Multi-factor authentication (MFA)
Overview
Multi-factor authentication (MFA) adds a second step to your DeepIntShield dashboard sign-in. After entering a correct email and password, you are asked for a one-time 6-digit code from an authenticator app on your phone. Even if a password is stolen or guessed, an attacker still cannot reach your account without that device.
DeepIntShield uses standard time-based one-time passwords (TOTP), so it works with any common authenticator app - Google Authenticator, Microsoft Authenticator, Authy, 1Password, and similar. Each user enables MFA on their own account from the account settings page; there is no external MFA vendor to sign up for and no data leaves your deployment.
When you turn MFA on, you also receive a set of single-use recovery codes you can use to sign in if you ever lose access to your authenticator app.
Key benefits
- Phishing-resistant second factor for password-based dashboard accounts.
- Works with any standard authenticator app - no proprietary client required.
- Self-contained - codes are validated inside your own deployment; no third-party MFA service.
- Recovery codes so you are not locked out if you lose your phone.
- Per-user opt-in that each member controls from their own account settings.
When to use it
Enable MFA when you want stronger protection for the dashboard than a password alone, for example:
- Accounts that can manage virtual keys, budgets, providers, or guardrail policy.
- Administrators and operators with broad access across workspaces.
- Any environment subject to security or compliance requirements that mandate a second factor for console access.
How a member enables MFA
MFA is enrolled per user from Account settings (the operator profile page). Each member follows these steps for their own account.
- Open your account settings and find the Two-factor authentication (MFA) row. Its badge shows Off when MFA is not yet enabled.
- Select Enable MFA. A dialog opens showing a Secret key.
- Add the account to your authenticator app. Either enter the displayed secret key manually, or use your app’s “scan / add account” option. Use the copy button next to the secret to paste it into apps that accept manual keys.
- Your authenticator app now shows a rotating 6-digit code. Enter the current code in the Authentication code field and select Confirm & enable.
- MFA is now on. The dialog immediately displays your recovery codes - store them somewhere safe (a password manager works well). Use Copy all to copy them, then select I’ve saved them.
After enabling, the Two-factor authentication (MFA) row shows an On badge, along with Recovery codes and Disable actions.
Signing in with MFA enabled
Once MFA is enabled on an account, the password sign-in flow gains a second step:
- Enter your email and password on the login screen and submit as usual.
- When the credentials are valid, a 6-digit code field appears with the prompt to enter the code from your authenticator app.
- Open your authenticator app, read the current 6-digit code for DeepIntShield, enter it, and submit. You are signed in.
If you do not have your authenticator app to hand, enter one of your recovery codes instead of the 6-digit code. Each recovery code works only once; after it is used it can no longer be used to sign in.
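As an added illustration of the second sign-in step and the single-use recovery codes described above (not DeepIntShield's own code), this Python example verifies an RFC 6238 TOTP code and falls back to recovery codes. The HMAC-SHA1 algorithm, 30-second step, one-step drift window, replay guard, `SecondFactor` class and sample values are assumptions.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP, DIGITS = 30, 6  # assumed: common authenticator-app defaults

def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 code for Unix time `at`, using HMAC-SHA1 (assumed algorithm)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate unpadded keys
    mac = hmac.new(key, struct.pack(">Q", int(at) // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def _digest(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-user verifier: TOTP first, then single-use recovery codes."""

    def __init__(self, secret_b32, recovery_codes):
        self.secret = secret_b32
        self.recovery = {_digest(c) for c in recovery_codes}  # keep hashes only
        self.last_step = -1  # newest time step already accepted

    def verify(self, submitted, now=None, window=1):
        now = time.time() if now is None else now
        submitted = submitted.strip()
        current = int(now) // STEP
        # Allow +/- `window` steps of clock drift, but never a step that was
        # already accepted: a code seen once cannot be replayed.
        for step in range(max(0, current - window), current + window + 1):
            expected = totp(self.secret, step * STEP).encode()
            if step > self.last_step and hmac.compare_digest(expected, submitted.encode()):
                self.last_step = step
                return "totp"
        if _digest(submitted) in self.recovery:
            self.recovery.discard(_digest(submitted))  # burn the code on first use
            return "recovery"
        return None

# Constructed sample data: the RFC 6238 test key ("12345678901234567890" in Base32).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
```
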
Managing recovery codes
From the Two-factor authentication (MFA) row (when MFA is On), select Recovery codes to issue a fresh set. You will be asked to enter a current authenticator code to authorize the change. A brand-new set of codes is generated and shown once.
Regenerate your recovery codes if you think the previous set may have been exposed, or after you have used several of them and want a full set again.
Disabling MFA
To turn MFA off, select Disable in the Two-factor authentication (MFA) row. You must confirm by entering a current authenticator code (a recovery code is also accepted, in case you have lost your authenticator). Once disabled, sign-in returns to password-only, and the stored authenticator secret is removed. You can re-enable MFA at any time, which generates a new secret and a new set of recovery codes.
Option reference
| Action | Where | What you provide | Result |
|---|---|---|---|
| Enable MFA | Account settings → Two-factor authentication row | A 6-digit code from your authenticator app | MFA turned on; recovery codes shown once |
| Sign in | Login screen | Email, password, then a 6-digit code (or a recovery code) | Authenticated session |
| Recovery codes | Two-factor authentication row (when On) | A current 6-digit code | A fresh single-use code set; previous set invalidated |
| Disable | Two-factor authentication row (when On) | A current 6-digit code or a recovery code | MFA turned off; authenticator secret cleared |
- Enroll on a device you carry day to day, and save your recovery codes in your password manager so you always have a backup factor.
- If you replace your phone, set up the authenticator on the new device first, or use a recovery code to sign in, then disable and re-enable MFA to bind a fresh secret to the new device.
- Encourage every member with elevated access to enable MFA; it is configured per user, so coverage depends on each person turning it on.
Next steps
- SSO with Google and other OIDC providers - for teams that sign in through an identity provider, where MFA is enforced by the IdP.
- Virtual keys - secure the API credentials your applications use to call the gateway.
- Budgets and limits - apply spend and rate controls on top of access control.