Two-Factor Authentication
Overview
What is 2FA?
Two-Factor Authentication (2FA) adds an extra layer of security to your account. After entering your password, you must provide a second verification—such as a code from an authenticator app—before you can sign in. This helps protect your account even if your password is compromised.
Why it is recommended
Enabling 2FA is strongly recommended because it:
- Reduces the risk of unauthorized access if your password is leaked or guessed
- Helps protect sensitive workspace data and API keys
- Is required to create and view API keys (see API Keys & Security Requirements below)
Supported method: Authenticator App (TOTP)
Synthflow supports Time-based One-Time Password (TOTP) via an authenticator app. You can use any compatible app, such as:
- Google Authenticator
- Authy
- Microsoft Authenticator
- Other TOTP-compatible apps
Enabling 2FA (Email/Password Users)
If you sign in with email and password, you can enable 2FA from your workspace security settings. Follow these steps:
- Go to Workspace → Settings → Security and choose the option to enable 2FA.
- Scan the QR code with your authenticator app, or enter the setup key manually if your app supports it.
- Enter the code your authenticator app now displays to confirm that the app was set up correctly.
- After the code is accepted, you will see a confirmation that 2FA is enabled. You will also receive recovery codes; store these securely (see Backup / Recovery Codes below).
Backup / Recovery Codes
When recovery codes are generated
Recovery codes are generated once during 2FA setup. They allow you to sign in when you do not have access to your authenticator app (e.g., lost phone or new device).
Storing recovery codes securely
- Save your recovery codes in a secure place (e.g., password manager or secure note).
- Do not share them or store them in plain text in email or cloud storage.
- You may not be able to view them again after the initial setup, so store them at setup time.
One-time use
Each recovery code can only be used once. After you use a code to sign in, that code is invalid. Use another code or your authenticator app for future sign-ins.
How to sign in with a recovery code
When prompted for your 2FA code at sign-in:
- Choose the option to use a recovery code (or “Use a backup code”).
- Enter one of your recovery codes exactly as shown.
- Complete sign-in. Remember that this code cannot be used again.
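As an added example of the recovery-code behaviour described above (not Synthflow's own code), the block below issues a set of codes at setup time, keeps only their hashes on the server side, which is why the plaintext cannot be shown again later, and accepts each code exactly once. The number of codes, their length and format, and the use of SHA-256 are assumptions.

```python
"""Added example (not Synthflow's code): issuing and redeeming one-time
recovery codes, storing only hashes so they can be shown exactly once."""
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # codes per set (assumed)
CODE_BYTES = 8    # 64 bits of entropy per code (assumed)


def normalise(code: str) -> str:
    """Accept the code however the user typed it: any case, with or without
    the separators it was displayed with."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def code_hash(code: str) -> bytes:
    """Only this digest is stored; the plaintext exists only at issue time."""
    return hashlib.sha256(normalise(code).encode()).digest()


def format_code(raw_hex: str) -> str:
    """Display form: groups of four separated by dashes, e.g. 1a2b-3c4d-5e6f-7a8b."""
    return "-".join(raw_hex[i:i + 4] for i in range(0, len(raw_hex), 4))


class RecoveryCodes:
    """Per-user recovery-code store. `issue()` returns plaintext once and
    replaces any previous set; `redeem()` consumes a code or rejects it."""

    def __init__(self):
        self.hashes = []

    def issue(self):
        codes = [format_code(secrets.token_hex(CODE_BYTES)) for _ in range(CODE_COUNT)]
        self.hashes = [code_hash(c) for c in codes]   # old set is invalidated
        return codes                                  # shown to the user once

    def redeem(self, code: str) -> bool:
        digest = code_hash(code)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, digest):   # constant-time comparison
                del self.hashes[i]                    # one-time use
                return True
        return False

    def remaining(self) -> int:
        return len(self.hashes)


if __name__ == "__main__":
    # Constructed demo, not real account data.
    store = RecoveryCodes()
    codes = store.issue()
    print("issued:", codes)
    print("first use:", store.redeem(codes[0]))
    print("second use of same code:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

Because each code is used once and the server holds only digests, a leaked database does not directly yield usable codes; with 64 bits of entropy per code the hashes are also not practically brute-forceable. Attempts at `redeem()` should still be rate limited and logged like any other login failure.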
Google Sign-In and Security
If you sign in via Google (SSO), your authentication is handled by Google. The following applies:
- You do not configure app-level 2FA in Synthflow for this account. Authentication security is managed by Google (e.g., Google’s 2FA or security checks).
- In Synthflow, the Security page will show “Authentication managed by Google Sign-In”.
- Local enable/disable 2FA options are not available for Google Sign-In users, because sign-in and security are controlled by your Google account.
To strengthen security when using Google, enable two-step verification or other security features in your Google Account settings.
Subaccount Users
Subaccount users can enable and use 2FA in the same way as primary (main account) users:
- The flow is identical: go to Workspace → Settings → Security and follow the same steps to enable 2FA and manage recovery codes.
- Each user (including subaccount users) manages their own 2FA and recovery codes for their login.
API Keys & Security Requirements
To protect API keys, the following rules apply:
- Creating API keys: You cannot create new API keys unless 2FA is enabled on your account. Enable 2FA first in Settings → Security, then create API keys.
- Viewing API keys: You cannot view existing API keys (including previously created keys) unless 2FA is enabled. If 2FA is not enabled, you will be prompted to enable it before you can see any API key values.
These requirements help ensure that only users with 2FA can create or access API keys, reducing the risk of key theft or misuse.