MainBranch

Two-Factor Authentication

TOTP-based 2FA and backup codes for MainBranch accounts.

MainBranch supports two-factor authentication using a TOTP authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc.). Backup codes cover the case where you lose your phone.

How 2FA works in MainBranch

  1. You enable 2FA from your profile settings.
  2. You scan a QR code with an authenticator app, which generates a 6-digit code that rotates every 30 seconds.
  3. Each sign-in asks for your password and a current code.
  4. You're given a set of single-use backup codes for recovery.

For the step-by-step user flow, see Account → Two-Factor Authentication.

Enforcing 2FA across the workspace

Admins can require 2FA from Workspace → Authentication. Once enforced:

  • Members without 2FA are blocked from the workspace until they set it up.
  • The personal Disable 2FA button is greyed out with a note explaining the policy.
  • New members are prompted to set up 2FA during their first sign-in.

Compatible authenticator apps

Any app implementing TOTP (RFC 6238) works:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password
  • Bitwarden Authenticator
  • Duo Mobile (TOTP feature)
  • YubiKey Authenticator (with a YubiKey)

If you can't scan the QR code, use the manual setup key below it.
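Any RFC 6238 app is interchangeable because the manual setup key is just a base32 shared secret from which both sides derive the code for the current 30-second step. The sketch below is an added example, not MainBranch's own code: the sample key is the RFC 6238 test secret, HMAC-SHA1 is assumed (the default in most authenticator apps), and the one-step drift tolerance and replay check follow RFC 6238's recommendations rather than documented MainBranch behaviour.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test secret "12345678901234567890" in base32,
# typed the way a manual setup key is often shown (grouped, lowercase).
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

def decode_setup_key(setup_key: str) -> bytes:
    """Normalise a base32 setup key (spaces, case, padding) to raw key bytes."""
    cleaned = setup_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the number of steps since epoch."""
    return hotp(key, int(now) // step)

def verify(key, submitted, now, last_used_step=-1, window=1, step=30):
    """Return the matched time step, or None.

    Assumed policy (not documented MainBranch behaviour): accept +/- `window`
    steps for clock drift, and refuse any step <= last_used_step so a code that
    was already accepted cannot be replayed inside its validity period.
    """
    current = int(now) // step
    matched = None
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        expected = hotp(key, candidate).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            matched = candidate  # keep looping so every candidate is checked
    return matched

if __name__ == "__main__":
    key = decode_setup_key(SAMPLE_SETUP_KEY)
    code = totp(key, 59)                       # RFC 6238 test time T = 59 s
    step = verify(key, code, now=59)
    print(code, step, verify(key, code, now=75, last_used_step=step))
```

A verifier using this pattern stores the returned step per account and passes it back as `last_used_step` on the next sign-in.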

Backup codes

When you enable 2FA you get 10–12 single-use backup codes. Treat them like passwords:

  • Store them in a password manager.
  • Don't share them.
  • Each one only works once. After spending one, cross it off.

When you're running low, regenerate from the same tab. Regenerating invalidates the old codes.

Recovering access

If you lose your phone and your backup codes:

  • Try recovery on the device you used to set up 2FA (Authy and 1Password sync across devices, for example).
  • If that fails, contact your workspace admin. They can reset 2FA after verifying your identity through your organization's normal process.

What 2FA protects

  • Sign-in to MainBranch.
  • Certain sensitive operations may also re-prompt, depending on workspace policy.

It doesn't protect against compromise of the authenticator app itself — keep the authenticator device locked.
