Two-Factor Authentication¶
Two-factor authentication (2FA) adds a second verification step when you sign in. Even if someone gets hold of your password, they still need your authenticator app or a recovery code to access your account.
Doable uses TOTP (time-based one-time passwords), the same standard used by Google Authenticator, Authy, and 1Password. 2FA is optional for individual accounts; a platform admin can also reset 2FA for a locked-out user.
Enable two-factor auth¶
- Open Account → Security from your profile menu (top-right avatar).
- Click Enable 2FA.
- Scan the QR code with your authenticator app. If you can't scan, copy the secret key shown below the QR and enter it manually.
- Enter the 6-digit code your app shows, then click Verify.
Once verified, Doable immediately shows your recovery codes; see the next section.
Compatible apps: Google Authenticator, Authy, 1Password, Microsoft Authenticator, Bitwarden, or any TOTP-compatible app.
Save your recovery codes¶
Save these now: they will not be shown again
After enabling 2FA, Doable generates 10 recovery codes. Each code can be used once in place of your authenticator code. They are stored as one-way hashes; Doable cannot show them to you again.
- Save them in a password manager (recommended).
- Print them and keep them somewhere safe.
- Do not store them alongside the password itself (for example in the same note, document or email); anyone who finds both can bypass 2FA entirely.
If you run low or want fresh codes, go to Account → Security → Regenerate recovery codes. You'll need your current password and a valid 2FA code. Regenerating invalidates all previous codes.
Sign in with 2FA¶
With 2FA enabled, sign-in gains one extra step:
- Enter your email and password as usual.
- Doable shows a second prompt: Enter your authenticator code.
- Open your authenticator app and enter the 6-digit code for Doable. Codes change every 30 seconds (the TOTP default); if a code is rejected, wait for the next one and check that your device's clock is set automatically.
Using a recovery code instead: if your authenticator device is unavailable, type one of your saved recovery codes into the same code field. It is accepted in place of the TOTP code and marked used immediately; each recovery code works only once.
After sign-in with a recovery code, Doable shows how many unused codes remain. If you're running low, regenerate them from Account → Security.
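How the enrollment, recovery-code and sign-in steps above fit together, as an added Python model that is not Doable's own code. It assumes the usual TOTP parameters (30-second steps, SHA-1, six digits) plus a one-step tolerance window, and it assumes recovery codes are random 16-hex-character values stored as SHA-256 hashes; Doable's actual code length, hash and window are not stated on this page. The RFC 6238 test secret is included so the TOTP arithmetic can be checked against the published vectors, and the account name in the demo is constructed.

```python
"""Added model of the 2FA flow on this page (not Doable's own code): TOTP
enrollment, single-use recovery codes kept only as one-way hashes, and a
sign-in prompt that accepts either. Parameters are assumptions, see comments."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional

STEP = 30      # assumed: 30-second time step (RFC 6238 default)
DIGITS = 6     # the page says codes are 6 digits
WINDOW = 1     # assumed: also accept the previous/next step for clock drift

# Published RFC 6238 test secret ("12345678901234567890"), for checking totp().
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret() -> str:
    """Random 160-bit TOTP secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def otpauth_uri(secret: str, account: str, issuer: str = "Doable") -> str:
    """The otpauth:// URI that an enrollment QR code encodes."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret, "issuer": issuer,
                                    "algorithm": "SHA1", "digits": DIGITS,
                                    "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def totp(secret: str, counter: int) -> str:
    """HOTP (RFC 4226) for one counter; TOTP is HOTP with counter = time // STEP."""
    key = base64.b32decode(secret)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TwoFactorAccount:
    """Server-side 2FA state for one user."""

    def __init__(self, secret: str):
        self.secret = secret
        self.last_step = -1            # last accepted time step, blocks replays
        self.recovery_hashes = set()   # one-way hashes only; plaintext never kept

    @staticmethod
    def _hash(code: str) -> str:
        # Assumed scheme: codes are random 64-bit values, so unsalted SHA-256 is
        # enough; a slow password hash would be the stricter choice.
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def generate_recovery_codes(self, n: int = 10) -> list:
        """Return n fresh plaintext codes exactly once and store only their hashes.
        Calling this again invalidates every previously issued code."""
        codes = [secrets.token_hex(8) for _ in range(n)]
        self.recovery_hashes = {self._hash(c) for c in codes}
        return codes

    def verify_totp(self, code: str, now: Optional[float] = None) -> bool:
        """Accept a code for the current step or its neighbours, each step once."""
        step = int((time.time() if now is None else now) // STEP)
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_step:
                continue               # already consumed (replay) or too old
            if hmac.compare_digest(totp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False

    def verify_recovery_code(self, code: str) -> bool:
        """A recovery code works once: its hash is deleted the moment it matches."""
        digest = self._hash(code)
        match = next((h for h in self.recovery_hashes
                      if hmac.compare_digest(h, digest)), None)
        if match is None:
            return False
        self.recovery_hashes.discard(match)
        return True

    def verify_second_factor(self, code: str, now: Optional[float] = None) -> bool:
        """The single prompt accepts either a 6-digit TOTP or a recovery code."""
        code = code.strip()
        if len(code) == DIGITS and code.isdigit():
            return self.verify_totp(code, now)
        return self.verify_recovery_code(code)

    def recovery_codes_remaining(self) -> int:
        return len(self.recovery_hashes)


if __name__ == "__main__":
    acct = TwoFactorAccount(new_secret())
    print(otpauth_uri(acct.secret, "alice@example.com"))   # constructed sample account
    t = 1_700_000_000
    print(acct.verify_totp(totp(acct.secret, t // STEP), now=t))   # True: enrollment check
    print(acct.verify_totp(totp(acct.secret, t // STEP), now=t))   # False: replay
    codes = acct.generate_recovery_codes()
    print(acct.verify_second_factor(codes[0]), acct.recovery_codes_remaining())  # True 9
    print(acct.verify_second_factor(codes[0]))                    # False: already used
```

Two details matter beyond the page's description: the server remembers the last accepted time step so a code captured in transit cannot be replayed within its validity window, and all comparisons use `hmac.compare_digest` so a wrong guess takes the same time as a near-miss.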
Disable 2FA¶
- Go to Account → Security.
- Click Disable 2FA.
- Enter your current password and a valid authenticator code (or a recovery code).
- Confirm.
Disabling 2FA signs out all other active sessions so they must re-authenticate.
Lost your device¶
If you no longer have access to your authenticator app:
- On the sign-in screen, enter your email and password.
- When prompted for a code, enter one of your recovery codes.
- Sign in, then go to Account → Security to disable 2FA and re-enable it with your new device.
If you have also lost all recovery codes, contact a platform admin; see below.
For platform admins¶
Admin reset path
A platform admin can force-reset 2FA for any user from the admin dashboard under Admin → Users → (select user) → Reset MFA. This clears all factors and recovery codes for that user and signs out their existing sessions. The action is recorded in the audit log. The user must re-enroll 2FA on their next sign-in.
Use this only when a user has lost both their device and all recovery codes and cannot recover access on their own.
For other admin tasks, see the Security Model.