> ## Documentation Index
> Fetch the complete documentation index at: https://docs.elementum.io/llms.txt
> Use this file to discover all available pages before exploring further.

# MFA FAQ

> Frequently asked questions about Multi-Factor Authentication in Elementum

## General Questions

<AccordionGroup>
  <Accordion title="What is Multi-Factor Authentication (MFA)?">
    Multi-Factor Authentication (MFA) is a security feature that requires two forms of verification when you log in:

    1. **Something you know**: Your password
    2. **Something you have**: A time-based code from your authenticator app

    Even if someone discovers your password, they cannot access your account without also having access to your authenticator device.
  </Accordion>

  <Accordion title="Why should I enable MFA?">
    MFA significantly reduces the risk of unauthorized account access. Benefits include:

    * **Protection against password breaches**: If your password is compromised in a data breach, attackers still can't access your account
    * **Defense against phishing**: Even if you accidentally enter your password on a fake site, attackers can't log in without your authenticator code
    * **Compliance**: Many security standards and regulations recommend or require MFA
    * **Peace of mind**: Know that your account and data are protected by an additional security layer
  </Accordion>

  <Accordion title="Is MFA required?">
    MFA is currently **optional and user-controlled**. You can enable or disable it at any time from your Account Settings.

    Your organization may have policies recommending or requiring MFA for certain roles. Check with your administrator for your organization's specific requirements.

    <Info>
      Admin-enforced MFA (where organizations can require MFA for all users) is planned for a future release.
    </Info>
  </Accordion>

  <Accordion title="Does MFA work with Single Sign-On (SSO)?">
    If your organization uses SSO with an Identity Provider (like Okta, Azure AD, or Google Workspace), your MFA experience depends on your setup:

    * **IdP-level MFA**: Your Identity Provider may already enforce MFA during SSO login. In this case, Elementum MFA may be redundant.
    * **Elementum MFA + SSO**: You can enable Elementum MFA in addition to SSO, adding another layer of security.
    * **SSO-only organizations**: If SSO is enforced and local login is disabled, Elementum MFA options may not be available.

    Check with your administrator to understand your organization's authentication configuration.
  </Accordion>
</AccordionGroup>

***

## Setup Questions

<AccordionGroup>
  <Accordion title="Which authenticator apps are supported?">
    Elementum MFA works with any authenticator app that supports the TOTP (Time-based One-Time Password) standard, including:

    * **Google Authenticator** (iOS, Android)
    * **Microsoft Authenticator** (iOS, Android)
    * **Okta Verify** (iOS, Android)
    * **1Password** (iOS, Android, Desktop)
    * **Authy** (iOS, Android, Desktop)
    * **Duo Mobile** (iOS, Android)
    * **LastPass Authenticator** (iOS, Android)
    * Many others

    We recommend choosing an app that supports **cloud backup** or **multi-device sync** (like Microsoft Authenticator, Authy, or 1Password) for easier device transitions.
  </Accordion>

  <Accordion title="Can I use MFA on multiple devices?">
    Each MFA setup is tied to **one authenticator entry**. However, depending on your authenticator app:

    * **Apps with sync** (Microsoft Authenticator, Authy, 1Password): Your codes automatically sync across devices signed into the same account
    * **Apps without sync** (Google Authenticator): Codes exist only on the device where you scanned the QR code

    If your app supports sync, you effectively have MFA access on multiple devices. If not, you'll need to use the specific device where MFA was set up.

    <Tip>
      To switch your primary MFA device, disable MFA while you have access, then re-enable it on your preferred device.
    </Tip>
  </Accordion>

  <Accordion title="What if I can't scan the QR code?">
    If you can't scan the QR code (camera issues, using desktop authenticator, etc.):

    1. Click **Can't scan? Enter code manually** below the QR code
    2. Copy the displayed secret key
    3. In your authenticator app, choose **Enter setup key manually** or similar
    4. Enter the account name (e.g., "Elementum") and paste the secret key
    5. Ensure **Time-based (TOTP)** is selected as the key type
    6. Save and use the generated code to verify setup
  </Accordion>

  <Accordion title="Can I use SMS or email codes instead of an app?">
    No. MFA currently supports **only TOTP authenticator apps**. SMS and email-based verification are not available.

