Password and two-factor (MFA)
Turn on two-factor authentication, save your recovery codes, change your password, and sign in if you lose your phone.
Two-factor authentication (MFA) adds a second step to sign-in: a 6-digit code from an authenticator app on your phone. This page covers turning it on, saving your recovery codes, changing your password, and getting back in if you lose your phone.
Turn on two-factor authentication
You'll need an authenticator app on your phone — Google Authenticator, 1Password, Authy, or any TOTP app.
- Go to Settings → Security.
- Click Enable two-factor authentication.
- A QR code appears. Open your authenticator app and scan it. (If you can't scan it, click "Can't scan? Enter manually" and type the Secret shown into your app; the account name is AutoDealer.io.)
- Your app now shows a 6-digit code. Type it into the 6-digit code box.
- Click Verify and enable.
After this, every sign-in asks for a code from your authenticator app.
Add the account to a password-manager authenticator (1Password, etc.) so the code syncs across your devices. If you only have it on one phone and lose that phone, you'll need your recovery codes (next section).
Save your recovery codes
Right after you enable MFA, the app shows 10 recovery codes under Save your recovery codes. These let you sign in if you ever lose your phone. This is the only time they're shown — they can't be displayed again.
- Click Copy to clipboard or Download .txt. Store them in your password manager, or print them.
- Tick the box: "I've saved these codes somewhere safe (password manager, printed, downloaded). I understand they won't be shown again."
- Click Done.
Each recovery code works exactly once. If you click Done without saving them, they're gone for good — your only options then are to regenerate a new batch (you need your password) or, if you're also locked out, ask a platform admin to reset your MFA.
Use a recovery code to sign in
If you don't have your authenticator app handy:
- On the sign-in screen, enter your email and password as usual.
- When the Authenticator code box appears, type one of your recovery codes instead of the 6-digit app code.
- Click Verify and sign in.
Recovery codes look like XXXX-XXXX-XXXX (three groups of four characters). You can type them with or without the dashes, and case doesn't matter. The code you use is consumed and won't work again.
The same Authenticator code box accepts either kind of code — the 6-digit one from your app, or a recovery code. You don't pick a mode; just type whichever you have and the field figures out which one it is.
Check or regenerate your recovery codes
On Settings → Security (while MFA is on), the Recovery codes card shows how many you have left, e.g. "7 of 10 codes remaining." When you get down to 2 or fewer, it warns you to generate new ones.
To get a fresh batch of 10:
- On the Recovery codes card, click Regenerate.
- Confirm your password.
- Click Regenerate codes.
- Save the new codes (copy or download), tick the box, and click Done.
Regenerating invalidates every unused code from your old batch. Always save the new ones before you leave the screen.
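The recovery-code behaviour described in the sections above (one input box, dashes and case ignored, single use, a remaining count, regeneration replacing the batch) can be modelled server-side as follows. This is an added sketch, not AutoDealer.io's code; the character alphabet, the salted SHA-256 storage and all function and class names are assumptions.

```python
import hashlib, hmac, re, secrets

# Assumed alphabet; the page only gives the XXXX-XXXX-XXXX shape.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def normalize(raw):
    """Drop dashes and spaces, uppercase: 'abcd-efgh-jk23' -> 'ABCDEFGHJK23'."""
    return re.sub(r"[\s-]", "", raw).upper()

def classify(raw):
    """Decide which kind of code was typed into the single input box."""
    code = normalize(raw)
    if re.fullmatch(r"\d{6}", code):
        return "totp"
    if re.fullmatch(r"[A-Z0-9]{12}", code):
        return "recovery"
    return "invalid"

class RecoveryCodes:
    """Keeps salted digests only, so a saved batch can never be displayed again."""
    BATCH, LOW_WATER = 10, 2  # from the page: 10 codes, warning at 2 or fewer

    def __init__(self):
        self.salt, self.digests = b"", set()

    def _digest(self, raw):
        # Plain salted SHA-256 is an assumption; it relies on codes being random.
        return hashlib.sha256(self.salt + normalize(raw).encode()).digest()

    def regenerate(self):
        """Issue a fresh batch; every unused code from the old one stops working."""
        self.salt = secrets.token_bytes(16)
        codes = ["-".join("".join(secrets.choice(ALPHABET) for _ in range(4))
                          for _ in range(3)) for _ in range(self.BATCH)]
        self.digests = {self._digest(c) for c in codes}
        return codes  # the only moment the plaintext exists server-side

    def consume(self, raw):
        """Return True once per valid code; the digest is deleted on use."""
        if classify(raw) != "recovery":
            return False
        candidate = self._digest(raw)
        for stored in self.digests:
            if hmac.compare_digest(stored, candidate):
                self.digests.remove(stored)
                return True
        return False

    def status(self):
        """(codes remaining, whether to show the low-codes warning)."""
        return len(self.digests), len(self.digests) <= self.LOW_WATER
```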
Turn off two-factor authentication
- On Settings → Security, click Disable on the "Two-factor authentication is on" card.
- Confirm your password.
- Click Disable MFA.
After this, sign-in only needs your email and password. Your recovery codes are deleted. Re-enabling MFA later generates a brand-new batch.
Change your password
Your password lives on a different page — your Profile, not Security.
- Go to Settings → Profile and find the Password card.
- Enter your Current password.
- Enter a New password — at least 12 characters.
- Re-type it in Confirm new password.
- Click Update password.
Changing your password signs you out of every device, including this one. That's on purpose — a stolen session can't outlive the old password. You'll be taken to the login page to sign in again with the new password.
If you're logged out and forgot your password, use "Forgot your password?" on the sign-in screen instead. It emails you a reset link that expires in 30 minutes and signs out all your other sessions when you use it.
FAQ
I lost my phone and didn't save my recovery codes. How do I get in?
You can't recover them yourself — they're never stored in readable form. Contact your platform administrator and ask them to reset your MFA. After the reset you can sign in with just your password, then re-enroll MFA and save a fresh set of codes.
Who can reset MFA for a locked-out user?
Only a platform (super) admin. The reset requires the admin to record a reason and is logged in the audit trail. It clears the user's authenticator secret and all recovery codes so the user can sign in with their password alone. It does not change or reveal the user's password.
Do I have to use a specific authenticator app?
No. Any standard TOTP authenticator works — Google Authenticator, 1Password, Authy, Microsoft Authenticator, and others. Pick whichever you already use.
My 6-digit code keeps getting rejected.
The most common cause is a clock that's out of sync. The codes are time-based, so make sure your phone's clock is set to update automatically. A small amount of skew is tolerated, but a wrong clock will make every code fail. Double-check you're reading the current code (they change every 30 seconds).
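Why a slightly slow phone still works while a badly wrong clock fails every time, shown as an added RFC 6238 sketch (not AutoDealer.io's code). HMAC-SHA1 and a tolerance of one 30-second step either side are assumptions, and the secret is the public RFC test value, not a real account.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6  # from the page: 6-digit codes that change every 30 seconds

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time):
    """Code for the 30-second step that contains unix_time (HMAC-SHA1 assumed)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, window=1):
    """Accept a code from up to `window` steps either side of the server clock.

    Returns the matching step offset (-1, 0 or +1 when window=1), or None when
    the code belongs to no step in range, which is what a wrong clock produces.
    window=1 is an assumed tolerance; the page only says a small skew is allowed.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):
            return drift
    return None

def phone_outcome(secret_b32, phone_time, server_time):
    """What the server decides for the code a phone shows at phone_time."""
    return verify(secret_b32, totp(secret_b32, phone_time), server_time)
```

A non-zero offset that keeps recurring for one user is a useful support signal that the device clock is drifting.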
Can I see my recovery codes again later?
No. They're shown only once, at enrollment or right after a regenerate. If you didn't save them, click Regenerate on the Security page (you'll need your password) to get a new batch — this invalidates the old one.
Is MFA required?
It's strongly recommended for everyone and is called out for the dealership's qualified individual under the FTC Safeguards Rule. Even where it isn't mandatory, it protects your account if your password is ever leaked. The app doesn't force you to enable it.
Where do I sign out of all my other devices?
On Settings → Profile, under the Sessions card, use Sign out everywhere. This signs you out of every browser and device — useful if you lost a device or suspect someone else used your account. (Changing your password does this automatically.)