Account & Security
Account security and two-factor authentication
Hopscotch supports two-factor authentication (2FA) to add another layer of protection to your account and your team's workspace.
What two-factor authentication does
When 2FA is enabled, you sign in with your password and then enter a 6-digit code from an authenticator app. Hopscotch works with common authenticator apps such as Google Authenticator, Authy, and 1Password.
You will also receive backup codes during setup. Backup codes let you sign in if you lose access to your authenticator app.
Save your backup codes
Each backup code can only be used once. Store them somewhere safe, such as a password manager. Hopscotch only shows backup codes when they are created or regenerated.
Enable two-factor authentication for your account
- Sign in to Hopscotch.
- Go to Security settings.
- In the Two-Factor Authentication section, click Enable.
- Scan the QR code with your authenticator app. If you cannot scan the QR code, copy the manual setup code into your app.
- Enter the 6-digit verification code from your authenticator app.
- Save or download your backup codes before closing the setup screen.
After setup, the Security settings page shows when 2FA was enabled and how many backup codes remain.
Sign in with two-factor authentication
After entering your email and password, Hopscotch will ask for your second factor. Enter the current 6-digit code from your authenticator app.
If you do not have access to your authenticator app, choose the backup-code option and enter one of your saved backup codes. Backup codes are formatted like ABCD-1234-EFGH; each code stops working after it is used.
If a verification challenge expires, sign in again with your email and password to start a new challenge.
Regenerate backup codes
Regenerate backup codes if you are running low, if you used a code, or if you think your saved codes may have been exposed.
- Go to Security settings.
- In the Backup Codes row, click Regenerate.
- Enter your password and a current authenticator-app code.
- Save the new backup codes.
Important
Regenerating backup codes replaces your old backup codes. For this action, Hopscotch requires an authenticator-app code; backup codes cannot be used to generate a new set.
Disable two-factor authentication
You can disable 2FA from Security settings. Hopscotch will ask for your password and either a current authenticator-app code or a valid backup code before disabling 2FA.
If your organization requires 2FA, you may be prompted to set it up again before you can continue using the workspace.
Require two-factor authentication for your organization
Owners and admins can require every member of the current organization to use 2FA.
- First, enable 2FA on your own account.
- Go to Security settings.
- In Organization MFA Policy, enable Require MFA for all members.
Once enabled, members who have not set up 2FA will be prompted to complete setup the next time they sign in or access the workspace. Newly invited members will also be told that the team requires 2FA before they join.
The policy section shows team compliance, including how many members have 2FA enabled and which members still need to set it up.
You must have 2FA enabled on your own account before you can require it for the organization.
Check member MFA status
Owners and admins can review MFA status from Team settings. The team list shows whether each active member has MFA enabled.
Pending invitations do not have an MFA status until the invited user accepts the invite and creates or connects an account.
Reset MFA for a team member
Owners and admins can reset MFA for another member when that person loses access to their authenticator app and backup codes.
- Go to Team settings.
- Find the member whose MFA should be reset.
- Click Reset MFA and confirm the action.
After MFA is reset, the member's authenticator secret and backup codes are cleared. If your organization requires MFA, the member will need to set up 2FA again before continuing in the workspace.
Admins can reset MFA for non-owner members. Only owners can reset MFA for another owner. You cannot reset your own MFA from the team page; use the disable option in Security settings instead.
If you lose access to your second factor
Try these options in order:
- Use a saved backup code on the 2FA verification screen.
- Ask an owner or admin in your organization to reset your MFA from Team settings.
- If you are the only owner or cannot reach an admin, contact Hopscotch support for help recovering access.