Security & MFA

Enforce two-factor authentication across your workspace to protect access to your security data.

Overview

SecPortal supports TOTP-based two-factor authentication (MFA) that workspace owners can enforce for all users. When enabled, every user in the workspace must set up an authenticator app before accessing the dashboard or client portal.

Pro & Team only: MFA enforcement is available on Pro and Team plans. Starter plan users will see the toggle greyed out in Settings.

How to Enable MFA

  1. Go to Settings in your dashboard
  2. Find the Two-Factor Authentication (MFA) card
  3. Toggle the switch to Enabled
  4. All users in the workspace will now be required to set up MFA on their next login

Only the workspace owner can enable or disable MFA enforcement.

User Setup Flow

When MFA is enforced and a user signs in without a registered authenticator:

  1. After entering email and password, the user is redirected to the MFA Setup page
  2. A QR code is displayed: the user scans it with their authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, etc.)
  3. A manual entry key is also available for apps that don't support QR scanning
  4. The user enters the 6-digit code from their authenticator app to verify setup
  5. Once verified, the user is signed in and redirected to the dashboard or portal

Returning User Flow

For users who have already set up MFA:

  1. After entering email and password, the user is redirected to the MFA Verify page
  2. They enter the current 6-digit code from their authenticator app
  3. On successful verification, they are signed in normally

MFA verification is required once per session. Users stay signed in until they sign out or their session expires.

Supported Authenticator Apps

Any TOTP-compatible authenticator app works with SecPortal:

  • Google Authenticator
  • Authy
  • 1Password
  • Microsoft Authenticator
  • Bitwarden
  • Any other app that supports TOTP (RFC 6238)
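The setup flow above (QR code, manual entry key, 6-digit code) and the RFC 6238 compatibility note rest on the same small algorithm. The following is an added illustration, not SecPortal's code: it generates a shared secret, builds the otpauth:// URI that an enrollment QR code encodes, computes the code an authenticator app would show, and performs the server-side check with clock-drift tolerance, replay protection and constant-time comparison. The issuer name, account address and secret values in it are constructed for the example.

```python
# Added example: minimal RFC 6238 TOTP (over RFC 4226 HOTP). Not SecPortal's code.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS = 6   # the 6-digit code the setup flow asks for
STEP = 30    # seconds per time step (RFC 6238 default)


def new_secret_b32() -> str:
    """Fresh 160-bit shared secret, Base32-encoded: this is the 'manual entry key'."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes (Key URI format)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def _decode_secret(secret_b32: str) -> bytes:
    # Tolerate the spaces and lower case users type from a manual entry key.
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret_b32: str, unix_time: int) -> str:
    """What the authenticator app displays at the given time."""
    return hotp(_decode_secret(secret_b32), unix_time // STEP)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_counter: int = -1, window: int = 1):
    """Server-side check. Returns the matched time-step counter, or None.

    Accepts the current step plus `window` steps either side (clock drift),
    refuses any counter <= last_counter so an accepted code cannot be replayed
    (the caller persists the returned counter), and compares in constant time.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    secret = _decode_secret(secret_b32)
    counter = unix_time // STEP
    matched = None
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), submitted):
            matched = c  # no early return, so timing does not reveal which step matched
    return matched


if __name__ == "__main__":
    secret = new_secret_b32()
    print(provisioning_uri(secret, "alice@example.com", "SecPortal"))  # constructed account
    now = int(time.time())
    code = totp(secret, now)
    print("app shows", code, "-> server accepted counter", verify_totp(secret, code, now))
```

The returned counter is the value to store against the user; passing it back as `last_counter` on the next attempt is what stops a code that was accepted once from being accepted again within the same 30-second step.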

Where MFA is Enforced

When enabled, MFA is enforced on:

  • Dashboard: all consultant dashboard routes
  • Client Portal: all portal routes on your tenant subdomain

Auth pages (login, signup, password reset) and API routes are excluded to prevent redirect loops.
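The User Setup Flow, Returning User Flow and the exclusions above together define one per-request decision: let the request through, send the user to MFA setup, or send them to MFA verify. The following is an added example of that gating logic, not SecPortal's own middleware; the route paths, plan names and session fields are assumptions chosen to match the behaviour the page describes. It shows why the auth pages and the MFA pages themselves must be excluded (otherwise the redirect target would itself redirect, the loop the text mentions), why verification is a once-per-session flag, and why an enrolled user is let through once the owner disables enforcement.

```python
# Added example (not SecPortal's code): MFA enforcement decision per request.
from dataclasses import dataclass

# Assumed route layout. Auth pages, the MFA pages and API routes are excluded,
# so no redirect target can itself trigger another redirect.
EXCLUDED = ("/login", "/signup", "/reset-password", "/mfa", "/api")
LOGIN_PATH = "/login"
MFA_SETUP_PATH = "/mfa/setup"
MFA_VERIFY_PATH = "/mfa/verify"
PLANS_WITH_MFA = {"pro", "team"}   # Starter cannot turn enforcement on


@dataclass
class Session:
    authenticated: bool = False
    mfa_enrolled: bool = False   # user has a registered authenticator
    mfa_verified: bool = False   # a code was accepted earlier in this session


@dataclass
class Workspace:
    plan: str
    mfa_enforced: bool


def is_excluded(path: str) -> bool:
    """Exact match or sub-path of an excluded prefix ('/loginx' is not excluded)."""
    return any(path == p or path.startswith(p + "/") for p in EXCLUDED)


def mfa_decision(path: str, session: Session, workspace: Workspace):
    """Return ("allow", None) or ("redirect", target) for one request."""
    if is_excluded(path):
        return ("allow", None)
    if not session.authenticated:
        return ("redirect", LOGIN_PATH)
    # Enforcement applies only when the owner switched it on AND the plan allows it.
    # An enrolled user whose workspace later disabled MFA is simply let through.
    if not (workspace.mfa_enforced and workspace.plan in PLANS_WITH_MFA):
        return ("allow", None)
    if not session.mfa_enrolled:
        return ("redirect", MFA_SETUP_PATH)   # first login after enforcement
    if not session.mfa_verified:
        return ("redirect", MFA_VERIFY_PATH)  # returning user, new session
    return ("allow", None)


def follow_redirects(path: str, session: Session, workspace: Workspace, limit: int = 5):
    """Chase redirects from `path`; returns the list of visited paths and stops at `limit`.

    A correct exclusion list makes every chain end in at most one hop.
    """
    visited = [path]
    while len(visited) <= limit:
        action, target = mfa_decision(visited[-1], session, workspace)
        if action == "allow":
            return visited
        visited.append(target)
    return visited  # longer than `limit` means a redirect loop


if __name__ == "__main__":
    ws = Workspace(plan="team", mfa_enforced=True)
    for s in (Session(), Session(True), Session(True, True), Session(True, True, True)):
        print(s, "->", mfa_decision("/dashboard", s, ws), follow_redirects("/dashboard", s, ws))
```

`follow_redirects` is the check worth keeping in a test suite: remove `/mfa` from `EXCLUDED` and the chain for an un-enrolled user grows to the limit, which is exactly the redirect loop the exclusion list exists to prevent.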

Disabling MFA

The workspace owner can disable MFA enforcement at any time by toggling the switch off in Settings. Existing users who have already enrolled will still have MFA on their accounts but will no longer be required to use it. New users will not be prompted to set up MFA.

Lost Access

If a user loses access to their authenticator app, they should contact support at support@secportal.io. An administrator can reset their MFA factor so they can re-enrol with a new device.