> ## Documentation Index
> Fetch the complete documentation index at: https://docs.elementum.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Multi-Factor Authentication (MFA)

> Add an extra layer of security to your Elementum account with time-based one-time passwords

## Overview

Multi-Factor Authentication (MFA) adds an additional security layer to your Elementum account by requiring a time-based verification code during login. Even if your password is compromised, unauthorized users cannot access your account without the code from your authenticator app.

**Key Benefits:**

* **Reduced Risk**: Compromised passwords alone cannot grant account access
* **Industry Standard**: Uses TOTP (Time-based One-Time Password) protocol supported by all major authenticator apps
* **User Control**: Enable or disable MFA from your account settings at any time
* **Simple Setup**: Configure in minutes with any compatible authenticator app

***

## Who Should Enable MFA

<Tabs>
  <Tab title="Recommended For">
    * Users with access to sensitive business data
    * Organization administrators
    * Users managing automations and integrations
    * Anyone seeking enhanced account security
  </Tab>

  <Tab title="Especially Important For">
    * Accounts not protected by SSO/SAML
    * Users accessing Elementum from multiple devices
    * Accounts with elevated permissions
    * Compliance-sensitive environments
  </Tab>
</Tabs>

<Info>
  If your organization uses SSO with an Identity Provider that already enforces MFA (such as Okta or Azure AD with MFA policies), you may already have multi-factor protection at the IdP level.
</Info>

***

## Supported Authenticator Apps

MFA works with any authenticator app that supports the TOTP standard, including:

| App                         | Platforms             | Notes                                |
| --------------------------- | --------------------- | ------------------------------------ |
| **Google Authenticator**    | iOS, Android          | Free, simple interface               |
| **Microsoft Authenticator** | iOS, Android          | Includes backup and cloud sync       |
| **Okta Verify**             | iOS, Android          | Common in enterprise environments    |
| **1Password**               | iOS, Android, Desktop | Integrated with password management  |
| **Authy**                   | iOS, Android, Desktop | Multi-device sync and backup         |
| **Duo Mobile**              | iOS, Android          | Enterprise-focused with push options |

***

## Set Up MFA

Before enabling MFA, ensure you have:

* An Elementum account with password-based authentication
* A smartphone or device with an authenticator app installed
* Access to scan a QR code or manually enter a setup key

<Steps>
  <Step title="Navigate to Account Security">
    1. Click your profile icon in the bottom-left corner of Elementum
    2. Navigate to the **Security** tab
  </Step>

  <Step title="Initiate MFA Setup">
    1. Locate the **Multi-Factor Authentication** section
    2. Click **Enable MFA** to begin setup
    3. A QR code will be displayed on screen
  </Step>

  <Step title="Scan the QR Code">
    1. Open your authenticator app on your mobile device
    2. Select the option to add a new account (usually a **+** icon)
    3. Choose **Scan QR code** or **Scan barcode**
    4. Point your device camera at the QR code displayed in Elementum

    <Accordion title="Can't scan the QR code?">
      If you cannot scan the QR code (e.g., using a desktop authenticator or camera issues):

      1. Click **Can't scan? Enter code manually** below the QR code
      2. Copy the secret key displayed
      3. In your authenticator app, select **Enter setup key manually**
      4. Enter:
         * **Account name**: Your Elementum email or "Elementum"
         * **Secret key**: Paste the copied key
         * **Type**: Time-based (TOTP)
    </Accordion>
  </Step>

  <Step title="Verify and Activate">
    1. Your authenticator app will display a 6-digit code that refreshes every 30 seconds
    2. Enter the current code in the **Verification code** field in Elementum
    3. Click **Verify and Enable**
    4. You'll see a confirmation message that MFA is now active
  </Step>

  <Step title="Confirm Setup Complete">
    After successful verification:

    * The MFA section will show **Enabled** status
    * Your next login will require both password and authenticator code
  </Step>
</Steps>

<Warning>
  **Important**: Your authenticator app is now required for every login. Ensure you don't uninstall the app or lose access to your device without first disabling MFA or setting up the app on a new device.
</Warning>

***

## Log In with MFA

Once MFA is enabled, your login process includes an additional verification step:

1. Navigate to the Elementum login page
2. Enter your email and password, then click **Log In**
3. When prompted, open your authenticator app and find your Elementum account entry
4. Enter the 6-digit code currently displayed and click **Verify**

<Info>
  Codes refresh every 30 seconds. If your code is about to expire (timer nearly empty), wait for the next code to ensure you have enough time to enter it.
</Info>

***

## Manage MFA

### View MFA Status

To check your current MFA status:

1. Go to **Account Settings** > **Security**
2. The **Multi-Factor Authentication** section displays:
   * **Enabled**: MFA is active on your account
   * **Disabled**: MFA is not configured

### Disable MFA

<Warning>
  Disabling MFA reduces your account security. Only disable if necessary, and re-enable as soon as possible.
</Warning>

To disable MFA:

1. Go to **Account Settings** > **Security**
2. In the **Multi-Factor Authentication** section, click **Disable MFA**
3. Enter your password or current authenticator code when prompted
4. Click **Confirm** to disable MFA

***

## Best Practices

<AccordionGroup>
  <Accordion title="Use an authenticator with backup">
    Choose an authenticator app that supports cloud backup or multi-device sync (Microsoft Authenticator, Authy, 1Password). This makes device transitions seamless and provides recovery options.
  </Accordion>

  <Accordion title="Don't share screenshots of QR codes">
    The QR code contains your secret key. Never share, screenshot, or store QR codes in unsecured locations.
  </Accordion>

  <Accordion title="Keep your authenticator app updated">
    Ensure your authenticator app is updated to the latest version for security patches and compatibility.
  </Accordion>

  <Accordion title="Plan for device changes">
    Before switching phones or resetting your device:

    1. Disable MFA in Elementum while you still have access
    2. Set up your new device
    3. Re-enable MFA with a fresh QR code scan
  </Accordion>

  <Accordion title="Verify your device clock">
    TOTP codes depend on accurate time. Enable automatic time sync on your device to prevent code validation issues.
  </Accordion>
</AccordionGroup>

***

## Related Documentation

<CardGroup cols={2}>
  <Card title="MFA FAQ" icon="circle-question" href="/support/faq/faq-mfa">
    Frequently asked questions about Multi-Factor Authentication
  </Card>

  <Card title="SSO Configuration" icon="key" href="/administration/sso-saml-setup">
    Configure Single Sign-On with SAML 2.0 for centralized authentication
  </Card>
</CardGroup>

***

*Last updated: January 2025*
