Ankra supports three second factors, managed from Profile → Authentication:

| Factor | What it is |
| --- | --- |
| Authenticator app (TOTP) | Six-digit codes from any authenticator app |
| Passkeys / security keys | WebAuthn — platform passkeys (Touch ID, Windows Hello) and roaming security keys |
| Recovery codes | One-time codes (XXXXX-XXXXX) for when you lose access to other factors |

Enrolling

1. Open Authentication settings

Click your profile avatar → Profile → Authentication. The two-factor card shows your current status.

2. Add an authenticator app

Click Set up authenticator app, scan the QR code (or enter the secret manually), and confirm with a code. On confirmation you receive your recovery codes — store them somewhere safe; each works once.

3. Add a passkey (optional but recommended)

Click Add passkey and follow your browser’s prompt. You can register multiple passkeys and security keys and remove them individually.

You cannot remove your last remaining factor while 2FA is active — add a replacement first.

Signing In with 2FA

After your password (or SSO), Ankra prompts for a second factor. Use a passkey with one tap, enter a TOTP code, or switch to Use a recovery code instead. Repeated failed attempts invalidate the pending login and you’ll need to start over.

Organisation-Enforced 2FA

Organisations can require 2FA for all members. If any of your organisations enforces it and you haven’t enrolled, Ankra shows a Secure your account to continue screen at sign-in and blocks the platform until you complete enrollment.

Managing 2FA from the CLI

The ankra profile auth commands mirror the UI:
ankra profile auth status                     # current 2FA state
ankra profile auth totp start                 # begin TOTP enrollment
ankra profile auth totp confirm <code>        # confirm and receive recovery codes
ankra profile auth recovery-codes regenerate  # fresh set of recovery codes
ankra profile auth passkeys list              # registered passkeys
ankra profile auth passkeys open              # open the browser page to add one
Passkey registration itself needs a browser (WebAuthn), so the passkeys open command deep-links you to the profile page. CLI logins that hit an MFA challenge complete in the browser and hand control back to the terminal automatically. Full command details are in the CLI reference.