All documentation · Signing in & security

Two-factor authentication

Turn on TOTP two-factor authentication, store your 10 backup codes, regenerate them when they run out, and disable 2FA if you need to.

7 min read · Reviewed

Two-factor authentication means a stolen password is not enough to reach your workspace. Clyentra uses TOTP — a rotating 6-digit code from an authenticator app on your phone. This page covers enabling it, the backup codes, regenerating them, and turning 2FA off.

Clyentra works with Google Authenticator, Authy, or any TOTP app. There is no SMS option, which is a feature: SIM-swap attacks do not work against an app-based code.

You may have already been offered this: Clyentra prompts for 2FA right after signup on a screen headed Secure your new account. If you pressed Skip for now, a red dot sits on your profile menu until you turn it on. Follow this page to finish the job.

Enable 2FA

2FA lives at /profile → the Security tab → the Authenticator sub-tab. The card is headed Two-Factor Authentication and carries a badge showing Active or Off.

  1. Press Enable 2FA. Clyentra generates a secret and moves you to step 1.
  2. Scan the QR code. The step is headed Scan QR Code — "Scan this with Google Authenticator, Authy, or any TOTP app." If you cannot scan, use the OR ENTER CODE MANUALLY secret below it and type it into your app. Press I've scanned the code →.
  3. Verify the setup. The step is headed Verify Setup. Enter the current six digits under 6-DIGIT CODE and press Activate 2FA. If the code is rejected, wait for your app to roll to the next one and retry — codes are time-based.
  4. Save your backup codes. A dialog appears: 2FA Enabled — Save Your Backup Codes, with the note "This dialog cannot be dismissed until you copy your codes." Press Copy & Logout.
  5. Sign in again. Enabling 2FA invalidates all of your existing sessions, so Clyentra signs you out. Sign back in — this time you will be asked for a code. See Sign in to Clyentra.

Copy the codes before you close anything: You get 10 backup codes, shown once. Each works exactly once. Paste them into your password manager, not into a note on the same phone that holds your authenticator — if you lose that phone you would lose both factors at the same time.

What changes after 2FA is on

SituationWhat Clyentra asks for
Normal sign-inYour password, then a 6-digit code under AUTHENTICATOR CODE. Press Verify & Sign In.
Phone unavailableUse the link Don't have your authenticator app? Use a backup code instead, then enter one code under BACKUP CODE.
Regenerating backup codesYour current password and a 6-digit code or an unused backup code.
Disabling 2FAYour current password and a live 6-digit code. You are then signed out.

The status card also flips to 2FA is enabled — "Your account is protected with an authenticator app." — with the Active badge and the date you turned it on.

Backup codes

Backup codes are your way back in when the authenticator is gone — a lost phone, a wiped device, a reinstalled app. At sign-in, Clyentra warns you before you spend one: "Each backup code can only be used once. Using this code will permanently invalidate it."

Manage them at /profileSecurity → the Backup Codes sub-tab. To issue a fresh set, press Regenerate Backup Codes. You must supply your Current Password and an Authentication Code — a 6-digit authenticator code, or an unused backup code if that is all you have.

Regenerating destroys the old set: Ten new codes are issued and every previous code stops working, permanently. If you have old codes written down anywhere, throw them out the moment you regenerate.

Regenerate if you have used most of your codes, if you cannot find them, or if you think someone else may have seen them.

Replacing a lost or new phone

There is no "move to new phone" button. The sequence is: sign in using a backup code, disable 2FA, then enable it again and scan the QR code with the authenticator app on the new device. Doing this issues a new secret and a new set of 10 backup codes.

Do this before you wipe the old phone: Set 2FA up on the new device while the old one still works. It turns a recovery problem into a two-minute chore.

Disable 2FA

From /profileSecurityAuthenticator, press Disable 2FA. Clyentra warns: "Disabling 2FA will remove the extra layer of protection from your account. You will be signed out once confirmed."

You must enter your Current password and a live Authenticator code. A confirmation dialog, Confirm disabling 2FA, asks once more — press Yes, disable 2FA to proceed, or Go back to cancel. On success you are signed out immediately, and the red dot returns to your profile menu.

You cannot disable 2FA without a code: Both a password and a working code are required. If you have lost the authenticator, sign in with a backup code first, then disable. If you have neither, email support@clyentra.ai from the account's email address.

Rolling it out to a team

2FA is per user, so each person enables it on their own account. Ask people with elevated permissions — owners, admins, and anyone who can touch billing, payroll, or customer data — to turn it on first. See Roles and permissions and Manage your team.

Questions people ask

Which authenticator apps work?

Any TOTP app. Clyentra names Google Authenticator and Authy on the setup screen, but 1Password, Bitwarden, Microsoft Authenticator, and similar apps all work the same way.

How many backup codes do I get?

Ten. Each can be used once. They are displayed a single time when 2FA is enabled — copy them then.

Why was I signed out when I turned 2FA on?

Enabling 2FA invalidates every existing session, so any device already signed in is cut off. Sign back in with your password plus a code.

I've used all my backup codes. What now?

Go to /profileSecurityBackup Codes and press Regenerate Backup Codes. You need your current password plus a 6-digit code (or an unused backup code). Ten new codes are issued and the old set is permanently invalidated.

My code keeps being rejected as invalid.

TOTP codes depend on the clock. Check that your phone's time is set to update automatically, then enter a fresh code as soon as your app rolls to a new one. The error is Invalid code. Please try again.

How do I move 2FA to a new phone?

Disable 2FA on your account, then enable it again and scan the new QR code with the app on the new phone. Do it while the old device still works, so you are not relying on a backup code.

Can an administrator turn on 2FA for me?

No. 2FA is enabled per user from your own profile, because only you can scan the QR code and hold the codes.

Every Clyentra guide