TOTP help

What is a "prover"?

A prover stores a secret and knows the correct time.  Smart phone prover apps are a popular choice.

Which prover should I use?

Any prover is good but it must use these parameters:

T0
1970-01-01+00:00:00+0
TI
30
A
HMAC-SHA1
N
6

Most do, so give it a go with what you find.

If you're using Android, one option is:

Otp-authenticator OTP Authenticator

..which is available from F-Droid or the Play Store.

What if the prover is lost?

Some options to plan for this scenario are:

If you are stuck then get in touch with us but please be prepared to prove that you are authorised to access the account.

Can I enable both SMS MFA and TOTP at the same time?

Not at this time.  If both are enabled then only TOTP will be required for sign in.

Why does the "Enabled" link on the Settings page lead to the TOTP set up page?

For teams that need to configure multiple devices, the link to the set up page remains even after TOTP has been set up.

Can I generate a new secret?

No, because an unauthenticated user sitting down at a signed-in session could lock out all devices by re-generating the secret.

Can I turn off TOTP?

No, because an unauthenticated user sitting down at a signed-in session could disable TOTP.

If you need to disable TOTP for your account then please get in touch with us but please be prepared to prove that you are authorised to access the account.