
Multi-Factor Authentication (MFA)

Add an extra layer of security to your CastellanAI account with multi-factor authentication.

Why Use MFA?

Multi-factor authentication significantly enhances your account security by requiring a second form of verification beyond your password. Even if your password is compromised, unauthorized access is prevented.

Metric          Value
Risk Reduction  99.9% reduction in account compromise risk
Required For    Administrator and Security Analyst roles
Methods         Multiple authentication methods supported

Supported MFA Methods

Authenticator App

Use a time-based one-time password (TOTP) app for secure, offline authentication codes.

Supported Apps:

  • Microsoft Authenticator
  • Google Authenticator
  • Authy
  • 1Password

Hardware Security Key

Use a physical security key (FIDO2/WebAuthn) for the highest level of security.

Supported Keys:

  • YubiKey (5 Series)
  • Google Titan Security Key
  • Feitian ePass FIDO
  • Any FIDO2-compatible key

SMS or Email (Backup Only)

Receive verification codes via SMS or email. This is less secure than the other methods and is recommended for account recovery only.

warning

SMS/Email should be used as a backup method only. Prefer authenticator apps or security keys for primary authentication.

Setting Up MFA

Step 1: Navigate to Profile Settings

Go to your profile page and click the "Security" tab to access MFA settings.

Navigation Path: Profile → Security → Multi-Factor Authentication

Step 2: Choose Authentication Method

Select your preferred MFA method. You can configure multiple methods for redundancy.

tip

Best Practice: Set up at least two methods (e.g., authenticator app + security key).

Step 3: Complete Setup Process

Follow the on-screen instructions to complete setup for your chosen method:

For Authenticator App:

  1. Scan the QR code with your authenticator app
  2. Enter the 6-digit code from your app
  3. Save your backup codes in a secure location

For Security Key:

  1. Insert your security key when prompted
  2. Touch the key to activate it
  3. Provide a nickname for the key

Step 4: Save Backup Codes

Download and securely store your backup codes. These are one-time use codes for account recovery.

danger

Store backup codes in a secure location (e.g., password manager). Without them, account recovery requires administrator assistance.

Managing MFA Devices

View Active Devices

See all MFA devices associated with your account, including last used date and device nickname.

Profile → Security → Manage Devices

Add Additional Devices

Configure multiple authentication methods for redundancy. Recommended: 2-3 methods.

Profile → Security → Add New Method

Remove Devices

Remove lost or compromised devices. You must have at least one active MFA method (unless you're a Viewer).

Profile → Security → Manage Devices → Remove

Regenerate Backup Codes

Generate new backup codes if you've used all existing codes or suspect they've been compromised.

Profile → Security → Regenerate Backup Codes
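The backup-code lifecycle described in Step 4 and under "Regenerate Backup Codes" (codes are one-time use, and a new set replaces the old one when codes run out or are suspected compromised) is illustrated by the following added example. It is not CastellanAI's own code: the store layout, the 10-character code format, and the PBKDF2 parameters are assumptions chosen for the demonstration. The key property shown is that the server keeps only salted hashes, so a copy of the stored record does not yield usable codes, and that each code is consumed on first use.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from typing import List

# Assumed code format: 10 lowercase alphanumerics (~51.7 bits of entropy),
# displayed to the user as two groups of five, e.g. "k3x9p-2mq7v".
CODE_ALPHABET = string.ascii_lowercase + string.digits
CODE_LENGTH = 10
CODE_COUNT = 10
PBKDF2_ROUNDS = 100_000  # assumed work factor; slow on purpose


def _normalise(code: str) -> str:
    """Accept 'k3x9p-2mq7v', 'K3X9P 2MQ7V' or 'k3x9p2mq7v' as the same code."""
    return code.replace("-", "").replace(" ", "").lower()


def _hash_code(code: str, salt: bytes) -> bytes:
    """Salted, slow hash: a leaked table of stored hashes is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode(), salt, PBKDF2_ROUNDS)


@dataclass
class BackupCodeStore:
    """Server-side record for one account: hashes only, never the plaintext codes."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: List[bytes] = field(default_factory=list)

    def regenerate(self) -> List[str]:
        """Invalidate every existing code and return a fresh set to show the user once."""
        codes = [
            "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
            for _ in range(CODE_COUNT)
        ]
        self.salt = secrets.token_bytes(16)
        self.hashes = [_hash_code(c, self.salt) for c in codes]
        # Plaintext leaves this function exactly once, for display/download.
        return [f"{c[:5]}-{c[5:]}" for c in codes]

    def redeem(self, submitted: str) -> bool:
        """Consume one code. A code works exactly once; unknown codes are rejected."""
        candidate = _hash_code(submitted, self.salt)
        for index, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[index]  # one-time use: remove on successful redemption
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; a low count is the cue to regenerate."""
        return len(self.hashes)


if __name__ == "__main__":
    store = BackupCodeStore()
    fresh = store.regenerate()
    print("codes to save in a password manager:", fresh)
    print("first use accepted:", store.redeem(fresh[0]))
    print("reuse rejected:", store.redeem(fresh[0]))
    print("remaining:", store.remaining())
```

Regenerating also rotates the salt, so the old hashes cannot be matched against any previously issued code even if the record was copied before the reset.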

Troubleshooting MFA Issues

"Invalid code" error

  • Ensure your device time is synchronized (TOTP relies on accurate time)
  • Wait for the next code cycle (codes refresh every 30 seconds)
  • Check that you're entering the code from the correct account
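The "Invalid code" advice above (and the TOTP description under Supported MFA Methods) follows from how RFC 6238 derives a code from the shared secret and the current 30-second window. The following added example, which is not CastellanAI's code, implements that derivation and a verifier that tolerates one window of clock drift on either side, plus a support-style helper that reports how many windows a rejected code is off by. The drift tolerance of one step and the search depth of the helper are assumptions; the secret is the RFC 6238 reference key, used here only as constructed test input.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30    # seconds per code cycle, as in the troubleshooting note
DIGITS = 6        # code length shown in the setup steps
DRIFT_STEPS = 1   # assumed tolerance: accept the previous and next cycle too

# Constructed test secret: the RFC 6238 reference key "12345678901234567890",
# base32-encoded the way an authenticator app receives it from the QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // TIME_STEP
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, submitted: str, server_time: Optional[int] = None) -> bool:
    """Accept the code for the current cycle or any cycle within DRIFT_STEPS of it."""
    now = int(time.time()) if server_time is None else server_time
    for step in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate_time = now + step * TIME_STEP
        if candidate_time < 0:
            continue
        if hmac.compare_digest(totp_at(secret_b32, candidate_time), submitted):
            return True
    return False


def find_offset(secret_b32: str, submitted: str, server_time: int, max_steps: int = 10) -> Optional[int]:
    """Diagnostic: how many cycles the device clock is off, or None if the code never matches.

    A small non-zero offset points at clock skew on the device; no match within
    max_steps usually means the wrong account or the wrong secret was used.
    """
    for step in sorted(range(-max_steps, max_steps + 1), key=abs):
        candidate_time = server_time + step * TIME_STEP
        if candidate_time < 0:
            continue
        if hmac.compare_digest(totp_at(secret_b32, candidate_time), submitted):
            return step
    return None


if __name__ == "__main__":
    now = int(time.time())
    current = totp_at(DEMO_SECRET_B32, now)
    print("current code:", current, "accepted:", verify_totp(DEMO_SECRET_B32, current))
    # A device running two minutes slow produces a code four cycles old.
    stale = totp_at(DEMO_SECRET_B32, now - 4 * TIME_STEP)
    print("stale code accepted:", verify_totp(DEMO_SECRET_B32, stale),
          "offset:", find_offset(DEMO_SECRET_B32, stale, now))
```

The verifier compares codes with a constant-time comparison and never widens the window beyond the configured tolerance; a code that only matches several cycles away is reported by the diagnostic so the user can be told to fix the device clock rather than having the server accept it.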

Lost authenticator device

  • Use a backup code to log in
  • Remove the lost device from your account
  • Configure a new MFA method
  • If no backup codes available, contact your administrator

Security key not recognized

  • Ensure your browser supports WebAuthn (Chrome, Firefox, Edge, Safari 14+)
  • Try a different USB port
  • Check if the key requires a firmware update
  • Verify the key is FIDO2-compatible

Account locked after failed attempts

  • Wait 15 minutes for automatic unlock
  • Use the "Unlock Account" link in the login error message
  • Contact your administrator if unable to unlock

MFA Enforcement Policies

CastellanAI enforces MFA requirements based on user roles and access levels:

Role                MFA Required   Grace Period
Administrator       Required       7 days after account creation
Security Analyst    Required       7 days after account creation
Incident Responder  Recommended    30 days after account creation
Viewer              Optional       Not enforced

What's Next?