Two-factor authentication adds a second step to sign-in. Even if your password is leaked, an attacker cannot access your workspace without the rotating code from your authenticator app. We strongly recommend enabling two-factor authentication on every account that has access to production workloads.

Prerequisites

  • A Miget account with a password set, or a passwordless account that has access to its primary email.
  • An authenticator app on your phone or in your password manager. Compatible apps include 1Password, Bitwarden, Google Authenticator, Microsoft Authenticator, Authy, and any other app that supports TOTP (RFC 6238).

Enable two-factor authentication

  1. Sign in to app.miget.com and open your account settings.
  2. Open the Security tab.
  3. Click Enable two-factor authentication.
  4. Scan the QR code with your authenticator app, or copy the secret key into the app manually.
  5. Enter the 6-digit code shown by your authenticator app to confirm the setup.
  6. Save the recovery codes that Miget shows you. Store them in a password manager or another safe location. Each code can only be used once.
After confirmation, two-factor authentication is active immediately. The next time you sign in, Miget will ask for a 6-digit code after your password.
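
What an authenticator app computes from the secret key in step 4, shown as an added example (not Miget's code) that implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits. The sample secret is the RFC test key, and the one-step drift window in `verify` is an assumption, not a documented Miget setting.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample secret (the RFC 6238 test key, base32-encoded), written
# the way a setup screen might show it for manual entry. Not a Miget value.
SAMPLE_SECRET = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_secret(text):
    """Normalize a manually typed base32 secret: drop separators, uppercase, pad."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(key, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 with RFC 4226 truncation)."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key, code, at, drift_steps=1, step=30):
    """Check a submitted code against adjacent time steps to tolerate clock skew.

    The +/- one step window is an assumption for this example.
    """
    for delta in range(-drift_steps, drift_steps + 1):
        candidate = totp(key, at + delta * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate.encode(), code.encode()):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    print("current code:", totp(key, time.time()))
```

The code depends only on the secret and the clock, so anyone who holds the secret key can produce valid codes, and a device whose clock is off by more than the accepted window will be rejected.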

Sign in with two-factor authentication

  1. Enter your email and password as usual.
  2. When prompted, open your authenticator app and enter the current 6-digit code for Miget.
  3. If you cannot reach your authenticator, click Use a recovery code and enter one of the codes you saved when enabling two-factor authentication.

Recover access if you lose your device

If you lose access to the device with your authenticator app:
  1. Use one of the recovery codes you saved when you enabled two-factor authentication. Each code works once and is consumed on use.
  2. After you sign in, go back to Security and click Reset two-factor authentication to regenerate the secret on a new device. Save a fresh set of recovery codes.
If you do not have any recovery codes left, contact support at support@miget.com from the email address on the account. Recovery requires identity verification and may take up to one business day.

Enforce two-factor authentication across a workspace

Workspace admins can require two-factor authentication for every member of the workspace. Once enforcement is active, members without two-factor authentication enabled are prompted to set it up before they can access workspace resources.
  1. Open the workspace and go to Settings > Security.
  2. Find the Two-Factor Authentication Enforcement section and toggle it on.
  3. Pick an Enforcement timing: Immediately, In 3 days, In 7 days, In 14 days, or In 30 days. The timing is the grace period members have to enroll before they are blocked from the workspace.
  4. Click Update to save.
The same panel shows an aggregate count of enrolled members (for example, 3 of 8 members have two-factor authentication enabled), so you can pick a grace period that gives the rest of the team time to enroll. When enforcement is active:
  • Existing members who do not have two-factor authentication configured are blocked from workspace resources after the grace period expires.
  • New invites must complete two-factor authentication enrollment before they can use the workspace.
Turning enforcement off does not remove anyone’s two-factor authentication configuration. Each member remains enrolled until they disable it on their own account.

Disable two-factor authentication

  1. Open Account settings > Security.
  2. Click Disable two-factor authentication.
  3. Confirm with your current 6-digit code or a recovery code.
You can re-enable two-factor authentication at any time. We do not recommend disabling two-factor authentication on accounts with production access.

Best practices

  • Enable two-factor authentication on every account that has access to a workspace, not just admin accounts.
  • Store recovery codes in a password manager, not in plaintext on disk.
  • If you share an account (you should not), rotate the secret as soon as ownership changes.
  • Combine two-factor authentication with a strong, unique password. It is a second factor, not a replacement for password hygiene.