    TOTP apps are generally more secure than SMS (which can be intercepted through SIM swapping attacks) and more reliable than email (which can have delivery delays).
  </Accordion>

  <Accordion title="Can I use a hardware security key (like YubiKey)?">
    Hardware security keys are **not currently supported**. Only TOTP-based authenticator apps are supported.

    Support for hardware security keys may be considered for future releases.
  </Accordion>
</AccordionGroup>

***

## Usage Questions

<AccordionGroup>
  <Accordion title="How often will I be prompted for MFA?">
    You'll be prompted for your authenticator code:

    * **Every new login**: When you enter your username and password
    * **After session expiration**: When your session times out due to inactivity
    * **After logging out**: When you explicitly log out and log back in

    You will **not** be prompted:

    * While actively using Elementum within a session
    * When switching between pages or apps within Elementum
    * If you're already logged in and open a new browser tab
  </Accordion>

  <Accordion title="My code was rejected. What should I do?">
    The most common cause of rejected codes is **time sync issues**. Try these steps:

    1. **Enable automatic time** on your device:
       * iOS: Settings > General > Date & Time > Set Automatically
       * Android: Settings > System > Date & time > Automatic
    2. **Wait for a fresh code**: If your current code is nearly expired, wait for the next one
    3. **Verify the correct entry**: Make sure you're using the code for Elementum, not another service
    4. **Force time sync** in your authenticator app (if available)
  </Accordion>

  <Accordion title="Does MFA affect API access?">
    No. MFA applies only to **interactive login** through the Elementum web interface.

    API access using API keys or service account credentials is **not affected** by MFA. API authentication continues to work as before.

    This is standard practice—API calls are typically automated and can't interactively provide MFA codes.
  </Accordion>

  <Accordion title="Will MFA slow down my login?">
    MFA adds one additional step to login: entering a 6-digit code. For most users, this adds only a few seconds.

    Tips for a smooth experience:

    * Keep your authenticator app easily accessible
    * Use Face ID/Touch ID to unlock your authenticator quickly
    * Enter codes promptly when they appear (they're valid for 30 seconds)
  </Accordion>
</AccordionGroup>

***

## Recovery Questions

<AccordionGroup>
  <Accordion title="What if I lose access to my authenticator?">
    If you lose access to your authenticator device (phone lost, broken, or reset):

    1. **Contact your organization administrator**
    2. **Verify your identity** through your organization's process
    3. **Administrator requests MFA removal** from Elementum Support
    4. **Once MFA is disabled**, log in with your password only
    5. **Immediately re-enable MFA** on your new device

    <Warning>
      **Backup codes are not currently available.** This is why we recommend using an authenticator with cloud backup capability.
    </Warning>
  </Accordion>

  <Accordion title="Are there backup codes?">
    **No, backup codes are not currently available.**

    To protect yourself:

    * Use an authenticator app with **backup/sync features** (Microsoft Authenticator, Authy, 1Password)
    * Know your organization's **recovery process** before you need it
    * Consider setting up your authenticator on multiple devices if your app supports sync

    Backup codes are planned for a future release.
  </Accordion>

  <Accordion title="Can I recover my account myself if locked out?">
    Currently, **no**. If you lose access to your authenticator and can't generate codes, you must:

    1. Contact your organization administrator
    2. Complete identity verification
    3. Have them request MFA removal from Elementum Support

    Self-service recovery options (like backup codes) are planned for future releases.
  </Accordion>

  <Accordion title="How do I switch to a new phone?">
    **Before** disposing of or resetting your old phone:

    1. Log into Elementum using your old phone's authenticator
    2. Go to **Account Settings** > **Security**
    3. **Disable MFA**
    4. Set up your authenticator app on your new phone
    5. **Re-enable MFA** and scan the new QR code

    **If you already switched** and can't access your old authenticator:

    * If your app has cloud backup, restore on your new device
    * If not, follow the lost device recovery process
  </Accordion>
</AccordionGroup>

***

## Administrator Questions

<AccordionGroup>
  <Accordion title="Can administrators enforce MFA for all users?">
    **Not currently.** MFA is currently user opt-in only.

