Two-factor authentication
Two-factor authentication (2FA) adds a second verification step when signing in with a local username and password. It protects your account if your password is stolen or leaked, because an attacker also needs access to your authenticator app to complete the login.
SSO users: if your org uses Okta, Entra ID, or another identity provider, you authenticate via that IdP, not via a local password. Your IdP’s MFA policy is the primary auth gate. Enabling 2FA on your local fremforge account adds a second layer on top of that, but it is not required when SSO is the login path. See OIDC SSO and SAML 2.0.
Set up 2FA
- Go to User settings → Security → Two-factor authentication (frem.sh/user/settings/security).
- Click Enroll.
- fremforge displays a QR code. Scan it with your authenticator app.
- Enter the six-digit code your app shows to confirm the pairing.
- Click Enable two-factor authentication.
Any TOTP-compatible app works. Recommended options that sync across devices or back up to an account, so you are not locked out if you lose your phone:
- 1Password, Bitwarden: TOTP alongside passwords; cross-platform.
- Microsoft Authenticator, Google Authenticator: first-party mobile authenticators with cloud backup.
- Ente Auth, 2FAS: open-source, end-to-end-encrypted alternatives.
Avoid authenticators without a cross-device sync or export path; if the device is lost, the recovery codes (next section) are the only way back in.
Save your recovery codes
Immediately after enabling 2FA, fremforge displays 10 single-use recovery codes. Each code can be used once in place of a TOTP when your authenticator is unavailable.
Save these codes before you close the page. Options:
- Print and store in a secure physical location.
- Save in a password manager (1Password, Bitwarden, or similar).
- Store in an encrypted file on a separate device.
Do not save them only in the device that has your authenticator app. If you lose that device, you lose both the TOTP and the codes.
After you navigate away from the setup page, the codes are not shown again. If you did not save them, regenerate a new set (see below) and store the new ones.
Sign in with a recovery code
If your authenticator is unavailable:
- Go to the login page at https://frem.sh/user/login.
- Enter your username and password as normal.
- On the 2FA prompt, click Use recovery code instead of entering a TOTP.
- Enter one of your saved recovery codes.
- Click Verify.
The code is consumed immediately and cannot be reused. You have at most 10 codes total. After using one, consider regenerating the set so you always have a full set in reserve.
Regenerate recovery codes
To generate a fresh set of codes:
- Go to User settings → Security → Two-factor authentication.
- Click Regenerate recovery codes.
- fremforge generates 10 new codes and displays them.
- Save the new codes immediately.
The old codes are invalidated the moment you regenerate. If you have unused old codes stored somewhere, they stop working. Only the newly generated set is valid.
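The single-use and invalidate-on-regenerate rules from the two sections above, modelled as a small server-side store. This is an added example, not fremforge's code: the `RecoveryCodes` class, the code format and the choice of SHA-256 for storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10  # the page states 10 codes per set


def _digest(code: str) -> bytes:
    # Normalise so "ABCD-1234" and "abcd1234" match, then hash.
    # Codes are high-entropy random values, so a fast hash is acceptable
    # here (unlike user-chosen passwords, which need a slow KDF).
    normalised = code.replace("-", "").strip().lower()
    return hashlib.sha256(normalised.encode()).digest()


class RecoveryCodes:
    """Hypothetical per-user store; keeps digests of unused codes only."""

    def __init__(self) -> None:
        self._unused: set[bytes] = set()

    def regenerate(self) -> list[str]:
        """Replace the whole set; every earlier code stops working."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = secrets.token_hex(8)  # 64 random bits, constructed format
            codes.append(f"{raw[:8]}-{raw[8:]}")
        self._unused = {_digest(c) for c in codes}  # old digests dropped
        return codes  # displayed once; plaintext is never stored

    def redeem(self, code: str) -> bool:
        """Accept a code at most once, comparing digests in constant time."""
        candidate = _digest(code)
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # consumed immediately
        return True

    def remaining(self) -> int:
        return len(self._unused)
```

Because only digests are kept, a lost set cannot be shown again; the only option is to issue a new one.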
If you lose both your authenticator and your recovery codes
Contact support@frem.sh with the subject line “2FA recovery request”. Include:
- Your org slug
- The email address registered to your account
- A brief description of how access was lost
Support verifies your identity out-of-band and responds within one business day per the support SLA. See Support for business hours and response targets.
2FA and SSO
When SSO is enforced for your org, members sign in at frem.sh/user/login?redirect_to=/<org> via the IdP. The local fremforge 2FA step only applies when signing in with a local username and password at frem.sh/user/login. For most SSO-enrolled members, local login is a fallback path rather than the everyday path.
Org owners retain local credentials even when SSO is enforced (see SSO break-glass). If you are an org owner, keep 2FA enabled on your local account and store recovery codes somewhere safe: you may need local login precisely when the IdP is unavailable.
Cross-references
- SSO break-glass: recovering org access when the IdP is unavailable
- OIDC SSO: configure IdP-based sign-in for your org
- SAML 2.0: SAML-based sign-in and how MFA interacts with it
- Support: how to contact support and response time expectations