Two-factor authentication

Set up TOTP, manage recovery codes, and handle workspace 2FA enforcement.

Prerequisites

Before setting up two-factor authentication:

  • An active Nimriz profile with a verified email address.
  • An authenticator app installed on your mobile device. Compatible apps include:
    • Google Authenticator (iOS, Android)
    • Authy (iOS, Android, desktop)
    • 1Password (iOS, Android, desktop)
    • Microsoft Authenticator (iOS, Android)
    • Any TOTP-compatible authenticator app.
  • For workspace-level enforcement: you must be a Workspace Admin.

How TOTP works

Nimriz 2FA uses Time-based One-Time Passwords (TOTP). TOTP generates a new 6-digit code every 30 seconds using a shared secret key stored in your authenticator app. When you log in, Nimriz asks for the current code from your app. Since the code changes every 30 seconds and depends on the exact time, a captured code cannot be reused by an attacker.

The 6-digit code is valid for approximately 30 seconds. If your code is rejected, check that your device's clock is accurate (TOTP codes are time-sensitive; even a 60-second clock drift can cause failures).


Setting up TOTP

  1. Go to Dashboard → Settings → Profile.
  2. Find the Two-factor authentication section.
  3. Click Set up two-factor authentication.
  4. Nimriz displays a QR code.
  5. Open your authenticator app and scan the QR code. The app adds a new Nimriz entry and begins generating codes.
  6. Enter the current 6-digit code from your authenticator app to verify that setup worked correctly.
  7. Click Confirm.

Save your recovery codes before leaving this page. After enrollment is confirmed, Nimriz shows you a set of single-use recovery codes. Copy them and store them securely somewhere you can access even if your phone is unavailable (a password manager is ideal). These codes are your only option if you lose access to your authenticator app.


Recovery codes

Recovery codes are one-time-use backup sign-in codes for emergencies.

  • You receive one set of recovery codes immediately after TOTP enrollment.
  • Each code can only be used once; it is invalidated as soon as you use it.
  • Generating a new set of recovery codes immediately invalidates all previous unused codes. Do not generate new codes unless you need to (e.g., after using several and running low, or after a security concern).
  • Recovery codes are only displayed at generation time. Once you navigate away, they cannot be retrieved again.
  • Store them in a password manager or other secure offline location.
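The properties listed above (one set per enrollment, each code usable once, regeneration invalidating every earlier unused code, plaintext shown only at generation) follow from a simple server-side design, sketched here as an added example. It is not Nimriz's implementation; the code format (two groups of five hex characters), the count of eight, and the use of SHA-256 digests for storage are assumptions chosen for illustration.

```python
"""Single-use recovery code store: an added example, not Nimriz's implementation."""
import hashlib
import hmac
import secrets
from typing import List, Set


class RecoveryCodes:
    """Only SHA-256 digests are retained; the plaintext codes are handed back exactly
    once, from generate(), which is why they cannot be shown again later."""

    CODE_BYTES = 5   # 40 random bits per code (assumed length)

    def __init__(self, count: int = 8) -> None:  # count of 8 is an assumption
        self.count = count
        self._digests: Set[bytes] = set()

    @staticmethod
    def _normalize(code: str) -> str:
        # Accept the code however the user typed it: with or without the dash, any case.
        return code.strip().replace("-", "").lower()

    @classmethod
    def _digest(cls, code: str) -> bytes:
        # Codes are high-entropy random strings, so a plain hash (no salt, no slow KDF)
        # is enough to keep a leaked store from revealing the codes themselves.
        return hashlib.sha256(cls._normalize(code).encode()).digest()

    def generate(self) -> List[str]:
        """Create a fresh set. Replacing the digest set is what invalidates every
        previously issued code that was still unused."""
        codes = []
        for _ in range(self.count):
            raw = secrets.token_hex(self.CODE_BYTES)
            codes.append(f"{raw[:5]}-{raw[5:]}")
        self._digests = {self._digest(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume a code: returns True once for a valid unused code, False afterwards."""
        wanted = self._digest(code)
        match = next((d for d in self._digests if hmac.compare_digest(d, wanted)), None)
        if match is None:
            return False
        self._digests.discard(match)   # single use: the digest is gone for good
        return True

    def remaining(self) -> int:
        return len(self._digests)


if __name__ == "__main__":
    store = RecoveryCodes()
    issued = store.generate()          # the only moment the plaintext is available
    print("issued:", issued)
    print("first use:", store.redeem(issued[0]))    # True
    print("second use:", store.redeem(issued[0]))   # False
    store.generate()                                # new set: old unused codes now dead
    print("old code after regeneration:", store.redeem(issued[1]))  # False
```

The store never keeps the plaintext, so "only displayed at generation time" is not a policy choice layered on top but a consequence of the data model; the same holds for regeneration, which discards the old digest set rather than marking codes individually.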

How to use a recovery code

At the 2FA challenge screen after login, click Use a recovery code instead of entering your authenticator code. Enter one of your unused recovery codes. You are signed in, and that code is permanently consumed.

After using a recovery code to sign in, immediately review your 2FA setup. If you used a code because you lost your authenticator app, reconfigure TOTP with your new device as soon as possible.


The login challenge

When 2FA is enabled on your account, every sign-in requires a second step:

  1. Enter your email and password (or use Google/SAML).
  2. After primary authentication succeeds, you are presented with a 2FA challenge screen.
  3. Enter either:
    • The current 6-digit code from your authenticator app, or
    • One unused recovery code.
  4. After the challenge is satisfied, you are signed in to the dashboard.

Workspace-level 2FA enforcement

Workspace Admins can require all members of a workspace to have TOTP enabled.

Before enabling enforcement

Before enabling enforcement, you can review member compliance:

  1. Go to Settings → Team.
  2. Find the 2FA Enforcement section.
  3. View which members currently have 2FA enabled and which do not.

This preview step lets you communicate the requirement to non-compliant members before enforcement takes effect.

Enabling enforcement

  1. Go to Settings → Team → Two-Factor Authentication.
  2. Click Enable enforcement.
  3. Confirm your choice.

Enforcement takes effect immediately upon confirmation. There is no grace period.

What happens to non-compliant members

When enforcement is active and a non-compliant member attempts to log in or switch to the enforced workspace:

  • They are blocked from accessing workspace content.
  • They are shown a remediation flow prompting them to set up TOTP before continuing.
  • Once they complete 2FA enrollment and pass the challenge, their access is immediately restored.

API access: Workspace-scoped API requests from non-compliant members are also rejected when the target workspace enforces 2FA.

Disabling enforcement

Disabling workspace enforcement does not remove any member's existing TOTP setup. It only removes the mandatory requirement. Members who already have 2FA enabled continue using it; members who never set it up are simply no longer blocked.


Modifying or disabling your TOTP

To generate new recovery codes or to disable 2FA on your profile, Nimriz requires you to verify your identity first:

  1. Go to Settings → Profile → Two-factor authentication.
  2. Click the action you want (Regenerate recovery codes or Disable 2FA).
  3. Nimriz prompts for your current password and a valid authenticator code (or one unused recovery code).
  4. After verification, the action is applied.

This step-up verification protects against an attacker who has physical access to your unlocked browser session.


Troubleshooting

My 6-digit code is being rejected

  1. Clock drift: TOTP codes are time-dependent. If your device clock is off by more than 30–60 seconds, your codes may be invalid. Check your device's date and time settings and ensure automatic time synchronization is enabled.
  2. Wrong entry: confirm you are using the Nimriz entry in your authenticator app, not a code from a different account.
  3. Code expired: codes are valid for approximately 30 seconds. If you wait too long after the code generates, it may have already expired. Wait for the next code to generate and enter it immediately.

I lost my authenticator app

If you still have your recovery codes:

  1. At the 2FA challenge screen, click Use a recovery code.
  2. Enter one of your unused recovery codes.
  3. After signing in, immediately go to Settings → Profile → Two-factor authentication and reconfigure TOTP with your new device.

If you no longer have any valid recovery codes and cannot access your authenticator app, you must contact Nimriz support to request an account-level factor reset. Support will verify your identity through other means, remove your existing TOTP factor, and prompt you to set up a new one on your next login.

I am blocked from a workspace due to 2FA enforcement

The workspace you are trying to access requires 2FA and your profile does not yet have it enabled. Follow the on-screen remediation prompts to set up TOTP. Once you successfully enroll and complete the challenge, access to the workspace is restored automatically.

Workspace enforcement blocks access after I already had 2FA set up

This can happen if:

  • Your TOTP setup became invalid (e.g., you reset your phone without backing up the authenticator app).
  • An admin recently reconfigured the enforcement policy in a way that requires re-verification.

Use a recovery code to sign in, then reconfigure TOTP from Settings → Profile.
