Multi-factor authentication (MFA) adds a second layer of security to user accounts beyond the password. MFA is a fundamental security control required by every compliance framework LowerPlane supports.

Why MFA Matters

MFA is consistently among the most effective controls against unauthorized access. It is also one of the first things auditors verify:
Framework    MFA Requirement
ISO 27001    A.9.4.2 — Secure log-on procedures including multi-factor
SOC 2        CC6.1 — Logical access security with multi-factor authentication
HIPAA        164.312(d) — Person or entity authentication
GDPR         Article 32 — Appropriate technical and organizational measures
PCI-DSS      8.3 — Secure all individual non-console administrative access with MFA

Enabling MFA for Your Account

Each user can enable MFA from their personal account settings.
  1. Open account settings: Click your avatar or name in the top right corner and select Account Settings or Security.
  2. Click Enable MFA: In the security section, click Enable Multi-Factor Authentication.
  3. Scan the QR code: Open your authenticator app (Google Authenticator, Authy, 1Password, or any TOTP-compatible app) and scan the QR code displayed on screen.
  4. Enter the verification code: Type the 6-digit code from your authenticator app to verify the setup is working.
  5. Save backup codes: LowerPlane generates a set of one-time backup codes. Save these in a secure location. You will need them if you lose access to your authenticator app.
Store your backup codes securely (password manager or printed in a safe location). If you lose access to your authenticator app and do not have backup codes, you will need an organization admin to reset your MFA.

Supported Authenticator Apps

LowerPlane uses the Time-based One-Time Password (TOTP) standard, which is compatible with:
  • Google Authenticator (iOS, Android)
  • Authy (iOS, Android, Desktop)
  • 1Password (built-in TOTP support)
  • Microsoft Authenticator (iOS, Android)
  • Bitwarden (built-in TOTP support)
  • Any other TOTP-compatible authenticator app
SMS-based MFA is not supported. TOTP authenticator apps are more secure than SMS, which is vulnerable to SIM-swapping and interception attacks.

Backup Codes

Backup codes are single-use codes that let you sign in when your authenticator app is unavailable:
  • LowerPlane generates a set of backup codes when you enable MFA.
  • Each code can only be used once.
  • You can regenerate a new set of codes at any time from your account settings (this invalidates the previous set).
  • Use a backup code in place of the TOTP code during sign-in.
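The following added example (not LowerPlane's code) shows what the TOTP standard and the single-use backup codes described above mean in practice: how an authenticator app derives a 6-digit code from the secret carried in the QR code, why a server accepts one adjacent 30-second step for clock drift, and how a backup-code set can be stored as hashes, consumed once, and invalidated on regeneration. The secret is the RFC 6238 test vector; the backup-code class is an illustrative design, not LowerPlane's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test secret ("12345678901234567890" in base32), a constructed example of
# the shared secret an authenticator app stores after scanning the QR code.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate small clock drift."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + drift * 30), submitted):
            return True
    return False


class BackupCodes:
    """Single-use backup codes (hypothetical design): only hashes are kept server-side,
    each code works once, and regenerate() invalidates the previous set."""

    def __init__(self, count: int = 8):
        self.plain: list[str] = []     # shown to the user once, then discarded
        self._hashes: set[str] = set()
        self.regenerate(count)

    def regenerate(self, count: int = 8) -> list[str]:
        self.plain = [secrets.token_hex(4) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in self.plain}
        return self.plain

    def consume(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)   # a used code can never be replayed
            return True
        return False
```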

Organization-Wide MFA Enforcement

Admins and Owners can require MFA for all users in the organization.
  1. Navigate to Settings > Security or MFA: Open the security settings page.
  2. Enable MFA enforcement: Toggle Require MFA for all users to on.
  3. Set the grace period: Optionally set a grace period (e.g., 7 days) to give existing users time to set up MFA before enforcement takes effect.
  4. Save the setting: Click Save. Users without MFA will be prompted to set it up on their next login.
When MFA is enforced:
  • Users who have not enabled MFA will be required to set it up before accessing any other page.
  • New users will be prompted to configure MFA during their first login.
  • The enforcement cannot be bypassed by individual users.
Enable MFA enforcement early in your compliance journey. It is much easier to roll out MFA when your team is small. Waiting until audit time creates unnecessary urgency.

Monitoring MFA Status

Admins can view MFA enrollment status for all users:
  1. Go to Settings > Users.
  2. The user list includes a 2FA Status column showing whether each user has MFA enabled.
  3. Filter the list by MFA status to identify users who have not yet enrolled.

Resetting a User’s MFA

If a user loses access to their authenticator app and backup codes:
  1. An admin navigates to Settings > Users.
  2. Find the affected user and click Reset MFA.
  3. Confirm the reset. The user’s MFA is disabled.
  4. The user must set up MFA again on their next login (immediately if enforcement is active).
Verify the user’s identity through a secondary channel (phone call, in-person) before resetting their MFA. An unauthorized MFA reset could allow account takeover.

MFA and Compliance Evidence

LowerPlane automatically generates evidence related to MFA:
  • MFA enrollment rate — Percentage of users with MFA enabled (target: 100%)
  • MFA enforcement policy — Whether organization-wide enforcement is active
  • MFA enrollment events — Timestamps of when each user enabled MFA
These data points feed into automated compliance tests and are available for audit packages.

Best Practices

  • Enforce MFA for all users without exception. A single account without MFA is a compliance gap.
  • Use authenticator apps, not SMS. TOTP apps are more secure and are the industry-standard recommendation.
  • Require backup codes to be saved. Remind users during onboarding to store backup codes securely.
  • Combine MFA with SSO. When SSO is configured, MFA can be enforced at the identity provider level for an additional layer of security.
  • Review MFA status in access reviews. Include MFA enrollment as a check in your quarterly access review process.