MFA (Multi-Factor Authentication)

What is MFA and how can you use it?

Written by Katharina Kos

Availability

Packages: Essential, Premium, Enterprise

User Roles: All roles

Multi-Factor Authentication (MFA) adds a second verification step to your sign-in. After entering your credentials, you confirm the login with a time-based code generated by an authenticator app. This protects your account even if someone knows your password.


How does Multi-Factor Authentication work?

MFA extends the standard sign-in with a second factor: a 6-digit code generated by an authenticator app on your smartphone. The MFA challenge itself is handled by the identity platform ZITADEL, which remberg is integrated with. remberg manages the setup, administration, and reset flow around it.

The exact login experience depends on whether you sign in with local credentials or through Single Sign-On (SSO). Depending on tenant configuration and login policy, MFA may also be enforced for all users.


Set up MFA (User)

You can enable MFA yourself from your account settings. You'll need an authenticator app on your smartphone (e.g. Google Authenticator, Microsoft Authenticator, or a comparable app).

  1. Open "My user profile" in the main menu on the left

  2. Click on the tab "Security"

  3. Choose "Enable Multi-Factor Authentication"

  4. A QR code is shown

  5. Scan the QR code with your authenticator app

  6. Enter the 6-digit code from the app

  7. Confirm the setup

MFA is now active for all future sign-ins.


Sign in With MFA

  1. Enter your usual credentials

  2. If MFA is required, you'll be prompted for a 6-digit code

  3. Open your authenticator app

  4. Enter the current code

  5. The login completes

💡 Note: MFA is not necessarily requested on every interaction. When you are prompted again depends on session duration and the login policy.


If You Lose Access to Your Device

If you've lost your phone or switched devices and can no longer generate codes, an admin reset is the standard recovery path:

  1. Contact an admin or your support contact.

  2. The admin resets MFA for your account.

  3. You can sign in again and re-enroll MFA with a new device.


Remove MFA Yourself (User)

As long as you still have access to your account, you can remove MFA from your account settings. Once you've lost access, only an admin reset is possible.

💡 Note: You can only disable MFA yourself if MFA has not been enabled as a mandatory requirement for the system.


Supported Methods

Method                          Status
Authenticator app / TOTP code   Supported
SMS codes                       Not supported
Email codes                     Not supported
Passkeys / WebAuthn             Not supported
Hardware security keys          Not supported
Recovery codes                  Not supported


Roles and Permissions

  • Users can register their own authenticator app and remove MFA themselves (My user profile > Security), as long as they still have access and MFA has not been made mandatory system-wide.

  • Admins can reset MFA for locked-out users (Settings > General > Users) and enable MFA as a system-wide requirement (Settings > Security > Authentication > Use Multi-factor authentication (MFA)).


FAQ

Can we secure login with MFA?

Yes. MFA is available through an authenticator app and can be enforced depending on tenant configuration.

Can users manage MFA themselves?

Yes. Setup and removal are self-service as long as the user still has access to their account. If MFA is set to mandatory in the system settings, the user cannot disable MFA on their own.

What happens if a user is locked out?

The standard recovery path is an admin reset. After the reset, the user can sign in and re-enroll MFA with a new device.

Do you support SMS or passkeys?

Not in the current setup. Only authenticator app codes (TOTP) are supported.

Why am I suddenly being asked for a code again?

This is usually normal behavior and depends on session duration and the login policy - not a malfunction.

My code is rejected as invalid, what can I do?

The most common causes are a mistyped code or a clock that is out of sync on your device: the code changes every 30 seconds and is computed from the current time, so a phone whose clock is off generates codes for a different time window than the one the server is checking. Check the time synchronization on your smartphone and try again with the next code.
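To show what "time-based code" and "time drift" mean in practice (the mechanism described under "How does Multi-Factor Authentication work?" and the cause behind this FAQ answer), here is an added example that is not remberg's or ZITADEL's code: a minimal RFC 6238 TOTP generator and a verifier that tolerates one 30-second step of clock skew on either side. The shared secret is the one from the RFC 6238 test vectors, not a key from any real account; the skew tolerance of one step is an assumption about how a typical server verifies, not a statement about ZITADEL's configuration.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890" in base32),
# the same format an enrollment QR code carries. Not a key from any real account.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # one code per 30-second window
DIGITS = 6             # the 6-digit code the article describes


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, server_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current window and skew_steps windows either side.

    The neighbour windows absorb small clock drift between phone and server; a
    phone that is minutes off still produces codes the server rejects (assumed policy)."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret_b32, server_time + k * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def code_from_drifted_phone(server_time: int, phone_offset_seconds: int) -> str:
    """The code a phone shows when its clock is phone_offset_seconds away from the server's."""
    return totp_code(RFC_SECRET_B32, server_time + phone_offset_seconds)


if __name__ == "__main__":
    now = 1111111111                      # RFC 6238 sample instant; the code here is 050471
    for drift in (0, -2, 45, 600):       # -2 s already straddles the window boundary at 1111111110
        code = code_from_drifted_phone(now, drift)
        verdict = "accepted" if verify_totp(RFC_SECRET_B32, code, now) else "rejected"
        print(f"phone drift {drift:+5d}s -> code {code} -> {verdict}")
```

A phone that is only a couple of seconds off can already show a different code than the server expects when the two clocks straddle a 30-second boundary; the one-step tolerance absorbs that, while a clock that is minutes off is rejected until it is resynchronized.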
