
Multi-factor authentication

TOTP (Time-based One-Time Password) using any standard authenticator app — Authy, 1Password, Google Authenticator, Microsoft Authenticator, Bitwarden, etc.

CredWatch holds findings about your secrets. Turn this on.

Set up

  1. Go to Profile → Multi-factor authentication → Enable.
  2. Scan the QR code with your authenticator app, or paste the displayed setup secret manually.
  3. Enter the 6-digit code your app is currently showing.
  4. Click Verify and enable.

After verification you'll see 8 recovery codes: one-time codes in XXXXXXXX-XXXXXXXX format. Save them now. Print them, store them in a password manager, or keep them in a sealed envelope; anywhere safe that you can still reach without your phone. Each code works exactly once.

Logging in with MFA

After entering your password, you'll be prompted for the 6-digit code:

  • Open your authenticator app.
  • Enter the current code for "CredWatch".
  • The challenge expires after 5 minutes — if you miss the window, log in again.

The portal accepts the code for the previous and the next 30-second step as well as the current one, so a phone clock that is up to 30 seconds slow or fast still works.
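The check behind the setup and login steps above, as an added Python example that is not CredWatch's own code: RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits) verified with the ±1-step window the page describes, tested against the RFC's published test secret. The secret generator, the otpauth:// provisioning URI, and the last_used_counter replay guard are assumptions about a reasonable implementation, not features the page documents.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30    # seconds per TOTP step
DIGITS = 6   # code length the page describes

# RFC 6238 Appendix B test secret ("12345678901234567890" as ASCII), base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes=20):
    """Random base32 secret (unpadded) to show as a QR code / manual setup key."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def _b32decode(secret_b32):
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """The code an authenticator app shows at Unix time `at` (default: now)."""
    now = int(time.time() if at is None else at)
    return hotp(_b32decode(secret_b32), now // step, digits)


def verify_totp(secret_b32, code, at=None, window=1, step=STEP, digits=DIGITS,
                last_used_counter=-1):
    """Return the matching step counter if `code` is valid within ±window steps of `at`,
    else None.

    window=1 is the ±30-second tolerance the page describes. Steps at or below
    last_used_counter are refused so an already-accepted code cannot be replayed
    inside its validity window (assumption: the caller persists the returned
    counter per user).
    """
    code = code.strip().replace(" ", "")
    if not (code.isdigit() and len(code) == digits):
        return None                       # reject junk before touching the secret
    key = _b32decode(secret_b32)
    now = int(time.time() if at is None else at)
    current = now // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):  # constant-time
            return counter
    return None


def provisioning_uri(secret_b32, account, issuer="CredWatch"):
    """otpauth:// URI of the kind authenticator apps read from the setup QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


if __name__ == "__main__":
    # RFC 6238 vector: at T=59 the 8-digit SHA1 code is 94287082, so the 6-digit code is 287082.
    print(totp(RFC_SECRET, at=59))                      # 287082
    print(verify_totp(RFC_SECRET, "287082", at=89))     # 1: previous step still accepted
    print(verify_totp(RFC_SECRET, "287082", at=119))    # None: two steps old
    print(provisioning_uri(generate_secret(), "alice@example.com"))
```

Note the order of checks in verify_totp: the format test runs before the secret is decrypted or touched, and the comparison uses hmac.compare_digest so a wrong digit in the first position costs the same time as a wrong digit in the last.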

Lost your phone — recovery codes

On the MFA challenge page, click Use recovery code instead. Paste one of your saved codes. It's consumed immediately — that specific code will never work again.

Generate a fresh batch of codes from Profile → MFA → Regenerate codes (requires a current TOTP code).

Lost both your phone and recovery codes

Email [email protected] from the email address on file. We'll verify ownership and reset MFA on your account. Plan for some back-and-forth — this is intentionally not a one-click reset.

Enforcing MFA org-wide (Growth+)

Account admins can require MFA for every member of the account:

  1. Go to Profile → MFA enforcement.
  2. Toggle Require MFA for all users in this account.
  3. Click Save.

Once enforcement is on, anyone in your account who hasn't set up MFA will be forced into the MFA setup flow on their next login — no skip button. They cannot access the dashboard, findings, or anything else until MFA is enabled.

To disable enforcement later, untoggle and save. Members who already have MFA enabled keep it; members without it (new or existing) are no longer forced into the setup flow.

Disable MFA for your own account

  1. Profile → MFA → Disable.
  2. Enter your current 6-digit code to confirm it's you.
  3. Click Disable.

This deletes the TOTP secret and recovery codes from our database. Account-level enforcement (if on) will force you back into the setup flow on next login.

Behind the scenes

  • The TOTP secret is stored Fernet-encrypted in our database and decrypted only at verification time.
  • Recovery codes are also encrypted at rest, and each is hashed individually so it can be consumed exactly once.
  • All MFA events (mfa_enabled, mfa_disabled, mfa_failed, mfa_challenge_sent) are written to your account's audit log (visible to admins under Team → Audit log).
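Recovery-code handling as described in the "Lost your phone" section and the storage bullets above, as an added Python example that is not CredWatch's own code. It issues a batch of 8 codes in XXXXXXXX-XXXXXXXX format, keeps only a per-code hash, removes that hash the first time the code is redeemed, and throws the whole old batch away on regenerate. The unambiguous alphabet, the HMAC-SHA256 server pepper and the tolerant input normalization (case, spaces, hyphen) are assumptions; the page states only the code shape and that each code is hashed individually. The Fernet encryption of the TOTP secret is not shown.

```python
import hashlib
import hmac
import secrets

# Assumption: uppercase alphabet without 0/O, 1/I/L so printed codes are unambiguous.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CODE_COUNT = 8          # batch size the page describes


def generate_recovery_codes(count=CODE_COUNT):
    """Fresh random codes in XXXXXXXX-XXXXXXXX form (16 chars ~ 79 bits of entropy each)."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
        codes.append(f"{raw[:8]}-{raw[8:]}")
    return codes


def normalize(code):
    """Accept what a user pastes: any case, with or without the hyphen or spaces."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def hash_code(code, pepper):
    # HMAC-SHA256 keyed with a server-side pepper (assumption): a database dump
    # alone is not enough to brute-force the hashes back into usable codes.
    return hmac.new(pepper, normalize(code).encode(), hashlib.sha256).hexdigest()


class RecoveryCodeStore:
    """Per-user store that holds only hashes; a hash is deleted when its code is redeemed."""

    def __init__(self, pepper):
        self.pepper = pepper
        self.hashes = set()

    def issue(self, count=CODE_COUNT):
        """Enable or Regenerate: the previous batch is discarded, the new plaintext
        codes are returned once for the user to save and are never stored."""
        codes = generate_recovery_codes(count)
        self.hashes = {hash_code(c, self.pepper) for c in codes}
        return codes

    def redeem(self, code):
        """Consume `code`. True exactly once per code, False for unknown or used codes."""
        candidate = hash_code(code, self.pepper)
        matched = None
        # Compare against every stored hash, without early exit, so timing does
        # not reveal which slot (if any) matched.
        for stored in self.hashes:
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            return False
        self.hashes.remove(matched)     # that specific code never works again
        return True

    def remaining(self):
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore(pepper=b"constructed-demo-pepper")
    batch = store.issue()
    print(batch)
    print(store.redeem(batch[0]), store.redeem(batch[0]))   # True False
    print(store.remaining())                                # 7
```

Regenerating is deliberately all-or-nothing: because only hashes are kept, the server cannot show the unused codes again, so the only safe answer to "I lost the sheet" is a new batch that invalidates the old one, which is also why the page gates it behind a current TOTP code.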

Related: Team management for inviting teammates, API keys for programmatic access. API keys are independent of user MFA: enabling or enforcing MFA adds no second factor to requests made with an API key, so treat those keys with the same care as a password.