| Factor | What it is |
|---|---|
| Authenticator app (TOTP) | Six-digit codes from any authenticator app |
| Passkeys / security keys | WebAuthn — platform passkeys (Touch ID, Windows Hello) and roaming security keys |
| Recovery codes | One-time codes (XXXXX-XXXXX) for when you lose access to other factors |
Enrolling
Open Authentication settings
Click your profile avatar → Profile → Authentication. The two-factor card shows your current status.
Add an authenticator app
Click Set up authenticator app, scan the QR code (or enter the secret manually), and confirm with a code. On confirmation you receive your recovery codes — store them somewhere safe; each works once.
You cannot remove your last remaining factor while 2FA is active — add a replacement first.
Signing In with 2FA
After your password (or SSO), Ankra prompts for a second factor. Use a passkey with one tap, enter a TOTP code, or switch to Use a recovery code instead. Repeated failed attempts invalidate the pending login and you’ll need to start over.Organisation-Enforced 2FA
Organisations can require 2FA for all members. If any of your organisations enforces it and you haven’t enrolled, Ankra shows a Secure your account to continue screen at sign-in and blocks the platform until you complete enrollment.Managing 2FA from the CLI
Theankra profile auth commands mirror the UI:
passkeys open deep-links you to the profile page. CLI logins that hit an MFA challenge complete in the browser and hand control back to the terminal automatically. Full command details are in the CLI reference.