
Two-Factor Authentication (2FA)

Protect your MFTPlus account with two-factor authentication (2FA) using Time-based One-Time Passwords (TOTP). 2FA adds an extra layer of security by requiring both your password and a code from your authenticator app when signing in.

What is 2FA/TOTP?

Two-factor authentication (2FA) requires two forms of identification to access your account:

  1. Something you know — your password
  2. Something you have — your authenticator app generating time-based codes

TOTP (Time-based One-Time Password, RFC 6238) is a standard 2FA method. Your authenticator app and the MFTPlus server share a secret, and each derives a short code from that secret and the current time, so a new code appears every 30 seconds. A code that someone captures is worthless once its window has passed, which is what makes TOTP resistant to replay. It does not by itself stop a phishing site that relays your code to MFTPlus in real time, so check the address bar before you enter a code.

Why Enable 2FA?

  • Protect sensitive transfers — Your MFTPlus account controls access to file transfers and audit logs
  • Prevent unauthorized access — Even if your password is leaked or guessed, an attacker also needs a current code from your authenticator to sign in
  • Compliance requirements — Many security standards (SOC2, HIPAA, PCI-DSS) recommend or require 2FA
  • Audit trail integrity — Actions recorded against your account in the audit logs cannot be performed with a stolen password alone, so the log reflects what you actually did

Supported Authenticator Apps

MFTPlus works with any TOTP-compatible authenticator app:

App                     | Platform              | Notes
Google Authenticator    | iOS, Android          | Free, popular choice
Microsoft Authenticator | iOS, Android          | Free, includes cloud backup
Authy                   | iOS, Android, Desktop | Free, multi-device sync
1Password               | iOS, Android, Desktop | Password manager with built-in TOTP
Bitwarden               | iOS, Android, Desktop | Password manager with built-in TOTP
YubiKey Authenticator   | iOS, Android, Desktop | Hardware key integration

Recommendation

If you already use a password manager that supports TOTP (like 1Password or Bitwarden), using it for 2FA keeps everything in one place. The trade-off is that your password and your second factor then sit behind the same vault, so protect that vault with a strong master password and its own 2FA. Otherwise, Google Authenticator or Microsoft Authenticator are excellent free choices.

Enabling 2FA

Step 1: Access Security Settings

  1. Sign in to your MFTPlus dashboard
  2. Click your profile icon/username in the top-right corner
  3. Select Settings from the dropdown menu
  4. Navigate to the Security tab

Step 2: Install an Authenticator App

If you haven't already, install a TOTP-compatible authenticator app on your mobile device from your app store.

Step 3: Scan the QR Code

  1. In the Security settings, click Enable 2FA or Set up two-factor authentication
  2. A QR code will be displayed
  3. Open your authenticator app and add a new account
  4. Select Scan QR code (or Enter provided key if scanning is not available)
  5. Point your camera at the QR code on your screen

Manual Entry

If you cannot scan the QR code, look for a "Can't scan?" or "Manual entry" option. You'll be asked to enter:

  • Account name — MFTPlus or your email
  • Secret key — A long string of characters displayed on screen

Step 4: Verify and Save

  1. Your authenticator app will now display a 6-digit code that changes every 30 seconds
  2. Enter this code in the Verification code field in MFTPlus
  3. Click Verify or Enable

Step 5: Save Your Backup Codes

After enabling 2FA, 10 backup codes will be displayed. These are one-use recovery codes that allow you to access your account if you lose your authenticator app.

Important:

  • Save these codes immediately — They won't be shown again
  • Store them securely — Keep them in a safe place (password manager, safe, or secure note)
  • Don't share them — Each code can only be used once

Critical

Backup codes are your only self-service way back into your account if you lose your authenticator app; without them you will have to ask an administrator or MFTPlus support to reset your 2FA. Save them now before closing the window.

Signing In with 2FA

After enabling 2FA, the sign-in process changes slightly:

  1. Enter your username and password as usual
  2. On the next screen, enter the 6-digit code from your authenticator app
  3. Click Verify or Sign In

The code changes every 30 seconds. If a code expires before you enter it, wait for your authenticator to generate a new one.

Stay Signed In

MFTPlus remembers your device for 30 days, so you won't need to enter a 2FA code every time you sign in from a trusted device. Because a remembered device skips the second factor for that whole period, only sign in from devices you control, and never let a shared or public computer be remembered.

Using Backup Codes

Use a backup code when:

  • You lose your authenticator app
  • You get a new phone and haven't transferred your authenticator
  • Your authenticator app isn't working

To sign in with a backup code:

  1. On the 2FA verification screen, click Lost your device? or Enter a backup code
  2. Enter one of your 10 backup codes
  3. Sign in and immediately reconfigure 2FA in Settings → Security

Code Usage

Each backup code can only be used once. After using a code, consider it invalid and cross it off your saved list.

Managing 2FA Settings

Regenerating Backup Codes

If you've used most of your backup codes or suspect they've been compromised:

  1. Go to Settings → Security
  2. Find the 2FA section
  3. Click Regenerate backup codes
  4. Save the new codes — The old ones become invalid immediately
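The one-use behaviour described in Step 5, Using Backup Codes and Regenerating Backup Codes, as an added example rather than MFTPlus's own implementation: a service issues ten random codes, stores only keyed hashes of them (so a copied database does not yield the codes), redeems each exactly once, accepts the code however the user typed it, and invalidates the entire old set the moment a new one is generated. The pepper value is a constructed placeholder and the code format (five hex characters, hyphen, five hex characters) is this example's choice.

```python
# Added example, not MFTPlus code: ten single-use backup codes, stored as keyed hashes,
# consumed exactly once, and replaced wholesale on regeneration.
import hashlib
import hmac
import secrets

# Constructed placeholder. In a real deployment this key lives in a secrets manager or KMS,
# not beside the user table, so a dumped table of hashes cannot be brute-forced offline.
SERVER_PEPPER = b"constructed-example-pepper-do-not-use"

CODE_BYTES = 5   # 40 bits of randomness per code, shown as 10 hex characters
CODE_COUNT = 10


def normalize(code: str) -> str:
    """Users type codes with or without the hyphen, in either case, sometimes with spaces."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def code_hash(code: str) -> str:
    """HMAC-SHA256 under the server pepper; the plaintext code is never stored."""
    return hmac.new(SERVER_PEPPER, normalize(code).encode(), hashlib.sha256).hexdigest()


class BackupCodes:
    """Per-user state: the hashes of codes that have not been redeemed yet."""

    def __init__(self):
        self.unused = set()

    def generate(self) -> list:
        """Issue a fresh set. Any earlier set is invalidated at once ('Regenerate backup codes')."""
        plain = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self.unused = {code_hash(c) for c in plain}
        # Formatted codes are returned once; this is the only time the user can see them.
        return [f"{c[:5]}-{c[5:]}" for c in plain]

    def redeem(self, code: str) -> bool:
        """True exactly once per issued code; a second attempt with the same code fails."""
        presented = code_hash(code)
        match = None
        for stored in self.unused:          # compare against every entry, no early exit
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return False
        self.unused.discard(match)          # consumed: cross it off, as the user should too
        return True

    def remaining(self) -> int:
        return len(self.unused)


if __name__ == "__main__":
    store = BackupCodes()
    codes = store.generate()
    print("show these once:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
```

Forty bits per code is plenty against online guessing only if the backup-code endpoint is rate limited and lockout-protected like the password form; the pepper is what stops offline guessing against a leaked table. If you cannot keep a pepper separate from the database, hash the codes with a deliberately slow function instead.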

Disabling 2FA

We strongly recommend keeping 2FA enabled. If you must disable it:

  1. Go to Settings → Security
  2. Click Disable 2FA
  3. You'll be prompted to enter a 2FA code to confirm
  4. Confirm the action

Security Risk

Disabling 2FA reduces your account security. Only disable if absolutely necessary, and re-enable it as soon as possible.

Switching Authenticator Apps

If you want to use a different authenticator app:

  1. Go to Settings → Security
  2. Click Change authenticator or Reset 2FA
  3. This will disable your current 2FA setup
  4. Follow the enabling 2FA steps again with your new app

Troubleshooting

Code Says "Invalid"

  • Check the time — Your device's clock must be accurate. TOTP codes are time-sensitive. Enable automatic time sync on your device.
  • Wait for a new code — The code may have expired (30-second window). Wait for your authenticator to generate a fresh one.
  • Check for typos — Ensure you're entering all 6 digits correctly

Can't Scan QR Code

  • Use manual entry — Look for an option to manually enter the secret key instead of scanning
  • Check screen brightness — QR codes can be hard to scan on very bright or dim screens
  • Try a different app — Some authenticator apps scan QR codes better than others

Lost Authenticator and No Backup Codes

If you've lost access to your authenticator app and don't have backup codes:

  1. Contact your administrator — If you're part of an organization, your admin can reset your 2FA
  2. Contact MFTPlus support at support@mftplus.co.za — You'll need to verify your identity through alternative means

Prevention

To avoid this situation, always save backup codes when enabling 2FA, and consider using a password manager that syncs across devices for your authenticator.

Codes Not Syncing Across Devices

Authenticator apps differ in whether they back up or sync your TOTP secrets:

  • Google Authenticator — Optional backup to your Google Account; if that is off, you must move accounts yourself with the app's transfer/export feature before switching phones
  • Microsoft Authenticator — Cloud backup available (requires Microsoft account)
  • Authy — Multi-device sync built-in
  • 1Password/Bitwarden — Syncs through your password manager vault

If you switch devices frequently, consider using Authy, 1Password, or Bitwarden for easier recovery. A synced or cloud-backed secret is only as safe as the account it syncs through, so protect that Google, Microsoft, Authy, or password manager account with a strong password and its own 2FA.

Security Best Practices

DO

  • Enable 2FA on all accounts — Not just MFTPlus, but email, banking, and other services
  • Save backup codes securely — Store them in a password manager or secure location
  • Use a password manager with TOTP — Keeps passwords and codes together securely
  • Keep your device updated — Security patches protect your authenticator app
  • Enable device encryption — If your phone is lost or stolen, encryption protects your data

DON'T

  • Share your codes — Never give your 2FA code to anyone, even if they claim to be support
  • Reuse codes — Each code expires after 30 seconds and cannot be used again
  • Store backup codes in plain text — Keep them encrypted or physically secure
  • Disable 2FA "temporarily" — It's easy to forget to re-enable it
  • Use SMS 2FA when you have a choice — TOTP apps are more secure than SMS-based 2FA, which can be defeated by SIM swapping and interception of text messages

Organizational 2FA Policies

If you're an administrator managing an MFTPlus deployment:

Requiring 2FA for All Users

  1. Go to Admin → Organization Settings
  2. Find the Security Policies section
  3. Enable Require 2FA for all users
  4. Existing users will be prompted to enable 2FA on their next sign-in
  5. New users must enable 2FA during account creation

Exempting Service Accounts

Service accounts and API keys may be exempt from 2FA requirements:

  1. Go to Admin → Service Accounts
  2. Create a service account with API key authentication
  3. Service accounts use API keys instead of username/password + 2FA

Because an API key stands in for both factors, treat it as you would a password plus its authenticator: keep it in a secrets manager rather than in source code or shared documents, and replace it immediately if it is exposed.

Auditing 2FA Status

View which users have 2FA enabled:

  1. Go to Admin → Users
  2. The 2FA Status column shows:
    • Enabled — User has 2FA active
    • Disabled — User does not have 2FA
  3. Export the user list for compliance reporting
