
Protect your account with MFA

Turn on multi-factor authentication, save backup codes, and require MFA for everyone with an account role.

Goal

The strongest control you have over your TaskJuice account is a second sign-in factor. This page shows you how to turn on multi-factor authentication (MFA) for yourself, save the backup codes that let you in when your phone is unavailable, and (if you run an agency) require MFA for every staff member with an account role.

MFA applies to staff, the people who hold an account role: account-owner, account-admin, and account-member. Workspace clients who sign in to a branded portal are not staff and are never enrolled in account MFA.

When to use this

  • You want to add a second verification step to your own sign-in.
  • You lost or replaced the phone that holds your authenticator app and need new backup codes.
  • You are an owner or admin and want to require MFA across the whole agency.

Turn on MFA for yourself

MFA uses a time-based one-time password (TOTP) from an authenticator app. Any standard app works, including Google Authenticator, 1Password, and Authy. TaskJuice generates 6-digit codes on a 30-second cycle under the issuer name TaskJuice.

  1. Open your security settings

    Go to /account/security. The page is titled Security with the subtitle "Multi-factor authentication and recovery codes for your sign-in." Find the Multi-factor authentication card. A badge shows whether MFA is currently enabled or disabled.

  2. Start enrollment

    Select Set up MFA. A dialog opens with a QR code and the prompt "Scan the QR code with your authenticator app, then enter the 6-digit code it generates." A manual-entry key is shown next to the QR code in case your app cannot scan.

  3. Scan and verify

    Scan the QR code (or type the manual key) into your authenticator app. The app starts generating codes. Enter the current 6-digit code and select Verify and enable.

  4. Save your backup codes

    On success, a Save your backup codes dialog appears with 10 codes. Copy them somewhere safe before you close the dialog. Read the next section before you move on, because these codes are the only way back in if you lose your authenticator.

Once MFA is on, the card's buttons change to Regenerate backup codes and Disable MFA. Both actions require a current code from your authenticator to confirm.

Save and manage backup codes

Backup codes are your fallback when you do not have your authenticator app. TaskJuice issues exactly 10 codes, each 8 characters of lowercase letters and digits. Each code works once. The display dialog says: "Store these somewhere safe. Each code can be used once when you do not have access to your authenticator app."

Treat them like passwords. Store them in a password manager or another secure place, not in a note on the same phone that holds your authenticator. TaskJuice cannot show you these codes again after you close the dialog, because they are stored hashed and never in readable form.

To see how many you have left, check the Multi-factor authentication card on /account/security. It tracks your remaining backup codes along with whether MFA is enabled.

To replace your codes, select Regenerate backup codes and confirm with a current authenticator code. Regenerating creates a fresh set of 10 and the dialog warns: "Your existing backup codes will stop working immediately." Old codes stop working the moment you regenerate, so update wherever you stored them.

Regenerate after a single backup code is used

A backup code is single-use, but anyone who copied your list still holds the unused ones. If you ever use a backup code, or suspect your list leaked, regenerate the full set so the old codes stop working.
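The behaviour described in this section (10 single-use codes, stored only as hashes, all replaced on regeneration) can be modelled as below. This is an added Python sketch, not TaskJuice's code: the salted PBKDF2 hashing, its round count, and the `BackupCodeStore` class and its method names are assumptions, since the page only states that codes are stored hashed.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # per the page: lowercase letters and digits
CODE_COUNT, CODE_LENGTH = 10, 8                     # per the page: 10 codes, 8 characters each
PBKDF2_ROUNDS = 100_000                             # assumption: the page only says "stored hashed"


def _digest(code: str, salt: bytes) -> bytes:
    """Salted, slow hash so a leaked table does not reveal the short codes directly."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Hypothetical per-user store that keeps only hashes of the unused codes."""

    def __init__(self):
        self._salt = b""
        self._unused = []

    def regenerate(self):
        """Replace the whole set and return the plaintext codes for one-time display."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
                 for _ in range(CODE_COUNT)]
        self._salt = secrets.token_bytes(16)
        # Overwriting the list is what makes every old code stop working at once.
        self._unused = [_digest(code, self._salt) for code in codes]
        return codes

    def remaining(self):
        return len(self._unused)

    def redeem(self, candidate: str) -> bool:
        """Accept a code once: the matching hash is deleted so it cannot be replayed."""
        digest = _digest(candidate.strip(), self._salt)
        for index, stored in enumerate(self._unused):
            if hmac.compare_digest(stored, digest):
                del self._unused[index]
                return True
        return False
```

Because only hashes are kept, there is nothing to show again after the display dialog closes, and the remaining-code count is the length of the stored list.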

Sign in with a backup code

At sign-in, when your session requires MFA, you land on the verify screen titled Two-Factor Authentication with the prompt "Enter the 6-digit code from your authenticator app."

If you do not have your authenticator, select Use a backup code. The screen switches to Enter Backup Code with the prompt "Enter one of your 8-character backup codes." Type one of your unused 8-character codes and select Verify. That code is now spent. Selecting Cancel signs you out and returns you to /login.

Disable MFA

Select Disable MFA on the security card and confirm with a current authenticator code. The dialog warns "Your agency policy may still require it," because turning off your personal MFA does not override an account-wide requirement. If your agency requires MFA, you will be prompted to set it up again, so disabling is only useful when no account policy is in force.

Require MFA for everyone (owners and admins)

If you run an agency, you can require every staff member to enroll in MFA. This policy lives at the account level and is separate from your personal setup.

Only an account-owner or account-admin can view or change it. Account members who open the page get a 404.

  1. Open agency security settings

    Go to /settings/security. The page is titled Security with the subtitle "Agency-wide security policy. Applies to everyone with an account role."

  2. Turn on the requirement

    In the MFA Enforcement card, turn on Require MFA for all staff. The helper reads "Requires every staff member on this agency to complete MFA setup before continuing." This is off by default.

  3. Set a grace period

    A Grace period (days) field appears once the requirement is on. It is the number of days staff have to enable MFA after you set the policy. The default is 7 days, the maximum is 30, and 0 means immediate: staff must enroll before they can continue.

After you turn the policy on, staff who have not yet enrolled see an MFA Required banner across the account app. It reads "Your agency requires MFA for all staff. You have N day(s) to set it up" with a Set it up now button. When the grace period runs out, the banner reads "Your agency requires MFA for all staff. Set it up now to continue accessing your account," and unverified staff cannot continue until they enroll.

Check who has enrolled and reset a staff member

The same page has a Staff MFA Status card listing everyone with an account role, with columns for Email, Role, MFA status, and Actions. If a staff member loses access (a stolen phone, for example), select Reset MFA for their row. The action warns "This staff member will need to re-enroll in MFA on next sign-in. They will be notified by email."

The roster shows the first 500 staff members. If your account is larger, a banner reads "Showing the first 500 staff members. Contact support if you need to see the full roster."

Verify it worked

  • On /account/security, the Multi-factor authentication card shows the enabled badge and a non-zero backup-code count.
  • Sign out and back in: you reach the Two-Factor Authentication verify screen and a code from your authenticator app lets you through.
  • If you set an account-wide policy, sign in as a staff member who has not enrolled and confirm the MFA Required banner appears.

Troubleshooting

"MFA is not enabled on your account." You tried to regenerate backup codes before enrolling. Set up MFA first, then regenerate from the security card.

"A valid verification code is required to regenerate backup codes." The authenticator code you entered was wrong or expired. Open your app, wait for a fresh 6-digit code, and try again. TaskJuice accepts a code within about 30 seconds of the current one to allow for clock drift.

"MFA is already enabled. Disable it first to re-enroll." You tried to enroll again while MFA is already on. To start fresh, select Disable MFA, confirm with a current code, then set it up again.

Your codes never match. TOTP depends on your device clock. If codes are consistently rejected, make sure your phone's time is set automatically, then enter a fresh code.

You are out of backup codes and lost your authenticator. A staff member cannot self-recover here. Ask an owner or admin to select Reset MFA for you on /settings/security. You then re-enroll on your next sign-in.
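The two code-mismatch entries above ("wrong or expired" and "Your codes never match") both come down to the time step the code was generated in. The following added Python sketch, which is not TaskJuice's code, shows a 6-digit, 30-second TOTP check that tolerates one step of drift. HMAC-SHA1, the one-step window on each side, and the function names are assumptions; the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # per the page: 30-second cycle
DIGITS = 6          # per the page: 6-digit codes
DRIFT_STEPS = 1     # assumption: "about 30 seconds" modelled as one step either side

SECRET = b"12345678901234567890"  # RFC 6238 test key (constructed input, not a real secret)


def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 code for the time step that contains unix_time (HMAC-SHA1 assumed)."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: float) -> bool:
    """Accept the current step's code or a neighbouring step within DRIFT_STEPS."""
    ok = False
    for step in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        expected = totp(secret, server_time + step * STEP_SECONDS)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def accepted_with_phone_skew(secret: bytes, server_time: float, skew_seconds: float) -> bool:
    """Would a code generated on a phone whose clock is off by skew_seconds pass?"""
    phone_code = totp(secret, server_time + skew_seconds)
    return verify(secret, phone_code, server_time)
```

A phone that is 20 seconds off still lands in an adjacent step and passes, while a phone that is two minutes off produces codes from a step the server never checks, which is why setting the phone's time automatically fixes consistent rejections.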
