MFA (multi-factor auth)

Multi-factor authentication adds a second factor to LakeSail sign-in: a 6-digit time-based code from an authenticator app (TOTP). This page covers enrollment, admin reset, and recovery.

When MFA is required

MFA is required when the organization's policy says it is.

For users in such an org, MFA enrollment is part of the signup flow:

  • After creating the account and verifying email, the signup wizard surfaces a 2FA setup step.
  • The user scans a QR code with an authenticator app (Google Authenticator, 1Password, Authy, Bitwarden, etc.) and enters a 6-digit code to confirm enrollment.
  • They can then sign in.

If MFA is optional in the org, members can enable it themselves from Account settings → Security.

Enroll in MFA (self-service)

  1. Open Account settings → Security.
  2. Click Set up 2FA.
  3. Scan the QR code with your authenticator app.
  4. Enter the current 6-digit code from the app to confirm.
  5. Save the recovery codes that LakeSail shows you.

Save your recovery codes

Recovery codes are the only way to sign in if you lose your authenticator device. Save them somewhere outside the device — a password manager, a printed copy, etc. LakeSail can't show them to you again.

Sign in with MFA

  1. Enter your email and password as usual.
  2. When prompted, open your authenticator app and enter the current 6-digit code.
  3. Continue into LakeSail.

The code rotates every 30 seconds. If your code is rejected, your device clock may be drifting — most authenticator apps have a "sync time" option.
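
Why a drifting clock gets a code rejected, shown as an added example (not LakeSail's code). It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the `window` tolerance, the function names and the sample secret are assumptions for illustration, since this page does not state LakeSail's server-side settings.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret: the published RFC 6238 test key, not a LakeSail value.
SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1 assumed)."""
    counter = unix_time // STEP
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def matching_offset(secret: bytes, code: str, server_time: int, window: int):
    """Return the step offset in -window..+window whose code matches, else None."""
    for delta in sorted(range(-window, window + 1), key=abs):
        t = server_time + delta * STEP
        if t < 0:
            continue  # no step exists before the Unix epoch
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(totp(secret, t).encode(), code.encode()):
            return delta
    return None


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code if it belongs to the current step or one within `window` steps."""
    return matching_offset(secret, code, server_time, window) is not None


if __name__ == "__main__":
    server_now = 1111111111        # constructed server clock
    device_now = server_now - 2    # device is 2 s slow, which lands in the previous step
    code = totp(SECRET, device_now)
    print("device shows:", code)
    print("strict check (window=0):", verify(SECRET, code, server_now, window=0))
    print("tolerant check (window=1):", verify(SECRET, code, server_now, window=1))
    print("matched at step offset:", matching_offset(SECRET, code, server_now, 1))
```

A wider window tolerates more drift but also lengthens the time a captured code stays valid, which is why syncing the device clock is the better fix.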

Lost device: use a recovery code

If you've lost the device with your authenticator:

  1. On the MFA prompt screen, click Use a recovery code.
  2. Enter one of the recovery codes you saved at enrollment.
  3. Sign in.

Each recovery code works once. After signing in, immediately re-enroll on a new device — open Account settings → Security, click Reset 2FA, and follow the enroll steps again. Generating new recovery codes invalidates the old ones.

Reset your own MFA

Open Account settings → Security and click Reset 2FA. The current TOTP secret is discarded; you re-enroll from scratch and get fresh recovery codes.

Admin reset

When a member loses their device and has no recovery codes left, an admin can reset their MFA on their behalf:

  1. Open Settings → Members and click the member.
  2. Click Reset MFA (or Reset 2FA).
  3. Confirm.

After the reset, the member's existing TOTP secret is invalidated. They'll be prompted to re-enroll on their next sign-in.

This action is auditable — the actor and timestamp are recorded — so it's appropriate for support workflows but not something to do casually.

Verify identity first

Before performing an admin MFA reset, verify the requester is who they claim to be through a channel outside of LakeSail (a Slack DM, a phone call, your help-desk ticket system). Resetting MFA after a phishing-style request is exactly how account takeover happens.

Disable MFA

If your org's policy permits, members can disable MFA from Account settings → Security. If MFA is org-required, the disable option won't be available — you'll have to leave the org or change the policy.

API reference

  • MFAResetMyMfa (self-service), AdminResetMfa (admin reset).