Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) adds an extra layer of security to your Alokai Console account by requiring a second form of authentication in addition to your password. The console supports Time-based One-Time Password (TOTP) authentication using authenticator apps.
MFA Availability
Who Can Use MFA
MFA is available only for standard console accounts that use email and password authentication.
Who Cannot Use MFA
MFA is not available for:
- SSO-authenticated accounts: Users who log in through their organization's Single Sign-On
- GitHub-authenticated accounts: Users who log in using their GitHub account
MFA for SSO Users
If your organization uses SSO and requires multi-factor authentication, this must be configured at your Identity Provider level (such as Okta, Azure AD, or Google Workspace). The Alokai Console does not manage MFA for SSO accounts - your identity provider handles all authentication security requirements.
How to Enable MFA
Prerequisites
Before enabling MFA, install an authenticator app on your mobile device or computer:
- Google Authenticator (iOS/Android)
- Authy (iOS/Android/Desktop)
- Microsoft Authenticator (iOS/Android)
- 1Password (iOS/Android/Desktop)
- Any other TOTP-compatible authenticator app
Setup Process
- Navigate to Profile Settings
  - Go to your Profile → Profile Details
  - Find the "Multi Factor Authentication" section
- Start MFA Setup
  - Click the "Add authenticator" button
  - A setup modal will open with step-by-step instructions
- Configure Your Authenticator
  - Scan QR Code: Use your authenticator app to scan the displayed QR code
  - Manual Entry: If you can't scan, manually enter the provided setup key
  - Name Your Device: Give your authenticator a recognizable name (up to 250 characters)
- Verify Setup
  - Enter the 6-digit code from your authenticator app
  - Click "Verify and Enable"
- Save Backup Codes
  - Download your backup codes immediately after setup
  - Store them securely - they can only be used once each
  - Each backup code has the format XXXXX-XXXXX
Managing MFA
Adding Multiple Authenticators
You can add multiple authenticator apps and devices to your account for enhanced security and convenience:
- Multiple Apps: Use different authenticator apps (Google Authenticator, Authy, 1Password, etc.)
- Multiple Devices: Add the same account to authenticators on different devices (phone, tablet, computer)
- Unique Names: Give each authenticator a unique, descriptive name to identify them easily
- All Generate Valid Codes: Each configured authenticator will generate valid codes for your account
Important: When you add a new authenticator, new backup codes are automatically generated, and the previous set becomes invalid.
Managing Your Authenticators
In your Profile Details, you can:
- View all configured authenticators with their custom names
- Delete individual authenticators you no longer use
- Add new authenticators at any time
Backup Codes Management
Important: Only the most recently generated backup codes are valid. Each set contains 10 unique codes.
When New Backup Codes Are Generated:
- Adding a new authenticator: Automatically generates a new set of 10 backup codes
- Manual regeneration: Click "Generate backup codes" in the MFA section
- Previous codes are immediately invalidated when new ones are generated
Backup Code Updates:
- Update your password manager: If you store backup codes in 1Password, LastPass, or similar tools, replace the old codes with the new ones immediately
- Download and store securely: Always download the new backup codes and store them in a secure location
- One-time use: Each backup code can only be used once
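The backup-code rules above (10 codes per set, single use, only the newest set valid), modelled as an added example. It is not Alokai's implementation; the `BackupCodes` class and its digest-only storage are hypothetical.

```python
import hashlib
import re
import secrets

CODE_RE = re.compile(r"[0-9]{5}-[0-9]{5}")  # 5 digits, hyphen, 5 digits
SET_SIZE = 10                               # codes per set, as documented

class BackupCodes:
    """Hypothetical server-side store for one account's backup codes."""

    def __init__(self):
        self._unused = set()  # digests of unspent codes, current set only

    @staticmethod
    def _digest(code):
        # Assumption: plain SHA-256 keeps the example short; a production
        # store would use a salted, slow hash.
        return hashlib.sha256(code.encode()).digest()

    def regenerate(self):
        """Issue a new set; overwriting the digests invalidates the old set."""
        codes = set()
        while len(codes) < SET_SIZE:
            n = secrets.randbelow(10 ** 10)
            codes.add(f"{n // 10**5:05d}-{n % 10**5:05d}")
        self._unused = {self._digest(c) for c in codes}
        return sorted(codes)

    def redeem(self, submitted):
        """Accept a code at most once, and only from the current set."""
        if not CODE_RE.fullmatch(submitted):
            return False
        d = self._digest(submitted)
        if d not in self._unused:
            return False
        self._unused.remove(d)
        return True

def demo():
    """Constructed walk-through of the lifecycle described on this page."""
    store = BackupCodes()
    old = store.regenerate()
    first = store.redeem(old[0])    # valid and unused
    replay = store.redeem(old[0])   # same code again: already spent
    new = store.regenerate()        # e.g. a new authenticator was added
    stale = store.redeem(old[1])    # unused, but from the previous set
    fresh = store.redeem(new[0])
    return first, replay, stale, fresh
```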
Disabling MFA
To disable MFA completely:
- Remove all configured authenticators from your account individually
- MFA is automatically disabled when you delete the last remaining authenticator
- Verification required - you'll need to provide a verification code when removing the final authenticator
Note: There is no separate "Disable MFA" option - simply remove all authenticators to disable MFA protection.
Using MFA
During Login
When MFA is enabled on your account:
- Enter your email and password as usual
- MFA verification modal will appear
- Enter either:
  - 6-digit code from any of your configured authenticator apps, OR
  - Backup code in format XXXXX-XXXXX
- Optionally check "Trust this computer" for 30 days (if desired)
Using Backup Codes
Backup codes can be used in any MFA verification window:
- Format: XXXXX-XXXXX (5 digits, hyphen, 5 digits)
- One-time use: Each backup code can only be used once
- Universal: Works for login, password reset, and any other MFA prompt
- Current set only: Only the most recently generated set of backup codes will work
Password Reset with MFA
If you need to reset your password and have MFA enabled:
- The password reset process will include additional MFA verification
- You'll need to verify your identity with your authenticator or backup code
- This trust token system ensures account security during password changes
Security Best Practices
Backup Codes
- Download immediately after MFA setup
- Store securely offline (not in cloud storage or email)
- Don't screenshot or save them in easily accessible locations
- Generate new codes periodically and securely dispose of old ones
Authenticator Management
- Use recognizable names for multiple devices
- Remove old devices you no longer have access to
- Keep your authenticator app updated
Account Security
- Don't disable MFA unless absolutely necessary
- Enable MFA immediately after account creation
- Use unique passwords combined with MFA for maximum security
Troubleshooting
Can't Access Your Authenticator?
- Use one of your backup codes to log in
- Remove the lost authenticator from your account settings
- Add a new authenticator device
Codes Not Working?
- Ensure your device's time is synchronized correctly
- Check that you're using the correct authenticator for your account
- Try using a backup code instead
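Why an unsynchronized device clock makes codes fail, as an added example (not Alokai's code): a minimal RFC 6238 TOTP verifier. The 30-second step, HMAC-SHA-1 and the one-step tolerance window are assumed defaults, not documented console settings, and the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (assumed)
DIGITS = 6   # the console asks for a 6-digit code

def totp(secret, unix_time):
    """RFC 6238 TOTP over HMAC-SHA-1 (the RFC default; assumed)."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, code, server_time, window=1):
    """Return the step offset that matched, or None if no step matched.

    window=1 accepts the previous, current and next step (assumed policy).
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None

# Constructed sample values: RFC 6238 test secret and a fixed server time.
SECRET = b"12345678901234567890"
SERVER_NOW = 1111111109  # 29 seconds into its 30-second step

def demo():
    """Map device clock error (seconds) to the verifier's result."""
    results = {}
    for skew in (0, 20, 95):
        code = totp(SECRET, SERVER_NOW + skew)  # code the device displays
        results[skew] = verify(SECRET, code, SERVER_NOW)
    return results

if __name__ == "__main__":
    print(demo())
```

A 20-second error already lands in the next step because the server is near a step boundary, and is accepted only through the tolerance window; a 95-second error falls outside it and the code is rejected.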
Lost Backup Codes?
- Log in using your authenticator
- Navigate to Profile Details → MFA section
- Generate new backup codes (this invalidates the old ones)
Support
If you encounter issues with MFA setup or usage, please contact our support team. We're here to help ensure your account remains secure and accessible.