Two-Factor Authentication (2FA)
Summary
Two-factor authentication (2FA) adds a second check at sign-in. After your password, you enter a six-digit code from an authenticator app on your phone. A leaked password is no longer enough to access your Torqueflow account. This article covers turning 2FA on for yourself, signing in once it’s enabled, saving recovery codes for the lost-phone case, choosing a trusted-device grace period, and (for Owners) requiring 2FA across staff roles.
Prerequisites
- A Torqueflow account (Owner, Manager, Service Advisor, or Technician).
- An authenticator app on your phone. Any TOTP-compatible app works - Google Authenticator, Authy, 1Password, Microsoft Authenticator, Bitwarden, Apple Passwords.
- A place to save your eight recovery codes (a password manager is ideal; printing or downloading the file works too).
Permissions
- Every user can enable or disable their own 2FA from Settings > Security.
- Owners can set the organisation 2FA policy and reset another user’s 2FA. The relevant capability is organization.security.manage.
- Owners of a sole-owner organisation who lose both their phone and recovery codes need to contact Torqueflow support. Support can reset 2FA after verifying identity out of band.
1. Turn on 2FA for your account
- Sign in and go to Settings > Security. You see a Two-Factor Authentication card showing Off. If you’re a Technician and don’t see a Settings menu, go straight to /settings/security in your browser address bar - the page itself is available to everyone with an account.
- Click Enable 2FA. The setup screen opens.
- On a phone, open your authenticator app and choose Add account or Scan QR code.
- Scan the QR code on the setup screen with the app. The app adds a new entry labelled with your email and your organisation name. If you cannot scan (you’re already on your phone), tap Open authenticator app to hand the code straight to your installed app, or copy the manual entry key into the app’s “enter key” option.
- The app starts showing a six-digit code that changes every 30 seconds. Type the current code into Verification code on the setup screen.
- Choose a trusted-device period. This controls how often you have to re-enter a 2FA code on devices you have already verified once:

| Choice | Effect |
|---|---|
| Every login | You enter a code every time you sign in. Highest security. |
| 7 days | You skip the code on this device for a week after verifying once. |
| 14 days (recommended) | Default - balances security and friction. |
| 28 days | Longest grace period. Best for a personal device only you use. |

Pick “Every login” if you sign in on shared or public computers.

- Click Verify and Enable.
2. Save your recovery codes
After enabling, the next screen shows eight recovery codes, each in the format xxxx-xxxx. Save these now - they will not be shown again.
- Click Download as .txt to save a file, Copy all to put them on your clipboard, or Print to keep a paper copy.
- Each code is single-use. If you sign in with a recovery code, that code is consumed and the remaining seven are still valid.
- Tick I’ve saved these codes securely, then click Continue to dashboard. A confirmation dialog asks you to double-check - if you haven’t saved them, click Show me the codes again to go back.
- Treat the codes like a spare key. A password manager entry is best; a printed copy in a safe or locked drawer is fine; a screenshot on the same phone as the authenticator app is not safe (lose the phone, lose both).
3. Sign in with 2FA enabled
- Sign in with your email and password as normal.
- You are redirected to Verify 2FA. Open your authenticator app, find your Torqueflow entry, and type the current six-digit code.
- If you set a trusted-device period above zero, the next time you sign in from the same browser within that window you skip this step. After the window expires, you are prompted again.
- Lost your phone? Click Use recovery code instead, enter one of your eight xxxx-xxxx codes (case and hyphen don’t matter), and you’re signed in. That code is now used up.
- Need to sign in as someone else from the verify screen? Click Use a different account beneath the form. It signs you out cleanly and returns you to the sign-in page.
- Five wrong codes in a row? A support contact link appears beneath the form. If you’ve genuinely lost access, follow that link rather than continuing to guess.
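Added example (not Torqueflow’s own code) of what the server side of the recovery-code step above has to do: accept a code regardless of case or hyphen, store only one-way hashes (as the notes at the end of this page describe), and consume each code on first use. The salted PBKDF2 scheme, the lowercase-alphanumeric alphabet and the per-account salt are assumptions.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed code alphabet
CODE_COUNT = 8          # the page issues eight codes per account
PBKDF2_ROUNDS = 50_000  # assumed; a slow hash matters because codes are short


def normalize(code: str) -> str:
    """'Case and hyphen don't matter': lower-case and drop hyphens/spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def hash_code(code: str, salt: bytes) -> bytes:
    """One-way, salted hash of a normalized code. Only this value is stored."""
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(salt: bytes):
    """Return (plaintext codes shown once at enrolment, hashes to store).
    Regenerating replaces the stored list wholesale, invalidating the old set."""
    codes = []
    for _ in range(CODE_COUNT):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
        codes.append(f"{raw[:4]}-{raw[4:]}")
    return codes, [hash_code(c, salt) for c in codes]


def redeem_recovery_code(submitted: str, stored_hashes: list, salt: bytes) -> bool:
    """Single-use redemption: on a match the stored hash is removed so the same
    code cannot be replayed. Returns True on success, False otherwise."""
    candidate = hash_code(submitted, salt)
    for i, stored in enumerate(stored_hashes):
        if hmac.compare_digest(candidate, stored):
            del stored_hashes[i]
            return True
    return False


def remaining_codes(stored_hashes: list) -> int:
    """Unused codes left, e.g. seven after one is consumed."""
    return len(stored_hashes)
```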
4. Manage your own 2FA (Settings > Security)
The Security card shows your enrolment status and lets you:
- Regenerate recovery codes - issues a fresh set of eight and invalidates the old ones. Use this after a code has been used or if you suspect a list has been seen.
- Change trusted-device period - pick a new grace window. Takes effect on your next sign-in.
- View trusted devices - shows every browser that has skipped 2FA in the grace window, with first-seen date and last-used date. Revoke any device you don’t recognise - the next sign-in from that browser will demand a code.
- Disable 2FA - removes 2FA from your account. Not available if your organisation policy requires 2FA for your role (see “Org-level policy” below). You’ll see an explanation in place of the button.
5. Multiple organisations
If you have accounts in more than one Torqueflow organisation (same email, different orgs), each organisation has its own 2FA setting. Set up 2FA per organisation; each gets a distinct entry in your authenticator app labelled with the organisation name so you can tell them apart. Recovery codes are also per organisation.
6. Org-level policy (Owners only)
Owners can require 2FA for one or more staff roles from Settings > Organisation > Security.
- Open Settings > Organisation and scroll to the Security card.
- Tick the roles that should be required to use 2FA: Owner, Manager, Service Advisor, Technician. You can pick any combination.
- Choose a rollout mode:
  - Advisory - leave the deadline empty. Anyone in a required role who has not yet enrolled sees a recommendation banner at the top of the app. They can still use Torqueflow as normal. Use this to set the policy and give people time to enrol at their own pace.
  - Required by a deadline - pick a date. Before the date, anyone in a required role sees a countdown banner. From the date onward, they cannot reach any page other than Set up 2FA until they enrol. Pick a date at least a week away so people aren’t surprised.
- Click Save policy. The change is audit-logged.
7. Reset another user’s 2FA (Owners only)
If a staff member loses access to their authenticator app and their recovery codes, an Owner can reset their 2FA from the same page as the org policy:
- Open Settings > Organisation > Security.
- Below the policy form, find the Reset a team member’s 2FA section. Pick the user from the list.
- Click Reset 2FA, then confirm in the dialog. The user’s 2FA is removed, every trusted device on their account is revoked, and their recovery codes are wiped. A success toast confirms how many devices and codes were cleared.
- On the user’s next sign-in, they’re prompted to set up 2FA from scratch (or, if your policy is advisory, they can choose to stay unenrolled).
- The reset is recorded in the audit log against your account and theirs.
If the user is the only Owner and they have lost both phone and codes, the in-app reset cannot help - there is nobody to perform it. Contact Torqueflow support; staff can reset 2FA after verifying identity out of band.
Expected Outcome
Sign-in needs two things you control - your password plus a code from your phone. Recovery codes and trusted-device grace let you handle real-world phone loss or shared devices without locking yourself out. Owners can set a recommendation now and a hard deadline later, with the in-app banner doing the chasing for you.
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| The QR code won’t scan | Phone camera angle, screen brightness, or scanning the QR before the page fully loaded | Tap Show manual entry key on the setup screen and type the key into your authenticator app instead. The key is case-insensitive and is shown in groups of four characters. |
| The six-digit code is rejected | The code expires every 30 seconds - if you typed slowly, it may already be the next one. Time skew between your phone and the server can also reject codes by ±30 seconds. | Wait for a fresh code to appear in the app, then enter it quickly. If it still fails, check your phone’s time is set to automatic. |
| You don’t see the Disable 2FA button | Your organisation policy requires 2FA for your role. The button is replaced with an explanation. | Ask the Owner to relax the policy (move the role out of “required”), or talk to them about why you need it disabled. |
| You used all eight recovery codes | Each code is single-use. Once consumed, they cannot be reused. | Sign in with your authenticator app code, then go to Settings > Security and click Regenerate recovery codes to get a fresh eight. |
| You lost your phone AND your recovery codes | The two recovery paths designed into 2FA are both unavailable. | If you have a colleague with Owner role, ask them to Reset 2FA on your account. If you’re the only Owner, contact Torqueflow support - we reset after verifying your identity out of band. |
| The “trusted devices” list shows a browser you don’t recognise | Either you signed in from a device you’ve forgotten, or someone else used your account on that browser within the grace window. | Click Revoke on the unknown device. Then change your password and regenerate your recovery codes immediately. Tell your Owner so they can check the audit log. |
| Sign-in keeps redirecting you to Set up 2FA even though you set it up | Your organisation policy is hard-gated past its deadline, and your enrolment isn’t completing - usually a browser cookie was blocked. | Make sure cookies are enabled for Torqueflow in your browser. Try a private/incognito window if the problem persists. |
| The countdown banner says “2FA required in N days” but you don’t see the Set up 2FA button | The Owner has set a hard deadline but you have signed in from a verified device within the grace window for the first time. | Open Settings > Security directly - the Enable 2FA button is always there, regardless of the banner. |
- Torqueflow’s 2FA uses time-based one-time passwords (TOTP, RFC 6238) - the same standard used by online banking, GitHub, Microsoft, Google, and most major SaaS apps. Any TOTP-compatible authenticator app works.
- Your authenticator app secret is encrypted on our servers. It is never logged, never returned to your browser after enrolment, and never visible to Torqueflow staff.
- Codes from your authenticator app are valid for 30 seconds. The current and previous code both work, so a slow type at the boundary is tolerated.
- Recovery codes are stored as one-way hashes. Even Torqueflow staff cannot show them to you again after the setup screen - this is why saving them at enrol time matters.
- The trusted-device cookie is tied to your account and your browser. It does not transfer if you switch laptops, change browsers, or use private/incognito mode.
- A shared browser only holds one active trusted-device slot at a time. If two people on the same laptop both tick “trust this device” on their own accounts, only the most recent one is remembered - the earlier user will be prompted for a code again next time. On shared kiosks and reception PCs, don’t tick “trust this device”.
- All 2FA-related events (enrol, disable, verify, recovery-code use, admin reset, policy change) appear in the audit log.
- If your phone is broken but your old phone has the authenticator app installed, copy your accounts across using your authenticator app’s backup or export feature before regenerating recovery codes.
- Future versions will allow Owners to require 2FA for specific capabilities (e.g. anyone allowed to export customer data) rather than only for whole roles. Until then, role-level enforcement is the way to require it.
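To make the notes above concrete (30-second codes, RFC 6238, and “the current and previous code both work”), here is an added Python example, not Torqueflow’s code, that verifies a TOTP code with exactly that acceptance window. The secret is the RFC 6238 test key (constructed input); the six-digit length, 30-second step and one-step-back tolerance are taken from the notes, and the code’s key normalisation mirrors the case-insensitive, four-character-grouped manual entry key described in Troubleshooting.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # code lifetime stated on the page
DIGITS = 6         # six-digit codes

# RFC 6238 Appendix B test key ("12345678901234567890") in base32 - constructed input.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (HMAC-SHA1, dynamic truncation) over the 30-second counter.
    The manual entry key is case-insensitive and grouped, so normalise it first."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper(), casefold=True)
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10**DIGITS:0{DIGITS}d}"


def verify_code(secret_b32: str, submitted: str, now: int, accept_previous: bool = True) -> bool:
    """Accept the code for the current step and, as the page describes, the one
    immediately before it (a slow type at the boundary). Nothing further back and
    nothing ahead, so a phone whose clock is too far off is still rejected.
    Comparison is constant-time so timing does not reveal which digits matched."""
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    candidates = [totp_at(secret_b32, now)]
    if accept_previous:
        candidates.append(totp_at(secret_b32, now - STEP_SECONDS))
    # Evaluate every candidate rather than short-circuiting, for uniform timing.
    return any([hmac.compare_digest(submitted, c) for c in candidates])
```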