MFA Setup

Multi-factor authentication (MFA) adds a second layer of protection to your OSCAL Hub account. After enabling it, signing in requires both your password and a one-time code generated by an authenticator app on your phone or device. Even if someone obtains your password, they cannot access your account without the second factor.

OSCAL Hub uses TOTP (Time-based One-Time Password), which is compatible with all major authenticator apps:


Enabling MFA

  1. Open MFA Setup

    Navigate to /mfa-setup directly, or follow the link from your Profile page. If you are already authenticated, the setup screen loads immediately. If you were prompted to set up MFA during sign-in, the same page opens as part of the login flow.

  2. Scan the QR code

    Open your authenticator app and use its Add account or Scan QR code option. Point your camera at the QR code displayed on the setup page. The app will create a new OSCAL Hub entry and begin generating 6-digit codes.

    If you cannot scan the QR code (for example, on a device without a camera), click Show manual entry key to reveal the text secret. Enter the secret manually into your authenticator app.

  3. Enter the 6-digit code

    Type the 6-digit code currently shown in your authenticator app into the six individual input boxes on the setup page. Codes rotate every 30 seconds — if the code expires before you submit, simply enter the new code.

  4. Save your backup codes

    After the code is accepted, OSCAL Hub displays a set of backup codes. These are single-use recovery codes that can bypass MFA if you lose access to your authenticator app.

    Save them now — copy them into a password manager, print them out, or store them somewhere secure offline. They will not be shown again.

  5. Click Enable

    Click the Enable MFA (or Confirm) button to finalize the setup. MFA is now active on your account.

Your backup codes are the only way to regain access to your account if you lose your authenticator app and cannot generate a TOTP code. Store them in a password manager or secure offline location immediately after setup. If you lose them, an administrator must manually disable MFA on your account.


Using MFA when signing in

Once MFA is enabled, the sign-in flow adds an extra step:

  1. Enter your username and password as usual and click Sign in.
  2. You are redirected to the MFA verification screen (/mfa-verify).
  3. Open your authenticator app, find the OSCAL Hub entry, and enter the current 6-digit code.
  4. Click Verify. You are now signed in.

Lost your phone? On the verification screen, click Use backup code. Enter one of the backup codes you saved during setup. Each backup code is valid for one use only — once used, it cannot be reused.


Disabling MFA

If you want to turn MFA off:

  1. Navigate to your Profile page.
  2. Find the MFA section and click Disable MFA (or a similar button).
  3. You will be asked to confirm your identity with your current password.
  4. Confirm the action. MFA is removed from your account immediately.

If you have lost both your authenticator app and all of your backup codes, you cannot disable MFA yourself. Contact your Org Admin or a Super Admin and ask them to disable MFA on your account from the admin dashboard.


Tips and limits

  • Time sync: TOTP codes depend on accurate time. If your phone's clock is out of sync, codes will be rejected. Ensure your device uses automatic time synchronization.
  • Multiple devices: Most authenticator apps (for example Authy or 1Password) support syncing across devices. Set this up when you first enroll so you always have a backup device.
  • New phone: If you get a new phone, re-enroll your authenticator before discarding the old device, or use a backup code to sign in and then set up MFA again.
  • Org enforcement: If your organization administrator has enabled mandatory MFA, you will be required to complete this setup the next time you sign in. You cannot skip it.