Multi-Factor Authentication (MFA)
This section contains essential information and usage guidelines for setting up and managing Multi-Factor Authentication inside your account.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) is a security feature that requires you to verify your identity using a second method every time you log in. In addition to your password, you must provide a one-time verification code, either sent to your registered email or generated by an authenticator app. This ensures that even if your password is compromised, your account remains protected.
When should you use this?
Use this feature when:
You want to add an extra layer of security to your account beyond just a password
You need to protect sensitive bot configurations, customer data, and team access
You are trying to meet security or compliance requirements for your organization
Benefits of Multi-Factor Authentication
Adds a strong second layer of protection to your account
Prevents unauthorized access even if your password is leaked
Supports both email and authenticator app methods for flexibility
Works seamlessly with Google and Facebook login (OAuth) flows
Includes recovery codes for emergency account access
Expected Outcome
After setting this up:
Every login will require a verification code in addition to your password
Unauthorized users will be blocked even if they know your password
You will have recovery codes available as a backup login method
Tip: Download your recovery codes immediately after setup; they are only shown once.
How to Set Up MFA
Accessing the MFA Settings
Go to "More" from the left sidebar and click on "My Account".
Navigate to the "Security" tab.

Locate the "Multi-Factor Authentication" dropdown and click to expand it.
Click "Setup" or "Select MFA Method" to begin the setup process.

There are two authentication methods available:
Email
Authenticator Application
Method A: Email Verification
In the "Choose Authentication Method" popup, select the "Email" card and click "Continue".

A verification code will be sent to the email address linked to your account. Open your inbox and retrieve the code.
Enter the code in the verification field on screen and click "Verify".

Once verified, email MFA is active. You will receive a login code on your registered email every time you sign in.
Method B: Authenticator App
In the "Choose Authentication Method" popup, select the "Authenticator App" card and click "Continue".

On the next screen, set up the authenticator app using one of two methods:
Scan the QR code shown on screen using your authenticator app.
Copy the secret key shown and manually enter it into your authenticator app.
Recommended apps: Google Authenticator or Microsoft Authenticator

Once the app shows a 6-digit code, enter it in the "Verification Code" field on screen and click "Verify".

Once verified, authenticator app MFA is active.
Saving Recovery Codes
After setup is complete, a set of recovery codes will be displayed on screen. Click "Download" to save them immediately.

Critical: Recovery codes are shown only once. Once you leave this page, they cannot be retrieved again. Store them somewhere safe.
Logging In with MFA Enabled
Once MFA is set up, the login flow changes as follows:
Enter your email and password (or log in via Google/Facebook OAuth) as usual.
You will be prompted to verify your identity. If both email and authenticator app methods are active, you can choose either. If only one is set up, that method is shown automatically.
Enter the verification code from your chosen method and click "Verify".
If the code is correct, you are logged in successfully.
You have 3 attempts to enter the correct verification code. After 3 failed attempts, your account will be temporarily locked. Wait for the cooldown period to expire before trying again.
Logging In with a Recovery Code
If you cannot access your email or authenticator app, you can use a recovery code to log in.
On the verification screen, select the option to use a recovery code.
Enter one of your saved recovery codes and click "Verify".
Each recovery code can only be used once. Once used, it is permanently invalidated.
Best Practices
Download and store your recovery codes in a secure location (password manager, encrypted file) immediately after setup
Use Google Authenticator or Microsoft Authenticator for app-based MFA; avoid lesser-known apps
If your authenticator app code is not working, ensure your device's clock/time is correctly synced
Set up MFA before sharing account access with team members to enforce account-wide security
Troubleshooting
I did not receive the email verification code
Solution:
Check your spam/junk folder.
If the email is still missing, verify that the email address associated with your account is correct.
Wait a few minutes and request a new verification code.
My authenticator app code is being rejected
Solution:
Ensure your device's date, time, and timezone settings are correct and set to automatic.
Authenticator apps generate time-based codes, and even a small clock mismatch can cause codes to be rejected.
I lost my recovery codes and cannot access my authenticator app or email
Solution: Contact support@botpenguin.com and provide the necessary account verification details to begin the account recovery process.
My account got locked after 3 failed attempts
Solution:
Wait for the account cooldown period to expire.
Once the cooldown period ends, log in again using the correct verification code.
Avoid making additional login attempts during the cooldown period.
I set up both email and authenticator app MFA but only see one option at login
Solution:
Navigate to My Account → Security.
Verify that both MFA methods have been successfully configured, verified, and enabled.
If only one method is active, complete the setup process for the other method.
FAQs
Can I set up both email and authenticator app MFA at the same time?
Yes. You can set up both methods. During login, you will be able to choose which MFA method to use for that session.
What happens if I lose access to my authenticator app?
You can use one of your saved recovery codes to log in. After regaining access, navigate to My Account → Security to reconfigure your MFA method.
If you have also lost your recovery codes, please contact support for assistance.
Can I disable MFA after it has been set up?
Yes. Go to My Account → Security → Multi-Factor Authentication and use the available options to disable or change your MFA method.
How many recovery codes are provided?
A set of recovery codes is generated during MFA setup. The exact number is displayed on the recovery codes screen.
Each recovery code can only be used once.
Does MFA apply when logging in via Google or Facebook?
Yes. If MFA is enabled on your account, you will be required to complete MFA verification even when signing in through Google or Facebook (OAuth).
What is the cooldown period after 3 failed MFA attempts?
The account is temporarily locked after three consecutive incorrect MFA code entries.
The lockout duration is system-defined. Please wait for the cooldown period to expire before attempting to log in again.
Will I need to verify MFA on every login?
Yes. MFA verification is required for every new login session once MFA has been enabled on your account.
Can I use any authenticator app, or only Google/Microsoft Authenticator?
Any TOTP-compatible authenticator application can be used.
However, Google Authenticator and Microsoft Authenticator are recommended for reliability, compatibility, and ease of use.
Related Articles
Managing My Account, Password, Support
If you still have questions for our team, write to us at support@botpenguin.com. We'll get back to you within 48 hours.
Congratulations, you have successfully completed this section! Your account is now secured with Multi-Factor Authentication.