CostLensMulti-Factor Authentication (MFA)

Multi-Factor Authentication (MFA)

Add a second layer of security to your CostLens account with a TOTP authenticator app or email one-time codes.

Updated June 20265 min read

Multi-Factor Authentication adds a second verification step after your password. Even if your password is stolen, an attacker cannot sign in without the code from your phone or email.

Setting up MFA

CostLens uses TOTP — the same standard used by Google, GitHub, and most banks. Any TOTP-compatible app works: Google Authenticator, Authy, Microsoft Authenticator, 1Password, Bitwarden.

Open Security settings

Click your avatar or name in the top-right → SettingsSecurity, then click Enable MFA under Two-Factor Authentication.

Scan the QR code

Open your authenticator app and scan the QR code. If you cannot scan it, click "Can't scan? Enter code manually" and type the secret key into your app instead.

Confirm with a code

Your app shows a 6-digit code that refreshes every 30 seconds. Enter the current code and click Confirm.

Save your backup codes

CostLens displays 8 one-time backup codes. Copy or print them now — they will not be shown again. Store them somewhere safe, outside your phone.

You have up to one hour to complete setup after scanning the QR code. If the session expires, start again — this is safe and will not create duplicate entries in your app.


Logging in with MFA

Once MFA is enabled, every login adds a verification step after your password:

  1. Enter your email and password as usual.
  2. CostLens redirects you to the Verification page.
  3. Open your authenticator app, enter the current 6-digit code, and click Verify.

Codes refresh every 30 seconds. A code that is 1–2 seconds old will still work — you do not need to wait for the next cycle. After 10 failed attempts in quick succession, verification locks temporarily to protect your account.


Email OTP

If you do not have your phone during login, you can receive a one-time code by email instead.

On the Verification page, click "Send code to my email". A 6-digit code is sent to your registered address within seconds. Each code is valid for 5 minutes and can only be used once. You can request up to 3 new codes per 15 minutes.

Check your spam folder if the email does not arrive within 30 seconds.


Backup Codes

Your 8 backup codes are your emergency access method if you lose your phone or cannot reach your authenticator app.

On the Verification page, click "Use a backup code", enter one of your saved 8-digit codes, and click Verify.

Each code works once only and is permanently deleted after use. Once all 8 are consumed, generate a new set by disabling and re-enabling MFA.

Store backup codes off your phone

If you lose your phone, you lose your authenticator app and anything stored on it. Keep backup codes somewhere separate — a password manager, an encrypted note, or a printed sheet in a secure location.

Locked out with no backup codes and no phone?

Contact your CostLens organisation administrator. They can assist with account recovery through a verified process.


Trusting a Device for 30 Days

After a successful MFA verification, check "Trust this device for 30 days" before clicking Verify. For the next 30 days, the same browser on the same device skips the MFA challenge entirely and goes straight to your dashboard.

Trust is tied to the browser and its cookie store. Clearing cookies, switching browsers, or opening an incognito window will require MFA again. Disabling MFA revokes all trusted devices immediately.

Suspected compromise

If you believe a trusted device has been compromised, disable MFA and re-enable it — this invalidates all trusted-device cookies at once.


Disabling MFA

Go to Settings → Security, click Disable MFA, and confirm. Your account returns to password-only login and all trusted devices are cleared.

If your organisation has mandatory MFA enabled, disabling it will block you from CostLens once your grace period expires. See When your organisation requires MFA below.


When Your Organisation Requires MFA

Admins can enforce MFA for everyone in the organisation. When mandatory MFA is turned on:

  • All users without MFA configured see a countdown banner on every page showing how many days remain in the grace period (usually 7 days).
  • You can use CostLens normally during the grace period.
  • After the grace period expires, users without MFA are blocked from the platform until they complete setup.

Admins are subject to the same requirement — set up your own MFA before enforcing it org-wide.

Regaining access after the grace period

Follow the steps in Setting up MFA above. Access is restored immediately once setup is complete.


Frequently Asked Questions

My 6-digit code says "invalid" but I typed it correctly. The most common cause is your phone's clock being slightly off. Open your phone's date/time settings, enable Set time automatically, and try again with the freshly generated code.

I got a new phone. How do I transfer MFA? Use your old phone's Export or Transfer accounts option before you lose access to it — Authy and Google Authenticator both have this. If you already lost your old phone, use a backup code to log in, then disable and re-enable MFA with your new phone.

I deleted my authenticator app by accident. Use one of your backup codes to log in. Then go to Settings → Security, disable MFA, and set it up again.

Can I use MFA on multiple devices? Yes. Apps like Authy, 1Password, and Bitwarden sync across devices. During setup, you can also scan the same QR code into multiple apps — all will generate valid codes simultaneously.

Does CostLens store my authenticator secret? Yes, but it is stored encrypted at rest and never transmitted in plain text. It is only used to validate the codes you enter.

What happens to trusted devices if I change my password? Trusted devices are unaffected by a password change. Only disabling MFA revokes them.

CostLens
Previous
Notifications
CostLens
Next
Support & Troubleshooting