Two-factor Authentication (2FA)

Introduction

Two-factor authentication (2FA) adds an extra layer of security to your Holistics account.

Once enabled, Holistics will request an extra code along with your email and password during the authentication process. This code will be generated by an authenticator app (e.g., Authy, Google Authenticator, Microsoft Authenticator, etc.) installed on your phone, ensuring that only you can access your account.

Note

This doc covers 2FA for password-based authentication only. For SSO and Google login methods, set up 2FA with the respective identity provider.

2FA Setup (Users)

Enable 2FA

2FA for password authentication can be turned on by users or enforced by admins.

To set up 2FA, go to My Account > Security Settings and click Enable 2FA. Once enabled, you will be required to use 2FA on every password sign-in. Don't forget to save your backup codes so you can regain access if you lose your authentication device.

Disable 2FA

If 2FA isn’t enforced for the entire organization, users can turn off 2FA themselves. Go to My Account > Security Settings > click Disable 2FA.

After 2FA is disabled, the previous 2FA setup in the authenticator app and the old backup codes will no longer be valid.

If 2FA is enforced, or if you lose access to your account, only admins can disable 2FA for specific users on the User list page. If the organization still requires 2FA, those users have to set up 2FA again on their next sign-in.

2FA Recovery

Backup code

If you lose access to your authentication device, use a backup code to temporarily access Holistics. Click “Use a backup code to verify”.

Note: Backup codes should be used for recovery purposes only. Don’t rely on them as your regular two-factor authentication method.

Contact admin

If you also lose your backup codes, contact your admin to disable 2FA for you so that you can temporarily log in to Holistics.

Contact Holistics support

If the admin loses their 2FA and backup codes, and is the only admin, they should email Holistics support. Please cc at least 3 admins or managers in your company. Holistics will verify the information before restoring access to the account.

2FA Enforcement Company-wide (Admins)

Admins can enforce 2FA for password-based authentication across the entire organization.

Enable 2FA Enforcement

To enable 2FA enforcement, simply go to Admin Settings > Security > Enable Enforce Two-factor Authentication for password-based login.

Once enabled:

  • All existing users will be notified via email and an in-app banner, prompting them to set up 2FA. They can postpone the setup for up to 14 days. After that, they will be logged out and required to complete the setup.
  • Newly invited users are required to set up 2FA during account activation.

Info: Login mechanisms

  • If the login mechanism of the organization is set to Password & Google login, enforcing password authentication with 2FA forces all users to set it up, regardless of their current login method.
  • If the login mechanism is set to Google Only or SSO Only, enforcing 2FA for password authentication won’t be available.

Monitor 2FA Enforcement Progress

The admin can go to the Users list page to monitor the 2FA status of all users in the organization.

FAQs

Why am I forced to set up 2FA?

Your organization admin can turn on 2FA enforcement to require 2FA on password login for all users in the organization. Once it is enforced, users have 14 days to set up 2FA before it becomes required.

What should I do if I forget to save backup codes when setting up 2FA?

Currently, Holistics doesn’t support viewing backup codes after the 2FA setup flow. If you forget to save them, disable your current 2FA and set it up again right afterwards. Remember to save the backup codes during this new setup.

What should I do if I can't authenticate the 2FA code when trying to sign in?

Please follow the guidelines in the 2FA Recovery section to regain access to Holistics.

What should I do if I suspect that my account has been compromised?

If you think your account has been accessed without authorization, please follow these guides:

Can I change the 2FA setting?

Currently, Holistics doesn’t support changing an existing 2FA setup. As a workaround, disable 2FA and set it up again right afterwards. This means that:

  • You can register the new 2FA in your current authenticator app or switch to a different one.
  • A new list of backup codes will be generated.

Can the admin turn on 2FA Enforcement for Google or SSO login methods?

No, this can’t be done in Holistics. The 2FA enforcement setting in Holistics applies only to the password authentication method.

For Google or SSO, please go to the respective identity providers to enforce 2FA for those login methods. These resources may come in handy for you:

Can the admin turn on 2FA Enforcement by groups or roles?

No. Currently, Holistics only supports 2FA enforcement for all users in the organization.

Can the admin turn off 2FA for specific users?

Yes. The admin can disable 2FA for specific users, for recovery purposes only, when those users lose access to their authentication devices.

