Two-Factor Authentication (2FA)

ClickHelp provides Two-Factor Authentication (2FA) to enhance account security by requiring two distinct forms of verification: your password and a time-sensitive code from an authenticator app.

With 2FA enabled, you'll need to enter a code from Google Authenticator or Microsoft Authenticator, or another TOTP-compatible app such as Duo Mobile, Authy, or LastPass, along with your password to log in. 

If you log into ClickHelp using SSO or login tokens, 2FA is not needed.

This feature is available with the Enterprise security add-on for the Growth and Professional pricing plans.

To get started with enabling 2FA, continue reading the steps below.

Global 2FA Settings

Admins can manage 2FA settings under Settings → Security → Two-factor authentication. Options include:

  • Enable/disable 2FA for the entire portal (disabled by default).
  • Set the max failed authentication attempts before an account is locked (default: 5).

Global two-factor authentication settings.

Admins should ensure that users store their backup codes securely.

Two-factor authentication is available only to Contributor accounts. Power Readers cannot use two-factor authentication. 

Setting Up 2FA for a User Account

Enabling 2FA

  1. Click your profile icon and go to My Profile → General → Two-factor authentication
    Setting up two-factor authentication in the user profile.
  2. Open an authenticator app of choice (e.g., Google Authenticator, Microsoft Authenticator).
  3. Choose one of the following setup methods:
    • Scan a QR code.
      Scan the QR code for the authentication app configuration.
    • Or enter a setup key manually into your authenticator app.
      Use the setup key to manually configure the authenticator app.
  4. Copy the 6-digit code generated by the app.
  5. Paste or type it into the Enter authentication code field and click Enable 2FA.
    Enter the authentication code from your app.

Success! 2FA is now enabled for your account.

Only individual users can enable 2FA for their own accounts — administrators cannot enable 2FA on behalf of specific users.

If 2FA is disabled globally, users will still see the 2FA setup option in their profiles, but they won’t be able to configure it. If 2FA was previously enabled and then disabled, any existing authentication codes will be ignored during login. 

Two-factor authentication in the user profile when it is disabled in the portal settings.

Disabling 2FA

  1. Click your profile icon and go to My Profile → General → Two-factor authentication
  2. Click Disable 2FA
    Disabling 2FA in the user profile.
  3. Click OK.

Admins can forcibly disable 2FA for any user if needed (e.g., if a user loses access to their authenticator app).

Reset Connection

  1. Click Reset 2FA to generate a new key.
    • After resetting, the old key can't be accessed anymore.
      Reset two-factor authentication.
  2. Set up 2FA again using the new key if needed.

Logging in with 2FA

If 2FA is enabled for a user:

  1. On the login page, enter your username and password.
  2. Enter the code from your authenticator app to complete authentication.
    Enter the authentication code to log in to the portal with 2FA enabled.

    The system accepts authentication codes from the current, previous, and next 30-second window.

  3. You're logged in!

Handling Account Lockout

  • After 5 failed authentication attempts, the user account will be locked.

  • Admins can manually unlock a locked account by opening the Contributor's profile and clicking Enable user (if the user is disabled). After that, they can optionally disable 2FA for the user in the user's 2FA settings.

You can configure the number of allowed attempts before lockout in Settings → Security → Two-factor authentication.
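
The three-window acceptance rule from "Logging in with 2FA" and the lockout rule above, sketched as a server-side check. This is an added example, not ClickHelp's code: it assumes RFC 6238 defaults (HMAC-SHA1), and the `Account` class, the `verify` function, the reset of the failure counter on success, and the replay check are hypothetical and not stated on this page.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per window (from the page)
DIGITS = 6         # code length (from the page)
MAX_FAILURES = 5   # portal default before lockout (from the page)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 code for one counter value; TOTP uses counter = time // STEP."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class Account:
    """Hypothetical per-user state kept by the server."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.locked = False
        self.last_counter = -1  # last accepted window (assumed replay guard)

def verify(account: Account, code: str, now: int) -> str:
    """Return 'ok', 'invalid' or 'locked' for a code submitted at Unix time now."""
    if account.locked:
        return "locked"
    current = now // STEP
    # Previous, current and next 30-second window, as the page describes.
    for counter in (current - 1, current, current + 1):
        if counter < 0 or counter <= account.last_counter:
            continue  # before the epoch, or a window already used
        expected = hotp(account.secret, counter)
        if hmac.compare_digest(expected.encode(), code.encode()):
            account.last_counter = counter
            account.failures = 0  # assumption: success resets the count
            return "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True  # an admin must re-enable the user
        return "locked"
    return "invalid"
```

With one window of tolerance on each side, a single code can be accepted for up to 90 seconds, which is why the sketch refuses a window that has already been used.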