Appearance
Multi-Factor Authentication
Multi-factor authentication (MFA) adds a second verification step on top of your password. The Console supports four MFA methods. You can enrol in more than one — the more methods you have, the easier it is to recover if you lose access to a device.
Manage MFA from the Multi-Factor Authentication section of your Account page.
Available methods
| Method | What it is | When to use |
|---|---|---|
| Authenticator App (TOTP) | A 6-digit code refreshed every 30 seconds, generated by an app such as Google Authenticator, Microsoft Authenticator, or 1Password. | Best balance of security and convenience. Works offline. Recommended default. |
| Email OTP | A one-time code emailed to you. | Fallback when you do not have a phone. |
| SMS OTP | A one-time code sent to your verified phone number. | Available if your organisation enables it; less secure than TOTP. |
| Passkey / Security Key | A WebAuthn credential bound to a device or hardware key. | Strongest option. Phishing-resistant. |
Your organisation chooses which of these are allowed. If a method is not listed in your Account page, your customer's admin has not enabled it.
Enrolling an Authenticator App (TOTP)
- Click Set up Authenticator App.
- A modal appears with a QR code and a manual secret string.
- Open your authenticator app and either scan the QR code or paste the secret.
- The app starts generating 6-digit codes.
- Enter the current code into the verification field and click Verify.
- The method is now active and shows in your enabled list.
Enabling Email OTP
- Click Enable Email OTP.
- A test code is sent to your verified email.
- Enter the code to confirm receipt.
- Email OTP is enabled.
Adding a Passkey
- Click Add Passkey.
- You will be sent an email with a setup link.
- Open the link on the device or hardware key you want to enrol.
- Follow the system prompt to create the passkey.
- The passkey is registered against your account.
Passkeys are managed by the operating system or browser, not the Console. If you lose the device, remove the passkey here and enrol a new one.
Removing a method
Click the Remove button next to the method. A confirmation modal warns you about losing access. If this is your only method and your organisation enforces MFA, the Console will block removal — add a replacement first.
Recovering if you lose access
If you cannot sign in because all of your MFA devices are lost:
- Contact your customer admin (for customer users) or an Exto operator (for internal users).
- They can reset your MFA setup from the user detail page. You will be prompted to enrol again on your next sign-in.
There is no self-service recovery — this is intentional. Account recovery requires a human in the loop.
MFA enforcement
Customer admins can configure whether MFA is required or optional for users in their organisation. Settings live in the Customer Portal under Settings → Security. If MFA is required and you have not enrolled yet, the Console will guide you through it on first sign-in.

