MFA enrollment

A user enrolls in TOTP-based multi-factor authentication by scanning a QR code with an authenticator app and verifying a code.

When this happens: You go to Profile — Security — Enable MFA, or you are forced to enroll due to role-based enforcement.

Step by step

  1. Go to Profile — Security — Enable MFA.

     EasyCRM generates a cryptographically random TOTP secret (160-bit). EasyCRM shows a QR code encoding otpauth://totp/CRM:{username}?secret={base32-secret}&issuer=CRM and a manual-entry key (base32).

  2. Scan the QR code with your authenticator app (or enter the manual key).

  3. Enter the current 6-digit TOTP code displayed by the authenticator app.

     EasyCRM checks the TOTP code with ±1 time-step tolerance. If the code is valid, EasyCRM stores the encrypted TOTP secret in the database. EasyCRM generates 10 one-time recovery codes (each 8 alphanumeric characters). EasyCRM shows the recovery codes with instructions: Save these codes in a safe place. Each code can only be used once. They allow you to log in if you lose access to your authenticator app.

  4. Acknowledge that you have saved the codes (checkbox: I have saved my recovery codes).

     EasyCRM hashes (bcrypt) each recovery code and stores the hashes. EasyCRM activates MFA on the account (). EasyCRM shows a confirmation: MFA has been successfully enabled.
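The server-side pieces of this flow, written as an added illustration rather than EasyCRM's own code: a 160-bit secret, the otpauth URI the QR code carries, TOTP verification with ±1 time-step tolerance (RFC 6238, HMAC-SHA1, 6 digits), and single-use recovery codes stored only as salted hashes. The example uses PBKDF2-HMAC from the standard library in place of bcrypt so that it runs without extra dependencies; the issuer name CRM and the helper names are assumptions.

```python
import base64, hashlib, hmac, secrets, string, struct, time
from urllib.parse import quote

TOTP_STEP = 30            # seconds per time-step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000   # stand-in for bcrypt in this example

def generate_secret() -> bytes:
    """160-bit random TOTP secret, as the enrollment flow describes."""
    return secrets.token_bytes(20)

def provisioning_uri(secret: bytes, username: str, issuer: str = "CRM") -> str:
    """otpauth URI in the shape the QR code encodes (issuer is an assumption)."""
    b32 = base64.b32encode(secret).decode()
    return f"otpauth://totp/{quote(issuer)}:{quote(username)}?secret={b32}&issuer={quote(issuer)}"

def totp_at(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over an 8-byte big-endian time-step counter with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"

def verify_totp(secret: bytes, code: str, now=None) -> bool:
    """Accept the code for the current step and one step either side (±1 tolerance)."""
    counter = int((time.time() if now is None else now) // TOTP_STEP)
    return any(
        hmac.compare_digest(totp_at(secret, c), code)
        for c in (counter - 1, counter, counter + 1) if c >= 0
    )

def generate_recovery_codes(count: int = 10, length: int = 8) -> list:
    """10 codes of 8 alphanumeric characters, from a CSPRNG."""
    alphabet = string.ascii_uppercase + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(count)]

def hash_recovery_code(code: str) -> dict:
    """Persist only a salted hash plus a used flag, never the plaintext code."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "used": False}

def redeem_recovery_code(stored: list, code: str) -> bool:
    """Single-use check: a matching, unused hash is consumed on success."""
    for entry in stored:
        candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), entry["salt"], PBKDF2_ROUNDS)
        if not entry["used"] and hmac.compare_digest(candidate, entry["hash"]):
            entry["used"] = True
            return True
    return False
```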

Other paths

Forced enrollment (role enforcement)

During login, EasyCRM detects that MFA is enforced for your role but you are not yet enrolled. EasyCRM takes you directly to step 2 with a banner: Your organization requires multi-factor authentication. Please complete setup to continue. The flow continues from step 3. You cannot navigate away until enrollment is complete.

User cancels enrollment

Click Cancel at any point before step 10. EasyCRM discards the generated secret and codes. MFA remains disabled. EasyCRM returns you to Profile — Security. If enrollment was forced (), cancellation is blocked; you must complete enrollment or log out.

If something goes wrong

Invalid verification code

If the code is invalid, EasyCRM shows: Invalid code. Please make sure you entered the latest code from your authenticator app and try again. You can retry entering the code. The QR code remains visible and the secret is not regenerated.

QR code scanning failure

If you cannot scan the QR code (camera issue, etc.), use the manual-entry key displayed below the QR code and enter it into the authenticator app manually. The flow continues from step 5.

Good to know

  • The TOTP secret is encrypted at rest using AES-256-GCM, with the key stored in a key vault.
  • Recovery codes are single-use; used codes are invalidated immediately.
  • MFA enrollment is mandatory before any further application access for enforced roles.