Two-Factor Authentication
Protect your account with authenticator apps and passkeys
Two-factor authentication (2FA) adds a second verification step when you sign in. Even if your password is compromised, your account stays protected.
UserHero supports two methods:
- Authenticator apps (TOTP) — Google Authenticator, Authy, 1Password, and similar apps
- Passkeys — Fingerprint, Face ID, security keys, or device-based credentials
You can use one or both methods simultaneously.
Setting Up an Authenticator App
- Go to Account Settings and scroll to the Two-Factor Authentication section
- Click "Set up authenticator app"
- Scan the QR code with your authenticator app
- If you can't scan, click the manual entry option to copy the secret key
- Enter the 6-digit code from your authenticator app
- Click Verify
After verification, you'll see your recovery codes. Save these immediately — they are your backup if you lose access to your authenticator.
Adding a Passkey
Passkeys let you verify with your fingerprint, face, or a hardware security key instead of typing a code.
- Go to Account Settings → Two-Factor Authentication
- Click "Add passkey"
- Optionally enter a name (e.g. "MacBook Pro" or "YubiKey")
- Click Register
- Complete the browser prompt (fingerprint, Face ID, or security key tap)
Your passkey appears in the list showing its name, type (synced or device-bound), and creation date.
You can register multiple passkeys — for example, one on your laptop and one on your phone.
Recovery Codes
When you enable your first 2FA method, UserHero generates 8 single-use recovery codes. These are your safety net if you lose access to both your authenticator app and passkeys.
Saving Recovery Codes
- Download as a .txt file
- Copy to your clipboard and paste into a password manager
You must check the confirmation box before closing the recovery codes dialog.
Recovery codes are shown only once. If you lose both your authenticator and your recovery codes, you may be locked out of your account.
Regenerating Recovery Codes
If you've used some codes or want fresh ones:
- Go to Account Settings → Two-Factor Authentication
- Click "Regenerate" under Recovery Codes
- Verify your identity with your authenticator code or passkey
- Save the new codes
Regenerating invalidates all previous codes.
Signing In with 2FA
After entering your email and password, you'll see a verification screen:
- Authenticator: Enter the 6-digit code from your app
- Passkey: Click "Verify with passkey" and complete the browser prompt
- Recovery code: Click "Use recovery code" and enter one of your saved codes
Only the methods you've enrolled appear on this screen. For example, if you only set up an authenticator app, you won't see the passkey option.
Recovery Code Usage
Each recovery code works only once. After using one, your remaining count decreases. You'll also receive an email notification when a recovery code is used.
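As an added illustration of the lifecycle described in the Recovery Codes and Recovery Code Usage sections, the following Python shows how a server can issue 8 single-use codes, keep only keyed hashes of them, decrement the remaining count on use, record the "recovery code used" event, and invalidate every old code on regeneration. This is example code, not UserHero's implementation; the code format, alphabet, and hashing scheme are assumptions.

```python
# Added example (not UserHero's code): server-side handling of single-use
# recovery codes. The plaintext codes exist only in the return value of
# issue(); the store keeps keyed SHA-256 digests and a per-user salt.
import hashlib
import hmac
import secrets
from typing import List, Set, Tuple

CODE_COUNT = 8
# Assumed alphabet: lowercase without look-alike characters (0/o, 1/l/i).
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10  # ~49 bits of entropy per code


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Return `count` distinct codes formatted as xxxxx-xxxxx."""
    codes: List[str] = []
    while len(codes) < count:
        body = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        code = f"{body[:5]}-{body[5:]}"
        if code not in codes:
            codes.append(code)
    return codes


def normalize(code: str) -> str:
    """Users paste codes with spaces, dashes, or capitals; compare a canonical form."""
    return code.strip().lower().replace("-", "").replace(" ", "")


class RecoveryCodeStore:
    """One user's recovery codes as the server sees them: hashes only."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._unused: Set[str] = set()          # digests of codes not yet redeemed
        self.events: List[Tuple[str, int]] = []  # stands in for the email queue

    def _digest(self, code: str) -> str:
        # Keyed hash: a leaked table of digests cannot be reversed or reused
        # without the salt, and set lookup on digests leaks nothing about codes.
        return hmac.new(self._salt, normalize(code).encode(), hashlib.sha256).hexdigest()

    def issue(self, count: int = CODE_COUNT) -> List[str]:
        """Create a fresh set. Regeneration replaces the whole set, so every
        previously issued code stops working."""
        codes = generate_recovery_codes(count)
        self._unused = {self._digest(c) for c in codes}
        return codes  # shown once to the user; never persisted in clear

    @property
    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, submitted: str) -> bool:
        """Consume one code. Returns False for unknown or already-used codes."""
        digest = self._digest(submitted)
        if digest not in self._unused:
            return False
        self._unused.discard(digest)
        # Notification event: the account holder is emailed on every use.
        self.events.append(("recovery_code_used", self.remaining))
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.issue()
    print("save these now:", shown_once)
    print("redeemed:", store.redeem(shown_once[0]), "remaining:", store.remaining)
```

Two details worth noting: `redeem` accepts the code in any spacing or case because users copy it from a text file or password manager, and a second `redeem` of the same code fails, which is what makes the "remaining count" and the per-use email meaningful.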
Removing 2FA
Removing an Authenticator App
- Go to Account Settings → Two-Factor Authentication
- Click "Remove" next to the authenticator app section
- Enter your current 6-digit code to confirm
Deleting a Passkey
- Go to Account Settings → Two-Factor Authentication
- Find the passkey in the list
- Click the delete button
If you remove your last 2FA method, two-factor authentication is fully disabled on your account. You'll receive an email notification.
Workspace Enforcement
Workspace owners and admins can require all members to enable 2FA.
Enabling Enforcement
- Go to Workspace Settings → Security tab
- Turn on "Require two-factor authentication"
- Choose a grace period (3, 7, 14, or 30 days)
What Members See
- During the grace period: A banner appears with the deadline to set up 2FA
- After the grace period: Access to the workspace is blocked until 2FA is set up. A button navigates directly to account security settings.
New members invited to an enforcing workspace must set up 2FA before they can access any workspace content.
Disabling Enforcement
Turn off the toggle in Workspace Settings → Security. The banner and any access blocks are removed for all members immediately.
OAuth Provider Trust
If your workspace uses Google or Microsoft sign-in, owners can choose to trust these providers as a second factor.
- Go to Workspace Settings → Security tab
- Turn on "Trust OAuth providers"
When enabled, members who sign in via Google or Microsoft skip the 2FA challenge. Members who sign in with email and password still need to verify.
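The Workspace Enforcement and OAuth Provider Trust sections above describe a small set of rules: a grace period of 3, 7, 14, or 30 days during which members see a banner, a block once the deadline passes, no grace period for members invited after enforcement began, an immediate lift when enforcement is turned off, and a trusted Google or Microsoft sign-in standing in for the second factor. The Python below is an added example, not UserHero's code, that turns those rules into two decision functions so they can be checked; the field names, the three access outcomes, and the member model are assumptions.

```python
# Added example (not UserHero's code): workspace 2FA enforcement and OAuth
# trust expressed as decision functions. Field names are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

GRACE_PERIOD_DAYS = (3, 7, 14, 30)   # the choices offered in Workspace Settings
TRUSTED_OAUTH = ("google", "microsoft")


@dataclass
class WorkspaceSecurity:
    require_2fa: bool = False
    grace_days: int = 7
    enforced_since: Optional[datetime] = None  # when the toggle was turned on
    trust_oauth: bool = False


@dataclass
class Member:
    has_2fa: bool
    joined_at: datetime
    login_method: str = "password"  # "password", "google" or "microsoft"


def enable_enforcement(ws: WorkspaceSecurity, grace_days: int, now: datetime) -> None:
    if grace_days not in GRACE_PERIOD_DAYS:
        raise ValueError(f"grace period must be one of {GRACE_PERIOD_DAYS}")
    ws.require_2fa = True
    ws.grace_days = grace_days
    ws.enforced_since = now


def disable_enforcement(ws: WorkspaceSecurity) -> None:
    # Banners and access blocks disappear for everyone as soon as this runs.
    ws.require_2fa = False
    ws.enforced_since = None


def workspace_access(ws: WorkspaceSecurity, member: Member, now: datetime) -> str:
    """Return 'allow', 'banner' (grace period running) or 'blocked'."""
    if not ws.require_2fa or member.has_2fa:
        return "allow"
    # Members invited after enforcement began get no grace period.
    if member.joined_at >= ws.enforced_since:
        return "blocked"
    deadline = ws.enforced_since + timedelta(days=ws.grace_days)
    return "banner" if now < deadline else "blocked"


def second_factor_required_at_login(ws: WorkspaceSecurity, member: Member) -> bool:
    """A trusted Google/Microsoft sign-in skips the 2FA challenge; email and
    password sign-ins are challenged whenever the member has a method enrolled."""
    if ws.trust_oauth and member.login_method in TRUSTED_OAUTH:
        return False
    return member.has_2fa


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    ws = WorkspaceSecurity()
    enable_enforcement(ws, 7, t0)
    existing = Member(has_2fa=False, joined_at=t0 - timedelta(days=30))
    print(workspace_access(ws, existing, t0 + timedelta(days=2)))   # banner
    print(workspace_access(ws, existing, t0 + timedelta(days=8)))   # blocked
```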
Email Notifications
UserHero sends email alerts for important 2FA events:
| Event | Notification |
|---|---|
| Authenticator app enabled | Immediate email to the account holder |
| New passkey added | Immediate email to the account holder |
| 2FA disabled | Immediate email to the account holder |
| Recovery code used | Immediate email to the account holder |
If you receive a notification you don't recognize, change your password immediately and regenerate your recovery codes.
Troubleshooting
Authenticator Code Not Working
- Ensure the time on your device is accurate (TOTP codes are time-based)
- Use the latest code — codes rotate every 30 seconds
- If you recently switched phones, re-enroll your authenticator
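To make the setup steps above and the "Authenticator Code Not Working" advice concrete, here is an added Python example (not UserHero's code) of the TOTP algorithm from RFC 6238 that both the authenticator app and the verifying server run: a Base32 secret (the manual-entry key), an otpauth URI of the kind a QR code carries, a 6-digit code derived from the current 30-second step, and a verifier that tolerates one step of clock drift. The issuer name, the URI format, and the one-step tolerance window are assumptions; the test vectors are the published RFC 4226/6238 ones.

```python
# Added example (not UserHero's code): RFC 6238 TOTP as generated by an
# authenticator app and checked by a server. Assumed parameters: HMAC-SHA1,
# 6 digits, 30-second step, +/-1 step tolerance for clock drift.
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30  # codes rotate every 30 seconds
DIGITS = 6


def new_secret() -> str:
    """Random 160-bit secret, Base32-encoded: the key shown for manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret: str, account: str, issuer: str = "UserHero") -> str:
    """otpauth:// URI of the kind encoded in a setup QR code (format assumed)."""
    return (
        f"otpauth://totp/{quote(issuer)}:{quote(account)}"
        f"?secret={secret}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP_SECONDS}"
    )


def totp_at(secret: str, unix_time: int) -> str:
    """Code for the 30-second step containing unix_time (HOTP over the step counter)."""
    key = base64.b32decode(secret, casefold=True)
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def verify_totp(secret: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step's code or a neighbour within skew_steps.

    A phone whose clock is minutes off produces codes outside this window,
    which is why a code that "does not work" usually means the device time
    is wrong rather than the secret.
    """
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp_at(secret, unix_time + step * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo: enroll a secret, print the URI, verify at a fixed time.
    secret = new_secret()
    print(provisioning_uri(secret, "alice@example.com"))
    now = 1_700_000_000
    code = totp_at(secret, now)
    print("code:", code, "valid now:", verify_totp(secret, code, now))
    print("valid 2 minutes later:", verify_totp(secret, code, now + 120))
```

The tolerance window is the practical trade-off behind the troubleshooting tips: accepting the previous and next step absorbs ordinary network delay and a few seconds of clock drift, while a device that is minutes off still fails and must have its time corrected.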
Passkey Not Working
- Make sure you're using the same browser and device where the passkey was registered
- Synced passkeys (iCloud Keychain, Google Password Manager) work across devices signed in to the same iCloud or Google account
- Device-bound passkeys only work on the specific device
Locked Out
If you've lost access to all your 2FA methods and recovery codes, contact support at hello@userhero.co for account recovery verification.
Rate Limited
After 5 failed verification attempts, your account is temporarily locked from further attempts. Wait a few minutes before trying again.