Two-Factor Authentication (2FA): Setup and Management

Learn how to enhance your app's security with two-factor authentication, protecting sensitive data and building user trust.

What you'll learn:

  • How to enable and configure 2FA for your application
  • Managing 2FA settings for individual users
  • Understanding the end-user experience and troubleshooting common issues

What is Two-Factor Authentication (2FA)?

Two-Factor Authentication (2FA) adds an essential security layer to your Knack application by requiring users to verify their identity through two different methods:

  1. Something they know (their password)
  2. Something they have (a mobile device with an authenticator app)

When 2FA is enabled, users must enter a time-sensitive verification code from their authenticator app after successfully entering their username and password.

Note: 2FA works with standard authenticator apps including Google Authenticator, Microsoft Authenticator, Authy, and other TOTP (Time-based One-Time Password) compatible applications.
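
Example (added here for illustration; not Knack's code): how a TOTP code is derived in the authenticator app and checked on the server, following RFC 6238. The 30-second step, 6 digits and SHA-1 are the RFC defaults and are assumed here, not confirmed for Knack; the verify() policy (one step of clock drift, no reuse of a code) is likewise an assumption.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (RFC 6238 default; assumed here)
DIGITS = 6   # code length shown by common authenticator apps (assumed)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: int) -> str:
    """What the authenticator app displays: HOTP of the current time step."""
    return hotp(secret, unix_time // STEP)


def verify(secret: bytes, code: str, unix_time: int,
           last_counter: int = -1, window: int = 1):
    """Server-side check. Returns the matched time step, or None.

    Accepts +/- `window` steps to tolerate clock drift on the phone, and
    refuses any step <= last_counter so a used code cannot be replayed.
    """
    current = unix_time // STEP
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        # Constant-time comparison of the expected and submitted codes.
        if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    enrolled = b"12345678901234567890"       # RFC 4226/6238 test secret
    re_enrolled = b"constructed-new-secret"  # constructed: secret after a reset
    code = totp(enrolled, 59)
    print(code)                              # code shown by the app
    print(verify(enrolled, code, 59))        # accepted
    print(verify(enrolled, code, 59, 1))     # same code again: refused
    print(verify(enrolled, code, 125))       # too old, outside the window
    print(verify(re_enrolled, code, 59))     # old enrollment no longer valid
```

Because the code depends only on the shared secret and the clock, a new enrollment (new QR code, new secret) makes codes from the old authenticator entry fail, and a phone clock that is off by more than the window causes otherwise correct codes to be rejected.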


Enabling 2FA for Your Application

Initial Setup & App-Wide Configuration

Follow these steps to enable 2FA for your entire application:

  1. Navigate to App Settings in your Knack Builder
  2. Select the User Logins tab
  3. Find the Two-Factor Authentication tab
  4. Select the checkbox to Enable
  5. Click Save Changes

Note: By default, when 2FA is enabled for your app, ALL users (existing and new) will be required to use 2FA. To disable 2FA for specific users, see below.


User-Specific Configuration

You can also disable 2FA for specific users after 2FA is enabled:

  1. Ensure that Two-Factor Authentication has been enabled for your app, as outlined above
  2. Then navigate to All Users in your Knack Builder
  3. Select the individual record you want to modify
  4. Click the ellipses (...) to bring up record options
  5. Select the Disable Two-Factor Authentication option
  6. Click Save Changes after reviewing the information

Managing the 2FA User Experience

User Setup Process

When a user is required to set up 2FA, they will follow this guided process:

  1. After logging in with their username and password, they'll see a 2FA setup screen
  2. Instructions will guide them to download an authenticator app if they don't have one
  3. A QR code will display for easy configuration
  4. The user scans the QR code with their authenticator app
  5. The user enters the verification code shown in their app
  6. Upon successful verification, 2FA setup is complete

Tip: Consider creating a support article or in-app instructions to help users through the 2FA setup process.

Login Flow With 2FA Enabled

Once 2FA is set up, the login process will include these steps:

  1. User enters their username and password
  2. If credentials are correct, they're prompted for their 2FA verification code
  3. User opens their authenticator app and enters the current code
  4. Upon successful verification, the user gains access to the application

Troubleshooting and Recovery Options

Helping Users Who Lose Access

As an app builder, you may need to help users who lose access to their authenticator device. Disable 2FA for that user, save the change, then re-enable 2FA for that user. The user will then be asked to re-configure their 2FA, as they did the first time they set it up.

  1. Navigate to All Users in your Knack Builder
  2. Select the individual record you want to modify
  3. Click the ellipses to bring up record options
  4. Select the Disable Two-Factor Authentication option
  5. Click Save Changes after reviewing the information
  6. Then, click the ellipses to bring up record options again
  7. Select the Edit User option
  8. Toggle the option to enable 2FA for the user
  9. Save

This will allow the user to re-configure 2FA the next time they log into a protected page.


Common Issues and Solutions

  • Issue: User lost access to their authentication device
    Solution: Reset 2FA for the user as explained above
  • Issue: API or automated access failing
    Solution: Consider disabling 2FA for specific service accounts

2FA with Other Authentication Methods

Single Sign-On Integration

If you use Single Sign-On (SSO) in your application:

  • Users authenticated via SSO will bypass 2FA requirements
  • SSO is considered a secure authentication method with its own protections
  • No additional configuration is needed for SSO users

API Access Considerations

For systems accessing your app via API:

  • Consider disabling the 2FA option for service accounts
  • For human users accessing via API, an additional parameter for 2FA verification is required when 2FA is enabled
  • Consider disabling 2FA for automated processes
  • If 2FA is enabled for a service account, and the correct authorization token is not included, there will be a 401 response

Frequently Asked Questions (FAQs)

  • Q) What happens when I copy/duplicate an app that had 2FA enabled?
    • A) 2FA credentials will not transfer to copied apps. If a user logs in with the same username/password in the copied app, they will be prompted with a QR code to set up 2FA on their authenticator app for the new Knack app.

Note: When duplicating an app that includes records, all 2FA codes for the original app will not work in the copied app. Users will need to set up new authentication codes for the duplicated app to gain secure access to those protected pages.

Need help? Contact our support team for assistance with 2FA configuration or troubleshooting.