MFA and account protection

Enabling multi-factor authentication for your account or enforcing it org-wide, plus recovery codes and what to do if you lose your device.

Updated 2 Jun 2026

Multi-factor authentication (MFA) makes account takeover dramatically harder. Even if a password is leaked, a second factor stops the attacker. Clment supports TOTP (Google Authenticator, Authy, 1Password, etc.) and backup codes.

Enabling MFA on your account

  1. Settings → Security → Enable multi-factor authentication.
  2. Scan the QR code with your authenticator app, or copy the secret manually.
  3. Enter the 6-digit code your app generates.
  4. Save the backup codes that appear next — these are your fallback if you lose the device.

That’s it. Next time you sign in (after your current session expires), Clment asks for a TOTP code in addition to your password.

Backup codes — read this first

Backup codes are one-time-use 8-digit codes that work in place of a TOTP code. You get 10 of them when you enable MFA. Store them somewhere your authenticator app can’t reach:

  • Password manager (1Password, Bitwarden, etc.) — a dedicated “MFA backup” note.
  • Printed copy in a safe — old-school but bulletproof.
  • NOT in your phone’s photos, screenshots folder, or on your laptop’s desktop.

Once you use a backup code, it’s invalidated. You can generate a fresh set at any time from Settings → Security → Regenerate backup codes — but the old ones stop working.
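To make the behaviour of the enrollment steps and this section concrete, here is an added, self-contained model of the server-side second-factor check (example code written for this article, not Clment’s implementation). It assumes the standard RFC 6238 TOTP that Google Authenticator and similar apps compute, a 30-second step with one step of clock drift allowed, and that backup codes are stored hashed; the names `SecondFactor`, `totp` and `_hash_code` are the example’s own.

```python
import hashlib, hmac, secrets, struct, time

TOTP_STEP = 30          # seconds per code, the RFC 6238 default (assumed here)
TOTP_DIGITS = 6         # the 6-digit code the authenticator app shows
BACKUP_CODE_COUNT = 10  # you get 10 backup codes when enabling MFA
BACKUP_CODE_DIGITS = 8  # backup codes are 8 digits


def totp(secret, at, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1 for the unix time `at` (what the app computes)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def _hash_code(code):
    # Assumption: only hashes of backup codes are stored, so a database leak does not leak usable codes.
    return hashlib.sha256(code.encode()).hexdigest()


class SecondFactor:
    """Per-account MFA state: the TOTP secret plus the set of unused backup codes."""
    def __init__(self):
        self.secret = secrets.token_bytes(20)   # the secret behind the QR code / manual entry
        self.backup_hashes = set()
        self.last_counter = -1                  # a TOTP step is accepted at most once (no replay)

    def regenerate_backup_codes(self):
        """Issue a fresh set of codes; the previous set stops working immediately."""
        codes = [str(secrets.randbelow(10 ** BACKUP_CODE_DIGITS)).zfill(BACKUP_CODE_DIGITS)
                 for _ in range(BACKUP_CODE_COUNT)]
        self.backup_hashes = {_hash_code(c) for c in codes}
        return codes   # shown to the user once; only the hashes are kept

    def verify(self, code, now=None):
        """Accept a current TOTP (one step of drift either way) or an unused backup code."""
        now = int(time.time()) if now is None else now
        if len(code) == TOTP_DIGITS:
            for drift in (-1, 0, 1):
                counter = now // TOTP_STEP + drift
                if counter > self.last_counter and hmac.compare_digest(
                        totp(self.secret, counter * TOTP_STEP), code):
                    self.last_counter = counter
                    return True
            return False
        h = _hash_code(code)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)   # one-time use: invalidated on success
            return True
        return False
```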

What if I lose my phone?

You have two options, in order of preference:

  1. Use a backup code to sign in, then disable MFA, set up a new device, and re-enable MFA. About 5 minutes total.
  2. Contact support if you have no backup codes. We can verify your identity via the account email + a few security checks and reset MFA.

This is why backup codes matter — without them, regaining access requires a support round-trip that can take a business day. Save the codes properly when you first enroll.

Enforcing MFA org-wide

Admins can require MFA for every user in the org:

Settings → Security → Require MFA → On.

Effects:

  • Existing users without MFA are walked through enrollment on their next sign-in. They can’t access any data until enrollment completes.
  • New users must enroll MFA during their first sign-in.
  • SSO-only users are exempt — their identity provider’s MFA policy applies. Forcing a second TOTP on top of an IdP’s existing MFA is redundant.

The exemption is important: if you require SSO via Microsoft Entra (and Entra requires MFA), don’t also turn on Clment’s Require-MFA — your users would get prompted twice.

Recovery code use cases

Beyond device loss, backup codes are useful for:

  • Travel — if you’re going somewhere without your usual phone (a remote site, hiking, etc.) and want to access Clment on a borrowed laptop, take a printed backup code.
  • Phone-on-fire scenario — your phone crashed mid-day and you need to sign in immediately.
  • Setup transition — moving from one authenticator app to another, a backup code bridges the gap.

Disabling MFA on your own account

Settings → Security → Disable multi-factor authentication.

You’ll be asked to enter your password and either a TOTP code or a backup code to confirm.

If org policy Require MFA is on, you can’t disable MFA — you can only re-enroll with a different device.

What MFA protects against (and doesn’t)

Protects against:

  • Stolen / leaked passwords.
  • Credential-stuffing attacks (re-used password from another breach).
  • Phishing that doesn’t account for a second factor (most kit-based attacks).

Doesn’t protect against:

  • Adversary-in-the-middle (AiTM) phishing that proxies your live sign-in and steals the session cookie after MFA has been completed.
  • Device theft with active session — if someone has your unlocked laptop and you’re already signed in, MFA isn’t between them and your data. Lock your laptop.
  • Insider threats — MFA doesn’t help if the threat is someone who already has legitimate access.
