Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of security by requiring agents to verify their identity using a time-based one-time password (TOTP) in addition to their regular login. 2FA in Askyura is scoped per tenant — each tenant maintains its own independent authenticator, so a security event in one tenant does not affect agent access in another tenant.
How 2FA Works in Askyura
Each tenant has its own isolated 2FA authenticator. This means:
- An agent who belongs to multiple tenants will have a separate authenticator for each tenant
- All workspaces under a tenant share that tenant's authenticator
- Setting up or verifying 2FA in Tenant A (including workspaces under that tenant) has no effect on the agent's 2FA status in Tenant B (including workspaces under that tenant)
Hierarchy rule: Tenant-level 2FA must be enabled before 2FA can be enabled for any workspace under that tenant.
If you attempt to disable tenant-level 2FA while one or more workspaces still have 2FA enabled, a warning will appear. You must disable 2FA on all workspaces first before disabling it at the tenant level.
Enabling 2FA
For tenant-level 2FA, navigate to the Tenant Dashboard and go to the Workspace menu. If you have the required permissions, you will find the toggle to enable or disable 2FA directly from that page.

For workspace-level 2FA, from the same Workspace menu, click View Details on the workspace you want to configure, then enable or disable 2FA from the workspace settings.
Tenant-level 2FA must be enabled first before you can enable 2FA for any workspace under that tenant.

First-Time 2FA Setup
When an agent switches to a workspace that requires 2FA and has not yet completed setup for that tenant, they will be prompted to complete the setup before proceeding.
Steps:
- A QR code is displayed directly on the screen
- Scan the QR code using an authenticator app (Google Authenticator, Authy, or similar)
- Enter the TOTP code from your authenticator app
- If the code is correct, setup is complete and you are redirected to the workspace
Backup Codes
After successfully completing 2FA setup, backup codes will also be generated. Store them somewhere safe — they are your recovery option if you lose access to your authenticator app.
- Each backup code can only be used once
- You can view your backup codes anytime from your profile settings
- Once all codes have been used, you can regenerate a new set
- Regenerating backup codes requires your current password for confirmation
Workspace Enforcement
Once tenant-level 2FA is enabled, authorized tenant agents can toggle the 2FA requirement per workspace independently.
- Agents switching to a workspace that requires 2FA will be prompted to complete setup if they haven't done so yet
- Agents who join a workspace that already has 2FA enabled are also subject to enforcement and must enter a TOTP code
- Agents moving from a workspace that requires 2FA to a workspace that does not require it can enter without being prompted
Recovery
Using a Backup Code
If you lose access to your authenticator app, you can recover using a backup code. For details on how backup codes are generated and managed, see First-Time 2FA Setup.
- On the 2FA verification prompt, select the recovery option
- Enter one of your backup codes
- If valid, you are granted access to the workspace automatically
