Overview

Two-Factor Authentication (2FA) adds an additional security layer beyond username and password. Users must provide a second factor - typically a time-based one-time password (TOTP) from an authenticator app - to access Forest.
Recommended for All Users: 2FA significantly reduces the risk of unauthorized access, even if passwords are compromised.

Supported 2FA methods

Time-based One-Time Password (TOTP) apps generate 6-digit codes that change every 30 seconds:

  • Google Authenticator: Free app for iOS and Android
  • Microsoft Authenticator: Supports backup and cloud sync
  • Authy: Multi-device support with encrypted backups
  • 1Password: Password manager with built-in TOTP
  • Bitwarden: Open-source with TOTP support
  • LastPass Authenticator: One-tap push notifications

Backup codes

Recovery codes to use if you lose access to your authenticator app:
  • Generated during 2FA setup
  • One-time use only
  • Store securely (password manager or printed copy)
  • Can regenerate if needed
Save Your Backup Codes: Without backup codes or access to your authenticator, you’ll be locked out if your device is lost.

Enabling 2FA (for users)

Setup process

  1. Access Account Settings: Click your profile picture > Account Settings > Security
  2. Enable Two-Factor Authentication: Click the Enable 2FA button
  3. Scan QR Code:
       1. Open your authenticator app
       2. Tap “Add account” or the “+” button
       3. Scan the QR code displayed in Forest
     Or enter the setup key manually if you can’t scan
  4. Verify Setup: Enter the 6-digit code from your authenticator app to confirm it’s working correctly
  5. Save Backup Codes:
       1. Download or copy your backup codes
       2. Store them securely (password manager recommended)
       3. Check the box to confirm you’ve saved them
  6. 2FA Enabled: You’ll now be prompted for a code each time you log in

Manual setup key

If you can’t scan the QR code, use the manual setup key:
Setup Key: JBSWY3DPEHPK3PXP
Account: your-email@example.com
Type: Time-based

Using 2FA to log in

Login flow

  1. Enter Credentials: Enter your email and password as usual
  2. Enter 2FA Code: Open your authenticator app and enter the current 6-digit code
  3. Remember Device (Optional): Check “Trust this device for 30 days” to skip 2FA on this device
  4. Access Granted: You’re logged in to Forest

Using backup codes

If you don’t have access to your authenticator app:
  1. Click 'Use Backup Code': On the 2FA prompt, click the link to use a backup code
  2. Enter Backup Code: Enter one of your saved backup codes (case-insensitive)
  3. Code is Consumed: Each backup code can only be used once. Generate new ones if running low.

Trusted devices

Mark devices as trusted to skip 2FA for 30 days:
  • Use Case: Your primary work computer
  • Security: A secure cookie identifies the device
  • Removal: Go to Account Settings > Security > Trusted Devices to revoke
Public Computers: Never mark public or shared computers as trusted.

Enforcing 2FA (for admins)

Administrators can require 2FA for all users or specific roles.

Project-wide enforcement

Require 2FA for everyone:
  1. Navigate to Security Settings: Go to Project Settings > Security > Authentication
  2. Enable 2FA Requirement: Toggle Require Two-Factor Authentication to ON
  3. Set Grace Period: Choose how long users have to enable 2FA:
       • 24 hours (urgent)
       • 7 days (recommended)
       • 30 days (gradual rollout)
  4. Notify Users: Forest automatically emails users about the requirement
  5. Monitor Compliance: Track which users have enabled 2FA in Project Settings > Teams > Users

Role-based enforcement

Require 2FA only for specific roles:
// Example: Require 2FA for Admins and Editors
{
  "roles": {
    "admin": {
      "require2FA": true
    },
    "editor": {
      "require2FA": true
    },
    "viewer": {
      "require2FA": false  // Optional for viewers
    }
  }
}
Configuration:
  1. Go to Project Settings > Roles
  2. Edit each role
  3. Check Require 2FA for this role

Exceptions

Allow specific users to bypass 2FA requirement:
  • Use Case: Emergency access accounts, service accounts, external contractors
  • Configuration: Edit user profile > Security > Exempt from 2FA requirement
Best Practice: Minimize exceptions. If a user truly needs access, they should enable 2FA.

Managing 2FA

Regenerating backup codes

If you’ve used all your backup codes or lost them:
  1. Access Security Settings: Go to Account Settings > Security
  2. Regenerate Codes: Click Regenerate Backup Codes
  3. Enter 2FA Code: Verify with current authenticator code
  4. Save New Codes: Old codes are invalidated. Save the new ones securely.

Resetting your own 2FA

If you need to switch authenticator apps or devices:
  1. Disable 2FA: Go to Account Settings > Security > Disable 2FA
  2. Verify Identity: Enter your current 2FA code or a backup code
  3. Re-enable 2FA: Follow the setup process again with your new device/app

Admin: resetting a user’s 2FA

If a user loses access to their authenticator and backup codes:
Security Risk: Only reset 2FA after verifying the user’s identity through alternate means (video call, ID verification, etc.).
  1. Verify User Identity: Confirm the user’s identity (don’t rely solely on email, which could be compromised)
  2. Navigate to User Management: Go to Project Settings > Teams > Users
  3. Find User: Search for the user who needs 2FA reset
  4. Reset 2FA: Click user menu (…) > Reset Two-Factor Authentication
  5. Confirm Action: Confirm the reset. User must set up 2FA again at next login (if required).
  6. Log the Action: This action is automatically logged in audit logs for security tracking

2FA + SSO

How they work together

2FA and SSO can be used simultaneously for defense in depth:

For SSO Users

Enforce MFA at the IdP level: Disable Forest 2FA for SSO users to avoid double-prompting

For Password Users

Require Forest 2FA: These users don’t benefit from IdP security

Troubleshooting

Code not working

Problem: Authenticator app time is out of sync
Symptoms: Code is always rejected, even when entered correctly
Solution:
  1. Check your phone’s time settings
  2. Enable automatic time/date
  3. Try the next code (they change every 30 seconds)
For Google Authenticator:
  • Go to Settings > Time correction for codes > Sync now
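
Why a drifting phone clock causes this rejection, using the 6-digit, 30-second codes and the example setup key shown earlier on this page. This is an added example, not Forest's code: an RFC 6238 generator and verifier in which HMAC-SHA1 and the one-step tolerance window are assumptions, since the page does not state what Forest uses.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page


def totp(setup_key: str, unix_time: float) -> str:
    """RFC 6238 code for a Base32 setup key (HMAC-SHA1 is an assumption)."""
    b32 = setup_key.replace(" ", "").upper()
    key = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    counter = int(unix_time // STEP)              # number of 30 s steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(setup_key: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side (assumed policy)."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(setup_key, server_time + drift * STEP)
        ok |= hmac.compare_digest(expected, code)  # constant-time comparison
    return ok


def login_with_skewed_clock(setup_key: str, server_time: float, skew: float) -> bool:
    """Simulate a phone whose clock is `skew` seconds away from the server's."""
    code = totp(setup_key, server_time + skew)
    return verify(setup_key, code, server_time)


if __name__ == "__main__":
    key = "JBSWY3DPEHPK3PXP"    # the example setup key shown on this page
    now = 1_700_000_000         # constructed server time, 20 s into a step
    for skew in (0, 20, -25, 120, -300):
        result = "accepted" if login_with_skewed_clock(key, now, skew) else "rejected"
        print(f"phone clock off by {skew:+5d} s -> {result}")
```

A phone that is a few seconds off still lands in an adjacent step and is accepted; one that is minutes off produces codes the server never expects, which is why enabling automatic time resolves the problem.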
Problem: Entering an old or incorrect code
Solution:
  • Wait for the code to refresh in your app
  • Ensure you’re using the correct account (if you have multiple)
  • Check for typos (0 vs O, 1 vs l)
Problem: Removed app or factory reset phone without backing up
Solution:
  • Use a backup code if you have one
  • Contact your admin for 2FA reset
  • Admin must verify your identity before resetting

Can’t scan QR code

Solutions:
  1. Use Manual Entry: Copy the setup key and enter it manually in your authenticator app
  2. Try Different Device: Use a tablet or another phone to scan
  3. Check Camera Permissions: Ensure authenticator app has camera access
  4. Screenshot: Take a screenshot (secure it afterwards) and scan from photos

Lost backup codes

If you still have authenticator access:
  1. Log in with your authenticator code
  2. Regenerate new backup codes
  3. Save them securely
If you don’t have authenticator or backup codes:
  1. Contact your administrator
  2. Admin will verify your identity
  3. Admin can reset your 2FA
  4. Set up 2FA again immediately

Can’t log in after 2FA enforcement

Problem: 2FA was enforced but the user hasn’t set it up
Solution:
  1. Users receive a grace period to enable 2FA
  2. During the grace period, they’re prompted to set up 2FA
  3. After the grace period, they must set up 2FA before accessing
Admin Override:
  • Admin can temporarily exempt user from 2FA requirement
  • User can then log in and set up 2FA properly