# Multi-Factor Authentication (MFA)

### What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a security feature that requires you to verify your identity using a second method every time you log in. In addition to your password, you must provide a one-time verification code — either sent to your registered email or generated by an authenticator app. This ensures that even if your password is compromised, your account remains protected.

***

### When should you use this?

Use this feature when:

* You want to add an extra layer of security to your account beyond just a password
* You need to protect sensitive bot configurations, customer data, and team access
* You are trying to meet security or compliance requirements for your organization

***

### Benefits of Multi-Factor Authentication

* 🔐 Adds a strong second layer of protection to your account
* 🛡️ Prevents unauthorized access even if your password is leaked
* 📱 Supports both email and authenticator app methods for flexibility
* 🔄 Works seamlessly with Google and Facebook login (OAuth) flows
* 🗝️ Includes recovery codes for emergency account access

***

### Expected Outcome

After setting this up:

* Every login will require a verification code in addition to your password
* Unauthorized users will be blocked even if they know your password
* You will have recovery codes available as a backup login method

{% hint style="info" icon="lightbulb" %}
Tip: Download your recovery codes immediately after setup — they are only shown once.
{% endhint %}

***

### How to Set Up MFA

#### Accessing the MFA Settings

1. Go to "More" from the left sidebar and click on "My Account".
2. Navigate to the "Security" tab.

<figure><img src="/files/2D2LV2jtJmVNy79hDcNO" alt=""><figcaption></figcaption></figure>

3. Locate the "Multi-Factor Authentication" dropdown and click to expand it.
4. Click "Setup" or "Select MFA Method" to begin the setup process.

<figure><img src="/files/fgLAOIBvZFCQMB6KJCaM" alt=""><figcaption></figcaption></figure>

5. There are two authentication methods available:
   1. Email
   2. Authenticator Application

#### Method A: Email Verification

6. In the "Choose Authentication Method" popup, select the "Email" card and click "Continue".

<figure><img src="/files/TmOGDh54n0i8YwbaxKTj" alt=""><figcaption></figcaption></figure>

7. A verification code will be sent to the email address linked to your account. Open your inbox and retrieve the code.
8. Enter the code in the verification field on screen and click **"Verify"**.

<figure><img src="/files/XcjGUgt4XxHTRPawZYow" alt=""><figcaption></figcaption></figure>

{% hint style="info" icon="square-check" %}
Once verified, email MFA is active. You will receive a login code on your registered email every time you sign in.
{% endhint %}

***

#### Method B: Authenticator App

9. In the "Choose Authentication Method" popup, select the "Authenticator App" card and click "Continue".

<figure><img src="/files/lQwBsWFD3WLsM5XQJYeQ" alt=""><figcaption></figcaption></figure>

10. On the next screen, set up the authenticator app using one of two methods:
    1. Scan the QR code shown on screen using your authenticator app.
    2. Copy the secret key shown and manually enter it into your authenticator app.

{% hint style="info" %}
Recommended apps: Google Authenticator or Microsoft Authenticator
{% endhint %}

<figure><img src="/files/cA0JiGv14OCMY6OGpwUv" alt=""><figcaption></figcaption></figure>

11. Once the app shows a 6-digit code, enter it in the "Verification Code" field on screen and click "Verify".

<figure><img src="/files/3AzamM5OhBVK0H4ARnNf" alt=""><figcaption></figcaption></figure>

{% hint style="info" icon="square-check" %}
Once verified, authenticator app MFA is active.
{% endhint %}

***

#### Saving Recovery Codes

12. After setup is complete, a set of recovery codes will be displayed on screen. Click **"Download"** to save them immediately.

<figure><img src="/files/wX7wDZFQDscgq56hf2pi" alt=""><figcaption></figcaption></figure>

{% hint style="warning" %}
**Critical:** Recovery codes are shown only once. Once you leave this page, they cannot be retrieved again. Store them somewhere safe.
{% endhint %}

***

### Logging In with MFA Enabled

Once MFA is set up, the login flow changes as follows:

1. Enter your email and password (or log in via Google/Facebook OAuth) as usual.
2. You will be prompted to verify your identity. If both email and authenticator app methods are active, you can choose either. If only one is set up, that method is shown automatically.
3. Enter the verification code from your chosen method and click **"Verify"**.
4. If the code is correct, you are logged in successfully.

{% hint style="warning" %}
You have **3 attempts** to enter the correct verification code. After 3 failed attempts, your account will be temporarily locked. Wait for the cooldown period to expire before trying again.
{% endhint %}

***

#### Logging In with a Recovery Code

If you cannot access your email or authenticator app, you can use a recovery code to log in.

