
How do I enable Two-Factor Authentication (2FA)?

Written by Emilia Carvell
Updated over a week ago

What is Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to user accounts. When enabled, users need both their password and a one-time code from an authenticator app (such as Google Authenticator, Authy, or 1Password) to sign in.

2FA only applies to users who sign in with a username and password. Users who sign in via SSO are exempt, as their identity provider handles authentication security.


This article will cover:

  • Setting up 2FA (individual users)

  • Managing 2FA (individual users)

  • Enforcing 2FA for a whole company

  • Resetting a user's 2FA (user managers)

  • Recovery codes

  • FAQ


Setting up 2FA (individual users)

Any user can enable 2FA for their own account:

1. Click on the icon in the top right of your screen (usually your initials) and select "Settings".

2. Click into the Security tab and follow the three-step setup process:

  1. Save recovery codes - A set of one-time-use backup codes is generated. Users must save these before continuing as they cannot be viewed again after setup is complete. These codes can be used to sign in if the user loses access to their authenticator app.

  2. Scan QR code - Scan the displayed QR code with an authenticator app to link the account.

  3. Enter verification code - Enter the six-digit code from the authenticator app to confirm setup.

Once configured, the user will be prompted for a code from their authenticator app each time they sign in with their password.


Managing 2FA (individual users)

Once 2FA is set up, users can manage it from the Security page described above (icon in the top right of the screen > Settings > Security):

Reset 2FA - Invalidates the current authenticator device and recovery codes. The user will need to go through the setup process again.

Generate new recovery codes - Creates a new set of recovery codes and invalidates any existing ones.

If the company enforces 2FA, individual users cannot disable it.


Enforcing 2FA for a whole company

Pinpoint can now enforce 2FA for all password-based users in a company.

Please contact your Customer Success Manager if you wish to enforce 2FA for your company.

What happens when enforcement is turned on:

Any user who signs in with a username and password and has not yet set up 2FA will be redirected to the security settings page immediately after login.

They will not be able to access any other part of Pinpoint until they complete the 2FA setup.

Please be aware that:

  • Users who already have 2FA configured are unaffected.

  • SSO users are completely exempt.

  • Users cannot disable 2FA while enforcement is active.


Resetting a user's 2FA (user managers)

If a user loses access to their authenticator app and their recovery codes, a user with the "Invite and manage users" permission can reset their 2FA:

1. Open User Management (under Company in the left-hand navigation bar) and open the user's profile

2. Open the Security tab

3. Click Reset Two-Factor Authentication

4. Confirm the reset

This invalidates the user's current authenticator device and recovery codes, allowing them to sign in again. If enforcement is turned on for the company, the user will be required to set up 2FA again on their next login.


Recovery codes

  • Recovery codes are generated during 2FA setup.

  • Each code can only be used once.

  • They should be stored somewhere safe as a backup in case the user loses access to their authenticator app.

  • Recovery codes cannot be viewed again after the initial setup, but new ones can be generated from the security settings page (this invalidates any previous codes).
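The following Python model is an added illustration of the rules described in the setup, management and recovery-code sections above; it is not Pinpoint's own code, which this article does not show. It verifies six-digit codes the way any TOTP-compatible app produces them (RFC 6238, HMAC-SHA1, 30-second steps), keeps recovery codes only as hashes so they can be shown exactly once, burns each code on use, invalidates the old set when a new one is generated, and refuses to disable 2FA while the company enforces it. The secret, the count of eight recovery codes and the one-step clock tolerance are assumptions.

```python
import hashlib, hmac, secrets, struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults used by the authenticator apps named in this article


def totp(secret, at, step=STEP, digits=DIGITS):
    """Six-digit TOTP (RFC 6238, HMAC-SHA1) for the time step that contains Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TwoFactorAccount:
    """Constructed model of one password user's 2FA state; not Pinpoint's implementation."""
    def __init__(self, enforced=False):
        self.enforced = enforced        # company-wide enforcement flag
        self.secret = None              # None until setup has been completed
        self._recovery_hashes = set()   # only hashes of recovery codes are kept

    def begin_setup(self, secret=None):
        """Setup steps 1-2: recovery codes (returned exactly once) and the secret the QR code carries."""
        self.secret = secret or secrets.token_bytes(20)
        return self.secret, self.generate_recovery_codes()

    def generate_recovery_codes(self, count=8):
        """Fresh one-time codes; replacing the hash set invalidates every earlier code."""
        codes = [secrets.token_hex(5) for _ in range(count)]
        self._recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        return codes

    def verify_totp(self, code, at, skew=1):
        """Setup step 3 and every login; accepting +/- `skew` steps of clock drift is an assumption."""
        return self.secret is not None and any(
            hmac.compare_digest(totp(self.secret, at + i * STEP), code)
            for i in range(-skew, skew + 1))

    def use_recovery_code(self, code):
        """Backup sign-in: a code is accepted at most once, then burned."""
        digest = hashlib.sha256(code.strip().encode()).hexdigest()
        accepted = digest in self._recovery_hashes
        self._recovery_hashes.discard(digest)
        return accepted

    def reset(self):  # self-service or user-manager reset: device and codes are invalidated
        self.secret, self._recovery_hashes = None, set()
    def disable(self):  # refused while the company enforces 2FA
        if self.enforced:
            return False
        self.reset()
        return True
    def needs_setup(self):  # enforcement gate: finish setup before using anything else
        return self.enforced and self.secret is None
```

The `totp` function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59 gives `287082`), so you can check it against any of the apps listed above.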


FAQ

Q: Does 2FA apply to SSO users?

A: No. SSO users are exempt from 2FA since their identity provider manages authentication security.

Q: What authenticator apps work with Pinpoint?

A: Any TOTP-compatible authenticator app will work, including Google Authenticator, Authy, Microsoft Authenticator, and 1Password.

Q: A user is locked out and can't use their authenticator or recovery codes. What do we do?

A: A user manager can reset their 2FA from the Security tab on the employee's profile in User Management. This lets them sign back in and set up 2FA again.

Q: Can a user disable 2FA if the company enforces it?

A: No. When enforcement is turned on, the option to disable 2FA is locked and users see a message explaining that 2FA is enforced by their company.

Q: What happens if we turn on enforcement and some users don't have 2FA yet?

A: Those users will be redirected to set up 2FA the next time they sign in. They won't be able to use Pinpoint until they complete the setup.
