Two-factor authentication adds a second, time-based code on top of your password. Even if a password leaks, the account stays out of reach unless the attacker also has the authenticator app. Octelligence supports 2FA for every user on every plan, and Owners on Scale and Portfolio Licensing can require it across an entire corporation.
How it works
Octelligence uses TOTP (Time-based One-Time Password) — the open standard used by Google Authenticator, Authy, 1Password, Bitwarden, and most password managers. When you enable 2FA, Octelligence generates a secret, the authenticator app stores it, and the app rotates a six-digit code every 30 seconds. At login, you enter the current code along with your password.
On first setup, Octelligence also generates ten one-time recovery codes. Each code works once. Use them if you lose access to your authenticator (phone lost, device wiped). Store them somewhere safe — a password manager or a printed copy in a sealed envelope.
No hardware keys or SMS. Octelligence currently supports TOTP only. Hardware security keys (FIDO2 / WebAuthn) and SMS codes are not implemented. TOTP via a phone-resident authenticator app is the supported second factor.
Step-by-step: enable 2FA on your account
Open Account › Password & security
From the top navigation, open Account and select Password & security. Scroll to the two-factor authentication section.
Start setup
Click Enable 2FA. Octelligence generates a secret and shows you a QR code plus the text version of the secret in case your authenticator app prefers manual entry.
Scan with your authenticator app
Open your authenticator app and add a new account by scanning the QR code. Most apps prompt for a name; "Octelligence" is the default. The app starts generating six-digit codes that rotate every 30 seconds.
Confirm with a code
Back in Octelligence, enter the current code from your authenticator and click Confirm. The confirmation step verifies that the secret was stored correctly. Without it, 2FA isn't actually active — the secret exists but isn't required at login.
Save your recovery codes
Octelligence displays ten recovery codes after confirmation. Each is a one-time code that bypasses the authenticator if you ever lose access. Save them in your password manager, or print them and store the copy in a safe.
You can regenerate the codes later from the same page — regeneration requires your current password and invalidates the previous set.
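The recovery-code behaviour described above (ten codes, each consumed on use, regeneration invalidating the previous set), sketched as an added example that is not Octelligence's code. The code format, the `RecoveryCodes` class and the choice to store only SHA-256 digests are assumptions; the password check that the page requires before regeneration is left out.

```python
import hashlib
import hmac
import secrets

# Assumed format: 16 characters from an alphabet without look-alikes (0/O, 1/I/L).
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def new_code() -> str:
    raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
    return "-".join(raw[i:i + 4] for i in range(0, 16, 4))


def digest(code: str) -> str:
    """Normalise what the user typed, then hash; only digests are stored."""
    normalised = code.strip().upper().replace("-", "").replace(" ", "")
    return hashlib.sha256(normalised.encode()).hexdigest()


class RecoveryCodes:
    """Hypothetical per-user store of recovery-code digests."""

    def __init__(self):
        self._digests = set()

    def regenerate(self, count: int = 10) -> list[str]:
        # Replacing the whole set invalidates every previously issued code.
        codes = [new_code() for _ in range(count)]
        self._digests = {digest(c) for c in codes}
        return codes    # shown to the user once; plaintext is not kept

    def consume(self, code: str) -> bool:
        candidate = digest(code)
        for stored in list(self._digests):
            if hmac.compare_digest(stored, candidate):
                self._digests.discard(stored)   # one-time: remove on use
                return True
        return False

    def remaining(self) -> int:
        return len(self._digests)
```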
Step-by-step: log in with 2FA
Enter password
Log in normally with your email and password.
Enter the current six-digit code
Open your authenticator app, find the Octelligence entry, and enter the six-digit code shown. Codes are valid for 30 seconds; if the code is close to expiring, wait for the next one to be safe.
If you've lost your authenticator, use a recovery code
On the 2FA challenge page, click Use a recovery code and enter one of the ten codes you saved. Each works once and is consumed when used. After signing in, regenerate the recovery codes and re-enroll your authenticator on a new device.
Corporation-level enforcement (Scale and Portfolio Licensing)
Per-user 2FA is opt-in. For corporations that want to require 2FA across every team member, the Owner can turn on corporation-level enforcement. When enforcement is on, every shared user on the corporation is required to enable 2FA before they can continue past the security setup pages on next login.
Open enforcement settings
From Account › Password & security, scroll to the Corporation-level 2FA enforcement section. This section is visible only on Scale, Portfolio Licensing, and Portfolio Foundation and above.
Enable enforcement
Toggle enforcement on. Octelligence records the timestamp. From that moment, every shared user is prompted on next login to enable 2FA if they haven't already; users with 2FA already on are unaffected.
The Owner is also bound by enforcement. Once on, no one — including the Owner — can disable their own 2FA without first turning enforcement off.
Turn enforcement off when needed
Enforcement can be turned off from the same page. Users keep their 2FA configured but the requirement at login is lifted. Toggle it back on whenever you need to re-enforce.
Recovering a lost authenticator
If you lose your authenticator and didn't save recovery codes, you're locked out of your account. There is no support backdoor — the security model of TOTP doesn't allow one. To get back in:
- Use one of your recovery codes if you saved them
- If you didn't save them, contact support@octelligence.com. Support can verify ownership through alternative channels (account email, billing details, original incorporation documents) and disable 2FA on the account so you can re-enroll. This is a manual process and takes time; recovery codes are the fast path
The lesson is to save the recovery codes at setup time. A password manager is the easiest place; a printed copy in a safe is more durable.
Common gotchas
Not saving recovery codes. Most account-lockout situations come from a lost or wiped phone with no recovery codes available. Save the codes at setup. The five seconds it takes is worth the days of friction it prevents.
Using the same authenticator entry on multiple devices without exporting the secret. Authy and most password managers can sync; Google Authenticator does not by default. If you switch phones, transfer the secret first or you'll need to re-enroll using a recovery code.
Turning on enforcement without warning the team. When enforcement turns on, every team member on next login is forced into 2FA setup before they can continue. If the team isn't expecting it, a busy Tuesday morning becomes a wave of support requests. Notify the team first and pick a quiet day.
Sharing a TOTP secret. Don't. The secret is meant to live on one device per user. If two people need access to a corporation, invite both — see Invite team members.