgJFSVmEL/images/documentation/mfa_setup.png?fit=max&auto=format&n=fP67-GsjgJFSVmEL&q=85&s=b34d5ee2eef21546be5edc0d15182727" alt="Enable authenticator app setup with QR code and verification" data-path="images/documentation/mfa_setup.png" />

1. **QR code**: Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
2. **Manual setup key**: If you cannot scan the QR code, you can manually enter the setup key displayed on the screen (or copy it using the copy icon)
3. **Verification**: Once added to your app, enter the 6-digit code it generates in the verification boxes and click **Confirm**

The authenticator app will generate a new code every 30 seconds. Use the current code when signing in to Openlayer.

## Signing In with MFA Enabled

When you have MFA enabled on your account:

1. Enter your email and password on the login page
2. When prompted, enter the 6-digit code from your authenticator app, or use a recovery code if you don't have access to your authenticator
3. You will be signed in once the code is verified

If you lose access to your authenticator app, you can sign in using one of your recovery codes. Each recovery code can only be used once.

## Recovery Codes

After setting up multi-factor authentication, you will receive recovery codes. These codes allow you to access your account if you lose access to your authenticator app.

<img width="700" style={{ borderRadius: "0.5rem" }} src="https://mintcdn.com/openlayer-44/fP67-GsjgJFSVmEL/images/documentation/mfa_recovery_codes.png?fit=max&auto=format&n=fP67-GsjgJFSVmEL&q=85&s=46e0a560e652ef97f29f7fc494ccbd2b" alt="Recovery codes modal with copy and download options" data-path="images/documentation/mfa_recovery_codes.png" />

### Important Notes

* **Store codes securely**: Save your recovery codes in a safe place (e.g., a password manager or secure note)
* **One-time use**: Each recovery code can only be used once
* **Regenerate when needed**: You can generate a new set of recovery codes at any time
  from **Settings** → **Account** → **Authentication** → **Recovery codes** → **Generate**
* **Download or copy**: You can download the codes as a text file or copy them to your clipboard when they are generated

<Warning>
  Generating new recovery codes invalidates your previous set. Make sure to save
  the new codes and update your secure storage.
</Warning>

## Managing MFA

### Regenerating Recovery Codes

If you've used many of your recovery codes or suspect they may have been compromised, you can generate a new set:

1. Go to **Settings** → **Account** → **Authentication**
2. Click **Generate** in the Recovery codes section
3. Save the new codes securely—your previous codes will no longer work

## Enforcing Multi-factor Authentication

Workspace admins can require MFA for all members of their workspace. When enforced, members must enable MFA on their account before they can access the workspace.

### Prerequisites

* You must be a workspace admin
* **You must have MFA enabled on your own account first** before you can require it for workspace members

### How to Enforce MFA for Your Workspace

<Steps>
  <Step title="Enable MFA on Your Account">
    If you haven't already, enable MFA from **Settings** → **Account** →
    **Authentication**
  </Step>

  <Step title="Navigate to Workspace Security Settings">
    Go to **Workspace settings** → **Security and Privacy**
  </Step>

  <Step title="Enable Require MFA">
    Toggle **Require multi-factor authentication** to enable
  </Step>
</Steps>

When MFA is required for a workspace:

* New and existing members without MFA will be prompted to enable it before they can access the workspace
* Members who try to sign in will be redirected to the Authentication settings page to complete MFA setup
* Once MFA is enabled, they can proceed with normal sign-in (password + authenticator code or recovery code)

## Frequently Asked Questions

<AccordionGroup>
  <Accordion title="Which authenticator apps are supported?">
    Openlayer works with any TOTP-compatible authenticator app, including
    Google Authenticator, Authy, 1Password, Microsoft Authenticator, and
    similar apps.
  </Accordion>

  {" "}

  <Accordion title="What if I lose access to my authenticator app and recovery codes?">
    {" "}

    If you've lost access to both your authenticator app and recovery codes, please
    contact our support team at [support@openlayer.com](mailto:support@openlayer.com). We can help verify your identity
    and assist with account recovery.
  </Accordion>

  {" "}

  <Accordion title="Does MFA work with SAML SSO?">
    {" "}

    When using SAML SSO, MFA is typically handled by your identity provider (IdP).
    Openlayer's built-in MFA applies to email/password authentication. If your workspace
    uses SAML SSO, configure MFA in your IdP settings.
  </Accordion>

  {" "}

  <Accordion title="Can I use the same authenticator app for multiple accounts?">
    {" "}

    Yes. Your authenticator app can store multiple accounts. When you add Openlayer,
    it will appear as a separate entry (e.g., "Openlayer ([your@email.com](mailto:your@email.com))") alongside
    your other accounts.
  </Accordion>

  <Accordion title="How do I disable MFA?">
    If you need to disable MFA on your account, contact our support team at
    [support@openlayer.com](mailto:support@openlayer.com). You may need to verify your identity before MFA can
    be disabled.
  </Accordion>
</AccordionGroup>