Two-Factor Authentication

Users can enable two-factor authentication for their accounts in the /account/2fa view. Once enabled, the user will be presented with a QR code that they can scan using their authenticator app of choice, such as Google Authenticator.

The user's secret (and QR code) is shared across all of their accounts, so they do not need to scan a new code for each account they belong to or own. If 2FA is disabled and then re-enabled, a new secret is generated and they will need to scan the new QR code.

2FA works with all the Gravity login flows:

  • username and password

  • magic links

  • social sign-ons

Once a user has completed first-factor authentication using one of these methods, they are prompted to enter the OTP (verification code) from their authenticator app. This screen carries a time-sensitive token (valid for 5 minutes) created during the first step; because the OTP step only accepts a valid, unexpired token, a user cannot skip the first factor and go straight to the OTP prompt.

Setting Your App Name In The Authenticator Apps

To show your application name in the user's authenticator app, simply set the APP_NAME env var to the name of your application.