Multi-Factor Authentication

Multi-factor authentication (MFA) adds a second verification step to the login process. Even if a password is stolen, an attacker cannot access the account without also possessing the second factor. Novaza supports several MFA methods so users and administrators can pick the balance of security and convenience that fits their needs.

Supported Methods

  • Authenticator app (TOTP) — time-based one-time codes generated by apps such as Google Authenticator, Microsoft Authenticator, 1Password, or Authy
  • Security keys (WebAuthn / FIDO2) — hardware keys such as YubiKey and platform authenticators such as Touch ID, Face ID, and Windows Hello
  • Recovery codes — one-time backup codes printed or saved when MFA is first enabled, used when the primary factor is unavailable

SMS-based codes are not supported — they are vulnerable to SIM-swap attacks and are actively discouraged.

Enabling MFA

Individual users can enable MFA from Profile → Security:

  1. Click Add authentication method
  2. Choose authenticator app or security key
  3. Follow the enrollment flow (scan QR code, or register the hardware key)
  4. Save the recovery codes in a safe place

Users can enroll multiple methods — for example, a security key for daily use and an authenticator app as a backup.

Enforcing MFA

Administrators can require MFA at the workspace level:

  • Optional — users choose whether to enable MFA
  • Required for admins — privileged roles must enroll
  • Required for everyone — all users must enroll within a grace period

Once MFA is required, any user without an enrolled factor is redirected to the enrollment screen on their next login and cannot access the workspace until enrollment is complete.

Recovery

If a user loses their authenticator device or security key:

  • They can sign in with one of their recovery codes (each code works once)
  • If no recovery codes are available, an administrator can reset their MFA from the user detail page

A reset generates an audit log entry and notifies the user by email.
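A minimal model of the recovery flow described above (codes stored only as hashes, each accepted exactly once, and an admin reset that writes an audit entry and queues a user notification), added here as an illustration; it is not Novaza's code, and the `MfaUser` class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _hash_code(code: str) -> str:
    # Normalise so "ab12-cd34" and "AB12CD34" compare equal, then hash:
    # only the digest is stored, never the plaintext code. Codes are
    # 64 bits of CSPRNG output, so an unsalted SHA-256 is sufficient here.
    normalised = code.replace("-", "").lower()
    return hashlib.sha256(normalised.encode()).hexdigest()


@dataclass
class MfaUser:                      # hypothetical user record
    user_id: str
    code_hashes: set[str] = field(default_factory=set)   # unused codes only
    audit_log: list[dict] = field(default_factory=list)
    notifications: list[str] = field(default_factory=list)


def generate_recovery_codes(user: MfaUser, count: int = 10) -> list[str]:
    """Issue fresh codes; plaintext is returned once, only hashes are kept."""
    codes = [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]
    user.code_hashes = {_hash_code(c) for c in codes}
    return codes


def redeem_recovery_code(user: MfaUser, submitted: str) -> bool:
    """Accept a code at most once; comparison is constant-time per entry."""
    digest = _hash_code(submitted)
    match = None
    for stored in user.code_hashes:          # scan all, no early exit
        if hmac.compare_digest(stored, digest):
            match = stored
    if match is None:
        user.audit_log.append({"event": "recovery_code_rejected", "user": user.user_id})
        return False
    user.code_hashes.discard(match)          # single use: burn on success
    user.audit_log.append({"event": "recovery_code_used", "user": user.user_id,
                           "remaining": len(user.code_hashes)})
    return True


def admin_reset_mfa(user: MfaUser, admin_id: str) -> None:
    """Clear remaining codes; the reset is audited and the user is notified."""
    user.code_hashes.clear()
    user.audit_log.append({"event": "mfa_reset", "user": user.user_id, "by": admin_id})
    user.notifications.append(f"MFA for {user.user_id} was reset by {admin_id}")
```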

Session Lifetime

MFA verification is remembered for the length of the user’s session. By default, sessions expire after 12 hours of inactivity or after 7 days in total — administrators can shorten these values on Enterprise plans.

© 2026 Novaza. All rights reserved.