* On the verification screen, select the option to use a recovery code
* Enter one of your saved recovery codes and click **"Verify"**

{% hint style="warning" %}
Each recovery code can only be used **once**. Once used, it is permanently invalidated.
{% endhint %}

***

### Best Practices

> 🔐 Download and store your recovery codes in a secure location (password manager, encrypted file) immediately after setup

> 📱 Use Google Authenticator or Microsoft Authenticator for app-based MFA — avoid lesser-known apps

> ⏱️ If your authenticator app code is not working, ensure your device's clock/time is correctly synced

> 🎯 Set up MFA before sharing account access with team members to enforce account-wide security

***

### Troubleshooting

<details>

<summary><strong>I did not receive the email verification code</strong></summary>

**Solution:**

* Check your spam/junk folder.
* If the email is still missing, verify that the email address associated with your account is correct.
* Wait a few minutes and request a new verification code.

</details>

<details>

<summary><strong>My authenticator app code is being rejected</strong></summary>

**Solution:**

* Ensure your device's date, time, and timezone settings are correct and set to automatic.
* Authenticator apps generate time-based codes, and even a small clock mismatch can cause codes to be rejected.

</details>

<details>

<summary><strong>I lost my recovery codes and cannot access my authenticator app or email</strong></summary>

**Solution:**\
Contact **<support@botpenguin.com>** and provide the necessary account verification details to begin the account recovery process.

</details>

<details>

<summary><strong>My account got locked after 3 failed attempts</strong></summary>

**Solution:**

* Wait for the account cooldown period to expire.
* Once the cooldown period ends, log in again using the correct verification code.
* Avoid making additional login attempts during the cooldown period.

</details>

<details>

<summary><strong>I set up both email and authenticator app MFA but only see one option at login</strong></summary>

**Solution:**

* Navigate to **My Account → Security**.
* Verify that both MFA methods have been successfully configured, verified, and enabled.
* If only one method is active, complete the setup process for the other method.

</details>

***

### FAQs

<details>

<summary><strong>Can I set up both email and authenticator app MFA at the same time?</strong></summary>

Yes. You can set up both methods. During login, you will be able to choose which MFA method to use for that session.

</details>

<details>

<summary><strong>What happens if I lose access to my authenticator app?</strong></summary>

You can use one of your saved recovery codes to log in. After regaining access, navigate to **My Account → Security** to reconfigure your MFA method.

If you have also lost your recovery codes, please contact support for assistance.

</details>

<details>

<summary><strong>Can I disable MFA after it has been set up?</strong></summary>

Yes. Go to **My Account → Security → Multi-Factor Authentication** and use the available options to disable or change your MFA method.

</details>

<details>

<summary><strong>How many recovery codes are provided?</strong></summary>

A set of recovery codes is generated during MFA setup. The exact number is displayed on the recovery codes screen.

Each recovery code can only be used once.

</details>

<details>

<summary><strong>Does MFA apply when logging in via Google or Facebook?</strong></summary>

Yes. If MFA is enabled on your account, you will be required to complete MFA verification even when signing in through Google or Facebook (OAuth).

</details>

<details>

<summary><strong>What is the cooldown period after 3 failed MFA attempts?</strong></summary>

The account is temporarily locked after three consecutive incorrect MFA code entries.

The lockout duration is system-defined. Please wait for the cooldown period to expire before attempting to log in again.

</details>

<details>

<summary><strong>Will I need to verify MFA on every login?</strong></summary>

Yes. MFA verification is required for every new login session once MFA has been enabled on your account.

</details>

<details>

<summary><strong>Can I use any authenticator app, or only Google/Microsoft Authenticator?</strong></summary>

Any TOTP-compatible authenticator application can be used.

However, **Google Authenticator** and **Microsoft Authenticator** are recommended for reliability, compatibility, and ease of use.

</details>

***

### Related Articles

{% content-ref url="/pages/JawGb9VEM7eytyVsBWoA" %}
[Managing My Account](/settings/managing-my-account.md)
{% endcontent-ref %}

{% content-ref url="/pages/2AP1l7k94jkGIaTZbpfG" %}
[Password](/settings/managing-my-account/password.md)
{% endcontent-ref %}

***

### Support

If you still have questions for our team, write to us at **<support@botpenguin.com>**. We'll get back to you within 48 hours.

***

🎉 **Congratulations, you have successfully completed this section!** Your account is now secured with Multi-Factor Authentication.

