Two-Factor Authentication
Enable 2FA, configure TOTP, manage backup codes, and enforce organization-wide 2FA
Two-Factor Authentication (2FA) adds an extra layer of security to your MongoDash account by requiring both your password and a time-based code.
What is Two-Factor Authentication?
2FA protects your account even if your password is compromised. After entering your password, you'll need to provide a six-digit code from an authenticator app on your phone.
Benefits of 2FA
- Enhanced Security - Prevents unauthorized access even with a stolen password
- Compliance - Meets security requirements for SOC 2, ISO 27001, and other standards
- Account Protection - Protects sensitive MongoDB connection credentials
- Peace of Mind - Know your workspace is secured against common attacks
2FA is available on all MongoDash plans and strongly recommended for all users, especially those with Admin or Owner roles.
Enabling 2FA for Your Account
Open Account Security Settings
Click your profile picture in the top right, then select Account Settings. Navigate to the Security tab.
Start 2FA Setup
Click Enable Two-Factor Authentication to begin the setup process.
Install Authenticator App
If you don't have one already, install an authenticator app on your phone:
- Google Authenticator (iOS/Android)
- Microsoft Authenticator (iOS/Android)
- Authy (iOS/Android/Desktop)
- 1Password (with TOTP support)
We recommend using an authenticator app instead of SMS-based 2FA for better security.
Scan QR Code
Open your authenticator app and scan the QR code displayed in MongoDash.
Alternatively, you can manually enter the secret key if your authenticator app doesn't support QR codes.
Enter Verification Code
Your authenticator app will generate a six-digit code. Enter this code in MongoDash to verify the setup.
Save Backup Codes
MongoDash will display 10 backup codes. Save these in a secure location like a password manager.
Store backup codes securely. You'll need them to access your account if you lose your phone or authenticator app.
Confirm 2FA is Active
You'll see a confirmation that 2FA is now enabled for your account. Your next login will require a code from your authenticator app.
Using 2FA to Sign In
Once 2FA is enabled, your login process changes:
- Enter your email and password as usual
- When prompted, open your authenticator app
- Enter the current six-digit code from your app
- Click Verify to complete sign-in

Check the "Trust this device for 30 days" box to skip 2FA codes on your primary work devices. Use this only on secure, personal devices.
Managing Backup Codes
Backup codes let you sign in when you can't access your authenticator app.
Viewing Backup Codes
Navigate to Security Settings
Go to Account Settings and click the Security tab.
View Codes
Click View Backup Codes in the Two-Factor Authentication section. You may need to verify your password.
Copy or Download
Copy codes to your password manager or download them as a text file.
Regenerating Backup Codes
If you've used several backup codes or suspect they may be compromised:
- Navigate to Account Settings and Security tab
- Click Regenerate Backup Codes
- Confirm the action (this invalidates all previous codes)
- Save the new codes securely
Regenerating backup codes immediately invalidates all previous codes. Save the new codes before closing the dialog.
Using a Backup Code
If you lose access to your authenticator app:
- At the 2FA login prompt, click Use a backup code instead
- Enter one of your 10 backup codes
- Complete sign-in
- Immediately reconfigure your authenticator app or regenerate backup codes
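The backup-code behaviour described in the Regenerating and Using sections above, as an added example that is not MongoDash's own code: a small store that keeps only hashes of the 10 codes, accepts each code once, and invalidates every previous code when a new set is generated. The code length, the SHA-256 hashing and the per-user salt are assumptions about a typical implementation, not documented MongoDash internals.

```python
# Added example (not MongoDash's code): single-use backup codes, hashed at rest,
# with regeneration that invalidates the whole previous set.
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # MongoDash displays 10 backup codes
CODE_BYTES = 5    # assumed: 40 random bits -> 10 hex characters per code


class BackupCodeStore:
    def __init__(self, user_id: str):
        self.user_id = user_id
        self._hashes: set = set()   # only hashes are stored, never plaintext codes
        self.generation = 0         # incremented on every regeneration

    def _hash(self, code: str) -> str:
        # Salt with the user id and set generation so equal codes hash differently
        # across users and across regenerated sets.
        data = f"{self.user_id}:{self.generation}:{code.strip().lower()}".encode()
        return hashlib.sha256(data).hexdigest()

    def regenerate(self) -> list:
        """Issue a fresh set of plaintext codes; all earlier codes stop working."""
        self.generation += 1
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._hashes = {self._hash(c) for c in codes}
        return codes  # shown to the user exactly once, then discarded

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        """Accept a code once; presenting the same code again fails."""
        candidate = self._hash(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)   # single use: burn it on success
                return True
        return False
```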

Disabling 2FA
To disable 2FA for your account:
Navigate to Security Settings
Go to Account Settings and the Security tab.
Disable 2FA
Click Disable Two-Factor Authentication. You'll need to verify your password and enter a current 2FA code.
Confirm Removal
Confirm that you want to remove 2FA protection from your account.
If your workspace has enforced 2FA, you won't be able to disable it individually. Contact a workspace Owner.
Workspace 2FA Enforcement
Workspace Owners (Team plan) can require all members to enable 2FA.
Enabling 2FA Enforcement
Open Workspace Settings
Click your workspace name and select Settings.
Navigate to Security
Click Security in the left sidebar.
Enable Enforcement
Toggle Require 2FA for all members to on.
Set Grace Period
Choose a grace period (7, 14, or 30 days) for existing members to enable 2FA.
New members invited after enforcement is enabled must set up 2FA before accessing the workspace.
Save Settings
Click Save to enforce 2FA workspace-wide. Members without 2FA will see a notice on their next login.
How Enforcement Works
When 2FA is enforced:
- Existing members receive an email notification and see a banner on login
- Grace period allows time to set up 2FA without losing access
- New invites require 2FA setup before first workspace access
- Non-compliant users cannot access the workspace after grace period expires

Monitoring 2FA Compliance
Workspace Owners and Admins can view 2FA status for all members:
- Navigate to Workspace Settings and Members
- View the 2FA Status column showing enabled/disabled for each user
- Filter to see only members without 2FA enabled
- Send reminder emails to non-compliant users
Troubleshooting 2FA
Lost Access to Authenticator App
If you lose your phone or authenticator app:
- Use a backup code to sign in
- Go to Account Settings and Security
- Disable 2FA (requires backup code or password verification)
- Re-enable 2FA with a new authenticator app
Codes Not Working
If your authenticator codes aren't accepted:
- Check time sync - Ensure your phone's clock is accurate
- Try next code - Wait for the next six-digit code to generate
- Verify app - Make sure you're looking at the correct account in your authenticator app
- Use backup code - Sign in with a backup code and reconfigure
TOTP codes are time-based. If your phone's clock is off by more than a minute, codes may not work.
Locked Out Completely
If you've lost both your authenticator app and backup codes:
- Contact MongoDash support at support@mongodash.app
- Provide account verification details
- Support will assist with account recovery
Account recovery without 2FA codes requires identity verification and may take 24-48 hours for security purposes.
Best Practices
Secure Your Backup Codes
- Store backup codes in a password manager
- Keep a physical copy in a secure location
- Never share backup codes with anyone
- Regenerate codes if you suspect compromise
Use a Trusted Authenticator
- Choose well-maintained authenticator apps
- Enable cloud backup features (like Authy) for disaster recovery
- Consider multiple authenticators for redundancy
Monitor Security Events
Enterprise plans can track 2FA events in audit logs:
- Failed 2FA attempts
- Backup code usage
- 2FA disable/re-enable events
- Enforcement policy changes
What's Next?
- Session Management - Control active sessions and timeouts
- API Keys - Generate secure API keys for automation
- Audit Logs - Review security events and access patterns