Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of security to your GitScrum account. When enabled, you'll need both your password and a verification code from your authenticator app to sign in.


Why Enable 2FA

Account security matters. 2FA protects you against:

Threat                 Protection
Password breaches      A stolen password alone cannot access the account
Phishing attacks       Fake login pages cannot capture your 2FA code
Credential stuffing    Reused passwords from other sites are ineffective
Session hijacking      Physical access to the device is required

Even if someone obtains your password, they cannot access your account without the time-based code from your authenticator app.


Prerequisites

Before enabling 2FA, ensure you have:

  1. Authenticator app installed on your mobile device:
  • Google Authenticator (Android, iOS)
  • Authy (Android, iOS, Desktop)
  • 1Password (all platforms)
  • Microsoft Authenticator (Android, iOS)
  • Any TOTP-compatible app
  2. Backup method ready to store recovery codes:
  • Password manager
  • Secure document
  • Printed copy in safe location

Enabling 2FA

Step 1: Open 2FA Settings

  1. Navigate to your Profile page
  2. Click the 2FA button in the header (shows as "Enable 2FA" if not active)
  3. Modal opens with setup instructions

Step 2: Scan QR Code

  1. Open your authenticator app
  2. Add account (usually + button)
  3. Scan the QR code displayed in GitScrum
  4. Account added to your authenticator

If you cannot scan the QR code:

  • Click "Can't scan?" to reveal manual setup key
  • Enter the key manually in your authenticator app

Step 3: Verify Setup

  1. Enter the 6-digit code from your authenticator
  2. Code changes every 30 seconds - use current code
  3. Submit to verify

If verification fails:

  • Ensure device time is correct (automatic time sync recommended)
  • Wait for next code if current code is expiring
  • Try rescanning QR code

Step 4: Save Recovery Codes

After successful verification:

  1. Recovery codes display (10 single-use codes)
  2. Copy codes using the Copy button
  3. Store securely - password manager, secure document, or printed
  4. Confirm you've saved codes
  5. 2FA is now active

Recovery Codes (example):
ABC12-DEF34   GHI56-JKL78
MNO90-PQR12   STU34-VWX56
YZA78-BCD90   EFG12-HIJ34
KLM56-NOP78   QRS90-TUV12
WXY34-ZAB56   CDE78-FGH90

Important: Each recovery code works only once. Store them securely.


Signing In with 2FA

Once 2FA is enabled, the login process changes:

Normal Sign-In

  1. Enter email and password as usual
  2. Click Sign In
  3. 2FA prompt appears
  4. Open authenticator app
  5. Enter current 6-digit code
  6. Access granted

Using Recovery Code

If you cannot access your authenticator:

  1. Enter email and password
  2. Click "Use recovery code"
  3. Enter one of your saved recovery codes
  4. Access granted (that code is now invalidated)

Remember: Each recovery code works only once. Generate new codes if you've used several.


Managing 2FA

Viewing Current Status

Access 2FA settings from Profile:

  • Green indicator: 2FA is enabled and active
  • Message: "Your account is protected with two-factor authentication"

Viewing Recovery Codes

To see your current recovery codes:

  1. Click 2FA management button
  2. Select "View Recovery Codes"
  3. Enter current 6-digit code to verify identity
  4. Codes display - copy or note them

Regenerating Recovery Codes

If you've used recovery codes or suspect they're compromised:

  1. Click 2FA management button
  2. Select "Regenerate Codes"
  3. Enter current 6-digit code to verify
  4. New codes generated - old codes invalidated
  5. Save new codes immediately

Warning: Regenerating codes invalidates ALL previous codes. Ensure you save the new set.
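The single-use and "regenerate invalidates everything" behaviour described for recovery codes, modelled server-side as an added example. This is not GitScrum's code; the hashed storage design and the ABC12-DEF34 code format are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
CODE_COUNT = 10  # one set is 10 single-use codes, as on this page


class RecoveryCodeStore:
    """Recovery codes for one account. Only SHA-256 digests are stored; the
    plaintext codes are shown to the user once, at generation time. A slow
    password hash is unnecessary here because each code is ~51 bits of
    CSPRNG output, not a human-chosen secret (assumed design)."""

    def __init__(self) -> None:
        self._hashes = set()

    @staticmethod
    def _hash(code: str) -> bytes:
        # Normalise so "abc12 def34" and "ABC12-DEF34" match the same digest.
        return hashlib.sha256(code.upper().replace(" ", "").encode()).digest()

    def regenerate(self, count: int = CODE_COUNT) -> list:
        """Issue a fresh set; every previously issued code is invalid immediately."""
        codes = []
        while len(codes) < count:
            raw = "".join(secrets.choice(ALPHABET) for _ in range(10))
            code = f"{raw[:5]}-{raw[5:]}"  # constructed format, e.g. ABC12-DEF34
            if code not in codes:
                codes.append(code)
        self._hashes = {self._hash(c) for c in codes}  # old digests dropped
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume a code: returns True exactly once per code. Every stored digest
        is compared in constant time so a wrong guess does not leak match length."""
        digest = self._hash(submitted)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, digest):
                self._hashes.discard(stored)  # single use: burn it on success
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```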

Disabling 2FA

To remove 2FA from your account:

  1. Click 2FA management button
  2. Select "Disable 2FA"
  3. Warning displays about reduced security
  4. Enter current 6-digit code to confirm
  5. 2FA removed from account

Note: Disabling 2FA returns your account to password-only authentication. Consider the security implications before proceeding.


Recovery Scenarios

Lost Authenticator Access

If you lose your phone or cannot access your authenticator:

Option 1: Use Recovery Code

  1. Select "Use recovery code" at login
  2. Enter any unused recovery code
  3. Sign in and immediately set up new authenticator

Option 2: Contact Support

If you have no recovery codes:

  1. Create support ticket from logged-out state
  2. Provide account verification information
  3. Support will assist with account recovery

Device Change

Moving authenticator to a new device:

Option 1: Multi-device apps (Authy)

  • Authy syncs across devices automatically
  • Install on new device and sign in to Authy account

Option 2: Manual migration

Before a factory reset or before losing access to the old device:

  1. Sign in to GitScrum
  2. Disable 2FA
  3. Set up new device with authenticator app
  4. Re-enable 2FA (scan with new device)
  5. Save new recovery codes

Time Sync Issues

If codes constantly fail:

Issue                 Solution
Device time wrong     Enable automatic time setting
Manual time offset    Sync time with the network
App desync            Use "Time Sync" in the authenticator app settings

Most authenticator apps have a time sync option in settings. Google Authenticator: Settings → Time correction for codes → Sync now.


Security Best Practices

Recovery Code Storage

Do:

  • Store in password manager
  • Keep encrypted backup
  • Print and store in secure location
  • Use secure notes app

Don't:

  • Store in plain text files
  • Email to yourself
  • Take screenshots
  • Share with others

Authenticator App Selection

Consider apps that support:

  • Encrypted backups
  • Multi-device sync
  • Biometric protection
  • Export/import functionality

Recommended:

  • Authy - Cloud sync, multi-device
  • 1Password - Integrated with password manager
  • Google Authenticator - Simple, no account required

Account Protection

Complete security checklist:

  1. ✓ Strong, unique password
  2. ✓ 2FA enabled
  3. ✓ Recovery codes stored securely
  4. ✓ Email notifications for sign-ins enabled
  5. ✓ Regular password updates

Frequently Asked Questions

What if I enter the wrong code?

You have multiple attempts before temporary lockout. Wait a moment and try the current code (codes change every 30 seconds).

Can I use SMS-based 2FA?

GitScrum uses TOTP (Time-based One-Time Password) via authenticator apps only. SMS is not supported due to security vulnerabilities.

Do I need 2FA for API access?

API tokens are separate from 2FA. Once you generate an API token, it works without 2FA verification. Protect API tokens as you would passwords.

Can workspace admins see my 2FA status?

Admins can see whether 2FA is enabled for workspace members but cannot access your codes, recovery codes, or disable your 2FA.

What happens to 2FA if I'm removed from workspace?

2FA is account-level, not workspace-level. It remains active regardless of workspace membership changes.


Troubleshooting

Code Not Working

  1. Check time: Device clock must be accurate
  2. Wait for new code: Don't use expiring codes
  3. Verify account: Ensure scanning correct QR
  4. Try recovery code: Use backup if needed

QR Code Won't Scan

  1. Increase brightness: Ensure screen is visible
  2. Clean camera: Remove obstructions
  3. Use manual entry: Click "Can't scan?" option
  4. Try different app: Some apps have better scanning

Locked Out

  1. Use recovery code if available
  2. Contact support if no recovery codes
  3. Verify identity through support process
  4. Regain access after verification