Two-factor authentication (2FA)
Two-factor authentication adds a second check at sign-in: a short-lived code from an authenticator app on your phone, on top of your password. If your password is leaked or guessed, an attacker still can't sign in without that code. We recommend it for everyone, and we strongly recommend it for organisation admins.
MindWeaveBoard uses TOTP (time-based one-time passwords, RFC 6238): the standard "rolling 6-digit code" pattern that works with Google Authenticator, 1Password, Authy, Microsoft Authenticator, and any other compatible app. A TOTP code only proves you hold the secret at that moment; it does not protect you if you type the code into a fake sign-in page, so keep checking the address bar before entering it.
Setting it up
Setup takes about 90 seconds.
- Sign in to MindWeaveBoard.
- Go to Settings → Security.
- Click Set up two-factor authentication.
- A QR code appears. Scan it with your authenticator app (Google Authenticator / 1Password / Authy / etc.).
- If you can't scan, copy the manual entry key shown next to the QR code and paste it into your authenticator app. The QR code and the manual entry key carry the same secret, so either method gives the same codes.
- Your authenticator app starts showing a 6-digit code that refreshes every 30 seconds.
- Type the current code into the Verify field and click Confirm.
You'll then see eight recovery codes. Save them somewhere safe; a password manager is the best place. They're shown exactly once: we keep only hashes of them, so we can't display them again later.
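How the rolling code in the steps above is produced and checked, as an added example and not MindWeaveBoard's own code: the manual entry key is base32-decoded to the shared secret, the current 30-second step number is HMAC-SHA1'd and truncated to 6 digits (RFC 4226 / RFC 6238), and a server accepts the code for the current step plus one step either side to absorb clock drift, but never the same step twice. The key GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ is the RFC 6238 test secret, not a real account key; the one-step window, the replay rule and the `TotpVerifier` class are assumptions about how a verifier should behave, not a description of MindWeaveBoard's settings.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # code lifetime, as shown in the authenticator app
DIGITS = 6
WINDOW = 1          # also accept the previous and next step (assumed server tolerance)


def decode_manual_key(key: str) -> bytes:
    """Turn the base32 manual entry key shown beside the QR code into the raw secret.
    Apps display it with spaces and usually without '=' padding; both are fixed here."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step number.
    This is what the phone computes; the server computes the same thing."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, at: int,
                window: int = WINDOW) -> Optional[int]:
    """Return the step number that `submitted` matches within +/- `window` steps of
    the time `at`, or None. compare_digest keeps the comparison constant-time."""
    submitted = submitted.strip().replace(" ", "")
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current = at // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class TotpVerifier:
    """Per-account server state (hypothetical class). RFC 6238 section 5.2: never
    accept a code for a step at or before the last step already used, so a code that
    was shoulder-surfed or phished cannot be replayed inside its 30-second life."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_counter = -1

    def check(self, submitted: str, at: Optional[int] = None) -> bool:
        at = int(time.time()) if at is None else at
        counter = verify_totp(self.secret, submitted, at)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # RFC 6238 test secret, written the way an authenticator app would display it.
    demo_key = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
    secret = decode_manual_key(demo_key)
    print("code right now:", totp(secret, int(time.time())))
```

Because the phone and the server each derive the code from the same secret and the same clock, a phone whose clock has drifted by more than the window will produce codes the server rejects; that is why a rejected code is usually a clock problem, not a lost secret.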
Why recovery codes matter
If you lose your phone, your authenticator app, or both, recovery codes are your backup way in. Each code works once. Using a recovery code does not disable 2FA — it just gets you signed in long enough to set up a new authenticator on a replacement device.
If you don't save your recovery codes and you lose your phone, the only path back to your account is a manual identity verification with our team. It's slow, and for free-tier accounts we can't guarantee it will succeed.
Signing in with 2FA enabled
Once 2FA is on, the sign-in flow is:
- Enter your email and password.
- The page asks for your 6-digit authenticator code.
- Type the current code from your authenticator app.
That's it. Codes change every 30 seconds, so type the one currently displayed; if you mistype it, the form lets you try again. If your codes are consistently rejected, check that your phone's clock is set automatically: TOTP only works when your phone and our servers agree on the time.
If you don't have your phone, click Use recovery code on the verification screen. Paste a recovery code (two 5-character groups separated by a dash, like ABCDE-12345). It signs you in once and that code is then spent; 2FA itself stays enabled.
Confirming you saved the codes
After your first sign-in with 2FA, Settings → Security shows a small reminder until you check the I've saved my recovery codes somewhere safe box. The reminder is non-blocking — you can keep using the app — but please don't dismiss it without actually saving the codes. The point of the codes is that they exist before you need them.
Disabling 2FA
If you need to turn 2FA off (for example, you're moving to a new phone and want to start over with a fresh secret):
- Go to Settings → Security.
- Click Disable two-factor authentication.
- Enter your password AND a current 6-digit code from your authenticator.
- Click Confirm.
Both the password and a current code are required so that someone who has only your password, or only an unlocked session, can't remove the protection. Disabling 2FA deletes the secret on our side and invalidates your remaining recovery codes; the entry in your authenticator app stops working and can be deleted. To turn it back on, run Setup again: you'll get a fresh QR code and a new set of recovery codes.
What's stored where
- Your TOTP secret is stored encrypted at rest (AES-256-GCM). TOTP is a shared-secret scheme, so our servers have to decrypt it to verify each code; nothing else reads it.
- Recovery codes are stored as bcrypt hashes, like passwords. We can't read them back; we can only check a code you submit against its hash. (This is why we can't recover them for you if you lose them.)
- We never log codes or recovery codes. Audit-log entries record only success/failure and which method was used (password, 2fa, or recovery).
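The recovery-code lifecycle described in this section and under "Signing in with 2FA enabled", as an added example rather than the service's code: eight codes in the ABCDE-12345 shape, stored only as salted slow hashes, each redeemable exactly once, with an audit entry that records the method and outcome but never the code, and a clear-out that mirrors what disabling 2FA does. Assumptions: the page says bcrypt, which is not in Python's standard library, so hashlib.scrypt stands in as the slow, salted hash, with a deliberately small work factor so the example runs quickly; the code alphabet (letters and digits without 0/O/1/I/L) and the `RecoveryCodeStore` class and its method names are mine.

```python
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, List

# Characters a user can read back from a printout without ambiguity. The article
# only shows the shape ABCDE-12345; this alphabet is an assumption.
ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in "01IOL")
CODE_COUNT = 8          # the article shows eight codes
GROUP = 5               # two 5-character groups, separated by a dash

# scrypt stands in for bcrypt here. N is kept low so the example runs in well under
# a second; a real service would use a much higher work factor.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1


def generate_recovery_codes(count: int = CODE_COUNT) -> List[str]:
    """Return `count` fresh codes shaped like ABCDE-12345, drawn from a CSPRNG."""
    def group() -> str:
        return "".join(secrets.choice(ALPHABET) for _ in range(GROUP))
    return [f"{group()}-{group()}" for _ in range(count)]


def normalize(code: str) -> str:
    """Accept what people actually paste: lowercase, stray spaces, a missing dash."""
    return code.strip().upper().replace(" ", "").replace("-", "")


def hash_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash of the normalized code; only this is ever stored."""
    return hashlib.scrypt(normalize(code).encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class RecoveryCodeStore:
    """Server-side state for one account's recovery codes (hypothetical class).
    It holds no TOTP state: redeeming a code does not touch the authenticator setup."""

    def __init__(self, codes: List[str]) -> None:
        # Each entry keeps a salt, the hash and a used flag; the code itself is gone.
        self._entries: List[Dict] = []
        for code in codes:
            salt = os.urandom(16)
            self._entries.append({"salt": salt, "hash": hash_code(code, salt), "used": False})
        self.audit_log: List[Dict[str, str]] = []

    def _audit(self, result: str) -> None:
        # Only the method and the outcome are recorded, never the submitted code.
        self.audit_log.append({"method": "recovery", "result": result})

    def redeem(self, submitted: str) -> bool:
        """True exactly once per code. With a salt per code every stored hash has to
        be recomputed, so a wrong guess costs as much as eight slow hashes."""
        for entry in self._entries:
            if hmac.compare_digest(hash_code(submitted, entry["salt"]), entry["hash"]):
                if entry["used"]:
                    self._audit("failure")   # replay of an already-spent code
                    return False
                entry["used"] = True
                self._audit("success")
                return True
        self._audit("failure")
        return False

    def remaining(self) -> int:
        return sum(1 for e in self._entries if not e["used"])

    def clear(self) -> None:
        """What disabling 2FA does to the codes: they are dropped, not just marked used."""
        self._entries.clear()


if __name__ == "__main__":
    codes = generate_recovery_codes()     # shown to the user exactly once
    store = RecoveryCodeStore(codes)      # the server keeps only the hashes
    print("first redeem:", store.redeem(codes[0]))
    print("replay:", store.redeem(codes[0]))
    print("remaining:", store.remaining(), "audit:", store.audit_log)
```

Because each code is stored only as a hash, the service can confirm a code you type but cannot list your codes back to you, which is exactly the property the "shown exactly once" rule depends on.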
Related
- Creating your account — sign-up flow.
- Enterprise security — SSO, SCIM, audit log retention.