This article provides an overview of 2-factor authentication, how to configure it within your GoCardless account, the recovery process, as well as answers to some of the commonly asked questions.
What is 2-factor authentication?
2-factor authentication, also known as Multi-Factor Authentication (MFA) or two step verification, enables GoCardless to identify who the user is by using something you know (your password) and something that you have (either a code from an authenticator app or SMS code we send to your phone).
This enables us to verify that it is you who is logging in to your user account and accessing GoCardless. It is really important that you do not share your account login credentials with anyone, and we recommend you take a look at keeping your account secure.
Why should you use 2-factor authentication?
Passwords are a layer of security, but they are the bare minimum. They can be guessed or stolen if you’re a victim of a cyber attack, so 2-factor authentication offers an additional layer of security to make sure your account is still protected.
What options do you have?
You can choose between two methods:
- Use your mobile phone to receive an SMS.
- Use an authenticator app to generate a unique time-based code.
You will need one of these two methods when you set it up for the first time and every time that you need to verify your identity. We recommend using an authenticator app. Authenticator apps are considered safer because the codes they generate expire very quickly, and the code comes from something you already have on your phone rather than something you’re sent, like an SMS, which could be intercepted by a cyber attacker.
What is an authenticator app?
An authenticator app is an app that you can download on your mobile phone that generates a unique, time-based code that you can use to verify your identity when you log in to a website or application. An example of an authenticator app we recommend is Google Authenticator. Another option is using a password manager like 1Password, which also offers this functionality.
How to enable 2-factor authentication on your GoCardless account
You can enable Two step sign in by logging into your account and accessing your settings page. GoCardless offers either an authenticator app or SMS option for your 2-factor authentication method.
Enabling an authenticator app
- Scroll to the 2-factor authentication section and click on the button that reads Set up with an authenticator app.
- Open the authenticator app that you would like to use. This could be on your phone or on your laptop.
- Follow the instructions given by your chosen app to scan the QR code or enter the secret key. The app should give you a six-digit code, which you need to enter into the provided field, then click Submit.
- Once 2-factor authentication is set up, a recovery code will be generated. Keep the code safe: if you ever have problems using your phone or authenticator app, it will allow you to sign in to your account.
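How the secret key from the setup step turns into six-digit codes that expire quickly, shown as an added example that is not GoCardless code. It assumes the RFC 6238 defaults most authenticator apps use (HMAC-SHA1, 30-second step), which this article does not state; the secret is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays current (RFC 6238 default, an assumption)
DIGITS = 6   # the article says the app shows a six-digit code

def totp(secret_b32: str, unix_time: int) -> str:
    """Return the code an authenticator app would display at unix_time."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                      # restore stripped base32 padding
    key = base64.b32decode(s)
    counter = struct.pack(">Q", unix_time // STEP)  # which 30 s window we are in
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Service-side check: accept the current window plus a little clock drift."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    now = 1111111109
    code = totp(SAMPLE_SECRET, now)
    print("code shown by the app:", code)
    print("accepted one window later:", verify(SAMPLE_SECRET, code, now + 2))
    print("accepted with no drift allowance:",
          verify(SAMPLE_SECRET, code, now + 2, drift_steps=0))
```

Anyone who holds the secret key can generate valid codes, so the QR code and secret key deserve the same care as the recovery code.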
Enabling the SMS method
- Scroll to the 2-factor authentication section and click on the button that reads Set up with my phone.
- Enter your mobile phone number in the dialog window and click Submit. This will send an SMS (text message) to your phone with a code.
- Enter the code you received and click Submit.
- Once 2-factor authentication is set up, a recovery code will be generated. Keep the code safe: if you ever have problems using your phone or authenticator app, it will allow you to sign in to your account.
Done! You have 2-factor authentication enabled for your account.
How to disable 2-factor authentication on your GoCardless account
You can disable 2-factor authentication by logging into your account and accessing your settings page.
- Scroll to the 2-factor authentication section and click on Disable.
- You will be prompted for password confirmation and a 6-digit code that will be either generated on your authenticator app or sent to your phone via SMS, depending on which method you initially set up. Enter the password for your account user and the code, then click Submit.
Done! You have disabled 2-factor authentication for your account. Your settings should now look like this:
How to recover your account
Using recovery codes
Once 2-factor authentication is set up, you’ll be asked to enter a six-digit code that you’ll either receive on your phone or will be generated by your authenticator app, depending on the method you have set up. If you can’t access that six-digit code, you’ll be able to bypass and disable 2-factor authentication by entering the recovery code that was generated when you first set up 2-factor authentication.
If you have lost your recovery code
If you can no longer access your GoCardless account at all, please see this guide on initiating recovery.
Frequently asked questions
How often will I need to complete the 2-factor authentication process to access my account?
The 2-factor authentication process will reset every 14 calendar days if you select the "Remember me for 14 days" option when entering the verification code. However, if at any point you select the sign out option from the settings menu, you will be required to go through 2-factor authentication when you next log in to GoCardless.
Am I required to enable 2-factor authentication on my account?
We strongly recommend that you enable 2-factor authentication so that you have greater account protections.
Do all users on my account have their own 2-factor authentication?
Yes. If enabled, all users use their own device to complete the secondary authentication step when signing in.
As an administrator of my account, can I ensure that all users have 2-factor authentication enabled?
At present, you would need to oversee that this measure is implemented with all users of your organisation as required. In the future, as an organisation administrator, you will be able to enforce that all users within your organisation have 2-factor authentication enabled.
What happens if I lose my phone?
You will need to follow the recovery process outlined in the How to disable 2-factor authentication on your GoCardless account section above.
We recommend that you use the authenticator app as your primary method for two step sign in / Multi Factor Authentication (MFA).
If you can no longer access your GoCardless account at all, please see this guide on initiating recovery.