Two-factor authentication — mandatory TOTP

Two-factor authentication is mandatory on Klaxel: every user sets up a time-based authenticator code (TOTP) before they can reach the dashboard, and every session must clear it. Enrollment issues a batch of single-use backup codes for when the phone isn't to hand, and Owners and Admins can reset a teammate's two-factor if they lose their device — after which that person simply sets it up again on their next sign-in.

There's no opt-out. The first time a user signs in without two-factor set up, Klaxel takes them to an enrollment step: scan a QR code with any standard authenticator app — Google Authenticator, 1Password, Authy, and the like — and confirm the first six-digit code. From then on, every sign-in is challenged for the current code. The verification tolerates a little clock drift between phone and server but never accepts a code twice, so a code that's already been used can't be replayed.

At enrollment you're shown a set of ten single-use backup codes. Each one gets you past the two-factor challenge exactly once — for the day your phone is dead or lost — and is then spent. Save them somewhere safe; they're shown once and only their hashes are stored, so Klaxel can't show them to you again. You can regenerate a fresh set at any time from Dashboard → Security, which replaces the old batch.

Set up your authenticator

  1. On first sign-in, Klaxel opens the two-factor setup step automatically — you can't skip it.
  2. Scan the QR code with your authenticator app (Google Authenticator, 1Password, Authy, or any TOTP app).
  3. Enter the six-digit code the app shows to confirm the pairing.
  4. Save the ten backup codes you're given — each works once, for when you don't have your phone.
  5. You're done. Every future sign-in asks for the current code from your app.
Note

Lost your device? An Owner or Admin can reset it. On Dashboard → Security, the Team two-factor list lets a privileged member reset any other member's two-factor; that person is then required to set it up fresh on their very next sign-in, which takes effect immediately. (The Owner's own factor isn't resettable from this list.)

Tip

Regenerate your backup codes if you've used some or think they've leaked. Dashboard → Security → regenerate issues a brand-new set of ten and invalidates the previous batch, so old codes stop working the moment you generate new ones.

Note

Single sign-on counts when it's strong. If you sign in with Microsoft or Google and the provider asserted a strong second factor, that satisfies Klaxel's two-factor for the session; if it didn't, Klaxel has you set up its own authenticator code. Either way, every session clears real two-factor.

Frequently asked questions

Is two-factor authentication optional?

No — it's mandatory for every user. You set up an authenticator (TOTP) code before you can reach the dashboard, and every sign-in is challenged for it. There's no way to turn it off for an account.

Which authenticator apps work?

Any standard time-based one-time-password (TOTP) app — Google Authenticator, 1Password, Authy, Microsoft Authenticator, and others. You scan the QR code shown at enrollment and confirm the first six-digit code to pair.

What are backup codes and how many do I get?

Ten single-use recovery codes, issued when you enroll, for signing in when you don't have your phone. Each works exactly once. They're shown only at generation (only hashes are stored), so save them — and you can regenerate a fresh set of ten from Dashboard → Security at any time, which invalidates the old ones.

A teammate lost their phone — how do we get them back in?

An Owner or Admin resets their two-factor from Dashboard → Security (the Team two-factor list). The reset takes effect immediately, and that person is prompted to set up a new authenticator on their next sign-in. The Owner's own factor can't be reset from that list.

If I use SSO, do I still need an authenticator code?

Only if your provider didn't already prove a strong second factor. A strong factor from Microsoft or Google satisfies Klaxel's two-factor for that session; a weak one (like a bare email code) doesn't, so Klaxel then has you set up its own authenticator. Every session ends up clearing genuine two-factor.

Put this to work across your whole client list.

Daily monitoring and alerts for every domain you manage — from $99/mo, 14-day free trial.

Two-factor authentication — mandatory TOTP — Klaxel