Overview
Two-Factor Authentication (2FA / MFA) adds an extra layer of security to your account. When enabled, you'll need to enter a 6-digit code from your authenticator app in addition to your password when signing in.
MFA is a requirement for OSF compliance as an ATO Digital Service Provider.
Setting Up 2FA
- Go to Settings and click Manage next to Two-Factor Auth
- Click Set Up Two-Factor Authentication
- Scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, etc.)
- Enter the 6-digit code from your app to verify
- Save your backup codes — these are shown once and allow you to sign in if you lose your authenticator device
Supported Authenticator Apps
Any TOTP-compatible authenticator will work:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Bitwarden
Signing In with 2FA
- Enter your email and password as usual
- You'll be redirected to the verification page
- Enter the 6-digit code from your authenticator app
- If you don't have your authenticator, use a backup code instead
Backup Codes
When you enable 2FA, you receive 10 backup codes. Each code can only be used once. Store them somewhere safe (password manager, printed copy, etc.).
If you run low on backup codes, you can regenerate a new set from the Two-Factor settings page. This will invalidate all previous backup codes.
Disabling 2FA
To disable two-factor authentication:
- Go to Settings > Manage Two-Factor Auth
- Click Disable Two-Factor Authentication
- Enter your password to confirm
Note: Disabling MFA may affect your OSF compliance status.
Important Notes
- Codes are time-based (TOTP) and change every 30 seconds
- There is a small tolerance window for clock drift (±30 seconds): a code from the 30-second step just before or just after the current one is still accepted, so a slightly out-of-sync device clock won't reject a valid code
- After 5 failed verification attempts, you'll be locked out temporarily
- Backup codes are one-time use — once used, they cannot be reused
- Always keep your backup codes in a secure location