Two-Factor Authentication
Enable TOTP-based 2FA to add an extra layer of security to your CAS accounts.
1. How 2FA Works
CAS uses Time-based One-Time Passwords (TOTP) for two-factor authentication. After entering your password, you provide a 6-digit code from your authenticator app.
Password (something you know) combined with a TOTP code (something you have).
Compatible apps: Google Authenticator, Authy, Microsoft Authenticator, 1Password
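How the 6-digit code is produced and checked, as an added example that is not CAS's own code: the client side computes the code exactly as an authenticator app does (RFC 6238 TOTP over HMAC-SHA1, 30-second steps), and the server side accepts one step of clock drift, compares in constant time, and refuses a code that was already used. The sample secret is the RFC 6238 test key, not a real CAS secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
# A real CAS secret is the manual key shown next to the QR code during setup.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / 30 s), as authenticator apps do."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    return hotp(key, unix_time // step)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                last_counter: int = -1, window: int = 1, step: int = 30):
    """Server-side check. Returns the matching time-step counter, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time, and
    refuses any counter at or before `last_counter`, so a code cannot be replayed
    within its validity window (the caller persists the returned counter).
    """
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code, "accepted at counter:", verify_totp(SAMPLE_SECRET, code, now))
```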
2. Enabling 2FA
1. Navigate to Security Settings. Go to User Portal → Profile → Security, or Admin → Users → Edit → 2FA.
2. Scan the QR Code. Open your authenticator app and scan the displayed QR code. If you can't scan, enter the manual secret key instead.
3. Enter Verification Code. Enter the 6-digit code from your authenticator app to confirm setup.
4. Save Recovery Codes. Download or copy the backup recovery codes and store them securely; they are your fallback if you lose your device.
3. Logging In with 2FA
When 2FA is enabled, the login flow adds an extra step:
1. Enter Credentials: email and password as usual.
2. 2FA Challenge: enter the 6-digit TOTP code.
3. Access Granted: the full JWT token is issued.
4. Recovery Codes
Each recovery code is single-use. If you've lost your authenticator device:
1. On the 2FA challenge screen, click "Use Recovery Code".
2. Enter one of your saved recovery codes.
3. After login, immediately set up 2FA again with a new device.
If you've lost both your device and recovery codes, contact an admin to disable 2FA on your account.
5. API Integration
When a 2FA-enabled user authenticates via the API, the password step returns a temporary token instead of the full JWT; the client then submits that temporary token together with a TOTP code to obtain the full token:
// Response from POST /api/sso/token
{
"requires_2fa": true,
"temp_token": "temp_eyJhbGci..."
}
// Request to POST /api/sso/verify-2fa
{
"temp_token": "temp_eyJhbGci...",
"totp_code": "123456"
}
// Response from POST /api/sso/verify-2fa
{
"success": true,
"token": "eyJhbGciOiJIUzI1NiIs..."
}