
Two-Factor Authentication — Secure Every Login

December 5, 2025 · 3 min read

TOTP-based two-factor authentication is now available for all accounts. Team administrators can make it mandatory for every member of their team.

We've added TOTP-based two-factor authentication (2FA) to MyMonitor365. Any user can enable it from their account settings, and team administrators can make it mandatory for every member of their team.

Setup takes about 60 seconds: open My Account → Security, scan the QR code with any authenticator app (Google Authenticator, Authy, 1Password, and others all work), enter the 6-digit code to confirm, and save your recovery codes in a safe place. From that point, every login requires the authenticator code after your password.

When 2FA is mandatory for a team, users who have not enrolled are prompted to do so on their next login. They cannot access any part of the app until setup is complete. This makes it straightforward for security-conscious teams to enforce 2FA across the board without relying on individuals to opt in.

Recovery codes are generated at setup time and can be regenerated at any time from the Security settings page. Each code can only be used once. If a user loses their device, an administrator can reset their 2FA from the team user management page.

From a security standpoint, the TOTP verification endpoint is rate-limited to 5 attempts per 15-minute window to prevent brute-force attacks. Session IDs are regenerated on both successful password authentication and successful 2FA completion, preventing session fixation.
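The two controls described above, sketched as an added example (this is not MyMonitor365's code). The `Login` class, the sliding window, counting attempts per account rather than per session, and accepting the previous 30-second step for clock drift are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct

MAX_ATTEMPTS, WINDOW = 5, 15 * 60   # limits stated in the post

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F                      # dynamic truncation offset
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Login:
    """Hypothetical two-step login for one account; names are assumptions."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.attempts = []   # 2FA attempt times, kept per account so a new
                             # session does not reset the counter (assumption)
        self.session = {"id": secrets.token_hex(16), "state": "anonymous"}

    def _rotate(self, state: str) -> None:
        # A fresh ID at each privilege change means an ID planted before
        # login is never the one that ends up authenticated.
        self.session = {"id": secrets.token_hex(16), "state": state}

    def password_ok(self) -> None:
        self._rotate("awaiting_2fa")   # the password check itself is out of scope

    def verify_2fa(self, code: str, now: float) -> str:
        if self.session["state"] != "awaiting_2fa":
            return "denied"
        self.attempts = [t for t in self.attempts if now - t < WINDOW]
        if len(self.attempts) >= MAX_ATTEMPTS:
            return "rate_limited"      # refused before the code is compared
        self.attempts.append(now)
        # Current and previous step are accepted to tolerate clock drift.
        valid = any(hmac.compare_digest(code, totp(self.secret, now - d))
                    for d in (0, 30))
        if not valid:
            return "invalid"
        self._rotate("authenticated")
        return "ok"
```

Because the limit is checked before the comparison, even a correct code is refused once the window is exhausted, which caps guessing at 5 tries against a space of 1,000,000 six-digit codes per 15 minutes.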

Secure your account with two-factor authentication — takes about 60 seconds to set up.

Tags: Security, 2FA, TOTP