Skip to main content

MFA and Passkeys

Keeptrusts supports an authenticator app using time-based one-time passwords (TOTP) or a passkey as the account's current MFA method. Setup also produces one-time backup codes for recovery.

An account currently has one configured MFA method. To switch between TOTP and a passkey, disable the current method from Profile settings, then enroll the new one.

Choose a method

MethodGood fitRequirements
Authenticator appBroad device compatibility and offline one-time codesA TOTP-compatible app and correct device time
PasskeyPhishing-resistant device or hardware-key verificationBrowser/platform WebAuthn support and an available registered authenticator
Backup codeRecovery when the primary method is unavailableOne unused code stored securely

Backup codes are recovery credentials, not the normal login method.

Enroll an authenticator app

  1. Open Settings → Profile, find Two-factor authentication, and select Set up beside Authenticator app.
  2. Scan the QR code with the intended authenticator app.
  3. Enter the generated six-digit code to verify setup.
  4. Copy the backup codes before leaving the setup page.
  5. Store the codes outside the device that holds the authenticator.
  6. Sign out and complete a fresh login test.

Do not screenshot or paste the QR secret into shared systems.

If codes fail, verify the device's automatic time synchronization before restarting enrollment.

Enroll a passkey

  1. Use a browser and device that support passkeys.
  2. Open Settings → Profile, find Two-factor authentication, and select Set up beside Passkey.
  3. Complete the browser prompt with the intended device-backed credential or hardware security key.
  4. Save the displayed backup codes.
  5. Sign out and test passkey login.
  6. Test a backup code through the MFA challenge path.

The passkey can be used on the registered device or a nearby supported security key where the browser allows it. If the browser cannot complete passkey verification, use a stored backup code.

Save backup codes safely

Backup codes are one-time secrets:

  • store them in an approved password manager or protected offline location;
  • keep them separate from the primary authenticator;
  • do not put them in tickets, source control, or chat;
  • mark a used code as consumed; and
  • replace the MFA setup through the supported workflow when recovery material is exposed or exhausted.

Leaving the setup page without preserving the codes can make recovery harder.

Organization MFA policy

Open Settings → Organization and use MFA Policy to set the minimum enrollment requirement for administrators and members.

Before tightening the policy:

  1. Review the Members directory for current enrollment.
  2. Contact unenrolled owners and administrators first.
  3. Confirm help-desk identity verification and recovery ownership.
  4. Test both TOTP and passkey flows on representative supported devices.
  5. Save the policy during a monitored window.
  6. Verify login with an affected non-owner.
  7. Review Trail.

An enrollment requirement does not replace SSO assurance, role design, session review, or recovery controls.

Disable or switch MFA

Profile settings can disable the current MFA method. While disabled, the account relies on its remaining login controls until a new method is enrolled.

Use a monitored switch:

  1. Confirm an authenticated session and backup recovery path.
  2. Disable the existing method.
  3. Immediately enroll and verify the replacement.
  4. Save new backup codes.
  5. Complete a fresh sign-in.

Do not leave a privileged account without MFA longer than the supported switch requires.

Lost device or failed challenge

  1. Use one unused backup code.
  2. From the authenticated session, replace the MFA method.
  3. If no backup code is available, follow the organization's approved identity recovery process.
  4. Review active sessions, tokens, OAuth clients, and recent Trail events.
  5. Rotate other credentials when compromise is possible.

Support personnel should not ask a user to reveal an authenticator code, passkey private material, QR seed, or backup code in a ticket.

Next steps