Account & Security
Set up two-factor authentication (2FA)
Add a TOTP app or use email-OTP as a fallback for sign-in.
Last updated 2026-04-26
ClientFlow supports two factors for account protection: TOTP via any authenticator app, and email-OTP as a fallback for users without their password manager.
Enable TOTP
- Go to Settings → Security → Two-Factor Authentication.
- Click Enable 2FA. We'll show a QR code.
- Open your authenticator app (Authy, 1Password, Google Authenticator, etc.) and scan the QR code. The app will start generating six-digit codes that rotate every 30 seconds.
- Enter the current code to confirm setup.
- Save your backup codes. These are 10 single-use codes that let you sign in if you lose access to your authenticator. Print them or store them in a password manager. We don't keep a recoverable copy.
After you enable 2FA, the sign-in flow becomes: email + password → 6-digit code.
Email-OTP fallback
If you've forgotten your password and don't want to wait for a reset email, use the email-OTP path:
- From the sign-in page, click "Email me a sign-in code".
- Enter your email address.
- Check your inbox for a 6-digit code (expires in 10 minutes).
- Enter the code.
Email-OTP works whether or not you have 2FA enabled. With 2FA enabled, you'll still need to enter your TOTP code after the email-OTP step.
Regenerating backup codes
If you've used up your backup codes or lost them, regenerate them from Settings → Security → Backup Codes. The old codes are invalidated immediately.
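The backup-code properties described on this page (10 single-use codes, no recoverable copy, old codes invalidated on regeneration) follow from storing only salted hashes of the codes. The Python below is an added example, not ClientFlow's code; the class name, code format, alphabet and PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10    # from the page: 10 single-use codes
CODE_LENGTH = 10   # assumption: characters per code
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumption: no look-alike characters


class BackupCodeStore:
    """Hypothetical per-account store that keeps salted hashes, never the codes."""

    def __init__(self) -> None:
        self._salt = b""
        self._hashes: set[bytes] = set()

    def _digest(self, code: str) -> bytes:
        # Normalize what the user typed: drop the display hyphen, ignore case.
        normalized = code.replace("-", "").strip().lower().encode()
        return hashlib.pbkdf2_hmac("sha256", normalized, self._salt, 100_000)

    def regenerate(self) -> list[str]:
        """Replace the whole set; codes from an earlier set stop working at once."""
        self._salt = secrets.token_bytes(16)
        raw = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
               for _ in range(CODE_COUNT)]
        self._hashes = {self._digest(code) for code in raw}
        # Plaintext is returned for one-time display and is not retained.
        return [f"{code[:5]}-{code[5:]}" for code in raw]

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once: a match is deleted before returning."""
        candidate = self._digest(submitted)
        match = next((h for h in self._hashes
                      if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._hashes.remove(match)
        return True

    def remaining(self) -> int:
        return len(self._hashes)
```

Because only hashes are stored, a lost set cannot be shown again, which is why regeneration is the only recovery path.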
Recommended for organization owners
If you're an owner or admin, enable 2FA. Compromise of an owner account would let an attacker delete the entire workspace.