    Admin-enforced MFA is on the roadmap for a future release. This will allow administrators to:

    * Require MFA for all users
    * Require MFA for specific roles
    * Set grace periods for compliance
    * Monitor enrollment status

    Currently, administrators can encourage adoption through communication and policy, but cannot technically enforce it.
  </Accordion>

  <Accordion title="Can administrators see who has MFA enabled?">
    There is **no dedicated MFA enrollment report** currently available.

    Administrators can:

    * Review the **Activity Log** for MFA enablement/disablement events
    * Manually track adoption through user communications
    * Contact Elementum Support for assistance with adoption data

    Bulk MFA reporting is planned for future releases.
  </Accordion>

  <Accordion title="How do administrators help users who are locked out?">
    When a user loses authenticator access:

    1. **Verify the user's identity** through your established process (manager confirmation, HR verification, security questions, etc.)
    2. **Contact Elementum Support** with:
       * User's email address
       * Confirmation that identity was verified
       * Your administrator credentials/authorization
    3. **Support disables MFA** for the user's account
    4. **Notify the user** to log in and re-enable MFA
  </Accordion>

  <Accordion title="Does MFA affect service accounts?">
    No. [Service accounts](/administration/service-accounts) are API-only accounts that cannot be used for interactive login. MFA does not apply to service accounts.
  </Accordion>
</AccordionGroup>

***

## Security Questions

<AccordionGroup>
  <Accordion title="How secure is TOTP-based MFA?">
    TOTP (Time-based One-Time Password) MFA is a well-established security standard (RFC 6238) used by major platforms worldwide. Key security properties:

    * **Codes are time-limited**: Valid for only 30 seconds
    * **Codes are one-time use**: Cannot be reused even within the validity window
    * **Secret is device-bound**: The secret key never leaves your authenticator device during normal use
    * **Offline generation**: Codes are generated locally without network communication
    * **No shared database**: Elementum doesn't store your actual codes, only verifies them

    While no security measure is perfect, TOTP MFA significantly raises the bar for attackers.
  </Accordion>

  <Accordion title="What data does Elementum store for MFA?">
    For MFA, Elementum stores:

    * **Your MFA enrollment status** (enabled/disabled)
    * **An encrypted secret key** used to verify your codes
    * **Timestamps** of MFA events (enable, disable, successful/failed verifications)

    Elementum does **not** store:

    * Your actual authenticator codes
    * Access to your authenticator app or device
    * Your device information (beyond what's in normal access logs)
  </Accordion>

  <Accordion title="Can MFA be bypassed?">
    MFA cannot be bypassed through the normal login flow. However:

    * **Account recovery**: Administrators can request MFA removal for account recovery (after identity verification)
    * **Session hijacking**: If an attacker compromises an active session, MFA won't help (it protects login, not existing sessions)
    * **SSO bypass**: If your organization uses SSO, attackers who compromise your IdP credentials may not need Elementum MFA

    MFA is one layer in a security strategy—it works best alongside strong passwords, session management, and security awareness.
  </Accordion>
</AccordionGroup>

***

## Current Limitations

<Accordion title="What features are not currently available?">
  The following features are **not currently available** for MFA:

  | Feature                      | Status                           |
  | ---------------------------- | -------------------------------- |
  | Backup codes                 | Not available                    |
  | SMS verification             | Not supported                    |
  | Email verification           | Not supported                    |
  | Hardware security keys       | Not supported                    |
  | Admin enforcement            | Not available                    |
  | Multiple device registration | Single setup (use app with sync) |
  | Enrollment reporting         | Not available                    |
  | Conditional MFA (risk-based) | Not available                    |

  These features may be added in future releases.
</Accordion>

***

## Related Documentation

<CardGroup cols={2}>
  <Card title="MFA Feature Overview" icon="shield-check" href="/administration/multi-factor-authentication">
    Complete setup and usage guide
  </Card>

  <Card title="SSO Configuration" icon="key" href="/administration/sso-saml-setup">
    Single Sign-On setup guide
  </Card>
</CardGroup>

***

*Last updated: January 2025*
