Two-Factor Authentication
Overview
What is 2FA?
Two-Factor Authentication (2FA) adds an extra layer of security to your account. After you complete the first step of sign-in, you must provide a second verification—such as a code from an authenticator app—before you can access your workspace. This helps protect your account even if your password or sign-in method is compromised.
Why it is recommended
Enabling 2FA is strongly recommended. It reduces the risk of unauthorized access if your password is leaked or guessed, and it helps protect sensitive workspace data and API keys. When your workspace requires 2FA, you must have it enabled to create and view API keys.
Supported method: Authenticator App (TOTP)
Synthflow supports Time-based One-Time Password (TOTP) via an authenticator app. You can use any compatible app, such as Google Authenticator, Authy, Microsoft Authenticator, or other TOTP-compatible apps.
How to activate 2FA
You can enable 2FA in Settings → Log in credentials. Follow these steps:
1. If you sign in with email and password, enter your account password when prompted to authenticate. If you sign in with Google, you do not need to provide a password.
2. Scan the QR code with your authenticator app (or enter the setup key manually if your app supports it), then enter the 6-digit code from the app.
3. Save your backup codes in a secure place (see Backup Codes below).
After 2FA is enabled, you will be prompted for your 2FA code each time you sign in.
Backup Codes
When recovery codes are generated
Recovery codes are generated once during 2FA setup. They allow you to sign in when you do not have access to your authenticator app (e.g., lost phone or new device).
Storing recovery codes securely
Save your recovery codes in a secure place (e.g., password manager or secure note). Do not share them or store them in plain text in email or cloud storage. You may not be able to view them again after the initial setup, so store them at setup time.
One-time use
Each recovery code can only be used once. After you use a code to sign in, that code is invalid. Use another code or your authenticator app for future sign-ins.
How to sign in with a recovery code
When prompted for your 2FA code at sign-in, choose the option to use a recovery code (or “Use a backup code”), enter one of your recovery codes exactly as shown, then complete sign-in. Remember that this code cannot be used again.
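For readers who want to see what sits behind the 6-digit code and the one-time recovery codes, the following is an added illustration, not Synthflow's implementation. It assumes the common RFC 6238 defaults (HMAC-SHA-1, 30-second step, 6 digits), which this page does not confirm; the class name, the sample key (the RFC 6238 test secret) and the recovery codes are constructed for the example.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample: base32 of the RFC 6238 test secret "12345678901234567890".
SAMPLE_SETUP_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(setup_key, at=None, step=30, digits=6):
    """Return the RFC 6238 code for a base32 setup key at Unix time `at`."""
    k = setup_key.replace(" ", "").upper()
    key = base64.b32decode(k + "=" * (-len(k) % 8))      # restore stripped padding
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class SecondFactor:
    """Hypothetical server-side check: TOTP with drift window, single-use recovery codes."""

    def __init__(self, setup_key, recovery_codes):
        self.setup_key = setup_key
        # A real service would store only hashes of these codes.
        self.unused_recovery = set(recovery_codes)
        self.last_counter = -1                            # highest time step already accepted

    def check_totp(self, code, at=None, step=30, window=1):
        now = int(time.time() if at is None else at)
        for drift in range(-window, window + 1):          # tolerate small clock skew
            t = now + drift * step
            counter = t // step
            if counter <= self.last_counter:              # never accept a step twice (replay)
                continue
            if hmac.compare_digest(totp(self.setup_key, t, step).encode(), code.encode()):
                self.last_counter = counter
                return True
        return False

    def check_recovery(self, code):
        match = next((c for c in self.unused_recovery
                      if hmac.compare_digest(c.encode(), code.encode())), None)
        if match is None:
            return False
        self.unused_recovery.remove(match)                # one-time use: invalidate on success
        return True
```

Because the code depends only on the setup key and the current time, anyone who obtains the setup key or an unused recovery code can pass the second step, which is why both need the same protection as a password.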
Enforcing 2FA for your team
In Settings → Security, workspace admins can make 2FA mandatory for their team. If 2FA is required for the workspace, the next time a user logs in they will be required to enable 2FA before they can continue.