Two-Factor Authentication (2FA) is a security feature that provides an additional layer of protection for your Countly account.
With standard authentication, access is granted using only a password. When 2FA is enabled, users are required to complete a second verification step during login by entering a time-based, six-digit security code generated on their smartphone using an authenticator application.
This ensures that even if an account password is compromised, unauthorized access is prevented unless the second authentication factor, the temporary code, is also provided.
By combining something you know (your password) with something you have (your mobile device), 2FA significantly strengthens the overall security of your Countly account and helps safeguard sensitive data.
Managing 2FA
Two-Factor Authentication (2FA) is available in Countly as part of the Feature Management system. This allows administrators to enable or disable it just like any other plugin on the server.
Enabling the 2FA feature makes it available on your Countly server. However, to enforce 2FA for all users, an additional setting must be activated in the Settings section.
Once this enforcement option is enabled, every user will be required to set up their individual 2FA configuration at their next login. This ensures that all accounts on the server are protected with the additional authentication layer moving forward.
The above process should be performed by a user with Global Admin privileges. The next step involves configuring 2FA at the individual user level, which is explained in detail below.
Setting Up 2FA
Click My Profile in the bottom-left corner of the screen and select My Account.
In the Account Settings section, enable the Two-Factor Authentication toggle and apply.
Note: If global enforcement is already enabled by the administrator, this step will be applied automatically. Otherwise, you'll need to enable it manually here to activate 2FA for your account.You will see the below instructions to set up your 2FA.
To set up and use Two-Factor Authentication, you will need an authenticator application installed on your smartphone (such as Google Authenticator, Authy, or a similar app).
After you install the app, please scan the QR code provided on your server using the authenticator. This securely stores your unique secret key on your device, allowing the app to start generating time-based authentication codes. Once the authenticator is generating codes, enter the current six-digit code displayed in the app into the input field before it expires, then click Confirm. Upon successful verification, you will receive a notification confirming that Two-Factor Authentication has been successfully enabled for your account.
2FA Recovery Process for Lost Devices
If a user loses access to their smartphone or authenticator app, a Global Admin can disable the existing Two-Factor Authentication configuration for that user, allowing them to set it up again.
This option can be found by navigating to:
Management -> User Management -> search for the user -> click the three-dot menu next to the user’s profile -> select Disable 2FA.
Once 2FA is disabled, the affected user will be prompted to reconfigure Two-Factor Authentication at their next login.
Note: If Two-Factor Authentication appears to be configured correctly but the server continues to reject valid authentication codes without displaying any error messages, it is recommended to verify the system time on the server. While time zone settings do not affect 2FA, even a slight difference, just a few seconds ahead of or behind UTC, can cause authentication code validation to fail. Ensuring that the server time is synchronized correctly will usually resolve this issue.