We strongly recommend enabling two-factor authentication (2FA) on your SecurityScorecard account. A second verification step adds a layer of protection beyond your password: even if an attacker learns or guesses your password, that alone is not enough to sign in to SecurityScorecard.
If you’re an administrator we also recommend that you enforce 2FA for your entire organization.
Note: If you use SAML, you can achieve this by enforcing 2FA at your organization’s identity provider.
Configuring two-factor authentication using a time-based one-time password (TOTP) app
All users can visit My Settings > 2FA to set up 2FA using any TOTP app. If you don't already use one, here are some cloud-based TOTP apps you can choose from:
Enforcing 2FA for all users in my organization
As an administrator of your organization, you can also enforce 2FA for all users from the same page, after setting up 2FA for yourself.
Once enforced, any user who logs in with a password must set up 2FA before they can access any feature of the platform.
Step-by-step guide
- Log in to your SecurityScorecard account
- Navigate to My Settings
- Select 2FA
- Scan the QR code with your TOTP app (or enter the setup key manually if your app cannot scan the code)
- Enter the verification code shown in the TOTP app
- Log in again (a verification code is requested after you enter your password) to confirm that 2FA is properly configured
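The following is an added example, not code from the original article or from SecurityScorecard, showing what happens behind the steps above and behind the later point that TOTP codes "are always changing". It parses a constructed otpauth:// URI of the kind a QR code encodes, derives codes per RFC 4226/6238, and verifies a submitted code with a small clock-skew window and replay protection. The URI, the "Example" issuer and the user alice@example.com are made up; the secret is the RFC 6238 test-vector key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example of the payload behind a setup QR code (not a real account).
# The base32 secret decodes to b"12345678901234567890", the RFC 6238 test key.
EXAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
               "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/... URI into label, raw key and algorithm parameters."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    secret = params["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # restore base32 padding if it was stripped
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "key": base64.b32decode(secret),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, now: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / period).

    The code depends only on the shared key and the clock, which is why it changes
    every `period` seconds and why nothing about the user's phone number is involved."""
    return hotp(key, now // period, digits, algorithm)


class TotpVerifier:
    """Server-side check with +/- `window` time steps of skew and no code reuse."""

    def __init__(self, key: bytes, period: int = 30, digits: int = 6,
                 algorithm: str = "sha1", window: int = 1):
        self.key, self.period, self.digits = key, period, digits
        self.algorithm, self.window = algorithm, window
        self.last_counter = -1                   # highest time step already accepted

    def verify(self, submitted: str, now: int) -> bool:
        if not (submitted.isascii() and submitted.isdigit() and len(submitted) == self.digits):
            return False
        current = now // self.period
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:     # already used (or older): reject replays
                continue
            expected = hotp(self.key, counter, self.digits, self.algorithm)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    enrol = parse_otpauth(EXAMPLE_URI)
    verifier = TotpVerifier(enrol["key"], enrol["period"], enrol["digits"], enrol["algorithm"])
    code = totp(enrol["key"], 59, enrol["period"], enrol["digits"])
    print("label:", enrol["label"], "code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 70))
```

The verifier accepts the previous and next time step to tolerate clock drift between the phone and the server, but it records the highest step it has accepted so the same code cannot be submitted twice, which RFC 6238 recommends. The `isascii()`/`isdigit()` check and `hmac.compare_digest` keep the comparison from raising on odd input or leaking which digits matched.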
I lost access to my 2FA credentials, how do I recover access to my account?
Contact an administrator of your organization's account. The administrator should go to My Settings > Users and open the edit modal for the user who lost access; it displays a button to reset that user's 2FA. Once the reset is done, the user can log in with their password and set up 2FA again.
If you are the administrator, or you cannot reach an administrator, contact SecurityScorecard support for help.
Can I use SMS as a second factor?
We don't support SMS for 2FA.
Security guidance (for example, NIST SP 800-63B, which classes SMS as a restricted authenticator) discourages SMS in favor of TOTP apps. An SMS code is only as safe as your phone number, which can be taken over by SIM swapping or intercepted in transit. A TOTP code is derived from a secret held in your app and the current time, so it changes every 30 seconds and is not tied to your phone number, which greatly limits an attacker's chance of obtaining a valid code and, with it, access to your account.
Because we believe TOTP is much more secure, we have chosen to support this option first. We may add other forms of MFA in the future, depending on demand from our clients.
I already use SAML, how can I add 2FA to my account?
If your company signs in to SecurityScorecard through a SAML identity provider, set up and enforce 2FA at that identity provider; it then applies to every SSO login to SecurityScorecard.