> ## Documentation Index
> Fetch the complete documentation index at: https://docs.ankra.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Account Security & 2FA

> Protect your Ankra account with TOTP authenticator apps, passkeys and security keys, and one-time recovery codes.

Ankra supports three second factors, managed from **Profile** → **Authentication**:

| Factor                       | What it is                                                                       |
| ---------------------------- | -------------------------------------------------------------------------------- |
| **Authenticator app (TOTP)** | Six-digit codes from any authenticator app                                       |
| **Passkeys / security keys** | WebAuthn — platform passkeys (Touch ID, Windows Hello) and roaming security keys |
| **Recovery codes**           | One-time codes (`XXXXX-XXXXX`) for when you lose access to other factors         |

## Enrolling

<Steps>
  <Step title="Open Authentication settings">
    Click your profile avatar → **Profile** → **Authentication**. The two-factor card shows your current status.
  </Step>

  <Step title="Add an authenticator app">
    Click **Set up authenticator app**, scan the QR code (or enter the secret manually), and confirm with a code. On confirmation you receive your recovery codes — store them somewhere safe; each works once.
  </Step>

  <Step title="Add a passkey (optional but recommended)">
    Click **Add passkey** and follow your browser's prompt. You can register multiple passkeys and security keys and remove them individually.
  </Step>
</Steps>

<Note>
  You cannot remove your last remaining factor while 2FA is active — add a replacement first.
</Note>

## Signing In with 2FA

After your password (or SSO), Ankra prompts for a second factor. Use a passkey with one tap, enter a TOTP code, or switch to **Use a recovery code instead**. Repeated failed attempts invalidate the pending login and you'll need to start over.

## Organisation-Enforced 2FA

Organisations can require 2FA for all members. If any of your organisations enforces it and you haven't enrolled, Ankra shows a **Secure your account to continue** screen at sign-in and blocks the platform until you complete enrollment.

## Managing 2FA from the CLI

The `ankra profile auth` commands mirror the UI:

```bash theme={null}
ankra profile auth status                     # current 2FA state
ankra profile auth totp start                 # begin TOTP enrollment
ankra profile auth totp confirm <code>        # confirm and receive recovery codes
ankra profile auth recovery-codes regenerate  # fresh set of recovery codes
ankra profile auth passkeys list              # registered passkeys
ankra profile auth passkeys open              # open the browser page to add one
```

Passkey registration itself needs a browser (WebAuthn), so `passkeys open` deep-links you to the profile page. CLI logins that hit an MFA challenge complete in the browser and hand control back to the terminal automatically. Full command details are in the [CLI reference](/reference/cli/profile).
