This page answers common questions about setting up and using two-factor authentication (2FA) in Rocket.Chat. For step-by-step setup instructions, see the Two-Factor Authentication User Guide.
Setup & access
Why don't I see "Two Factor Authentication" under Security?
Your workspace administrator hasn't enabled the feature yet. See Two-Factor Authentication Configuration for the steps an administrator needs to take.
Can I use both TOTP and email 2FA at the same time?
Yes, if your workspace allows both methods. You can enable each independently from your Security settings.
When both are active, you can choose which code to use at login.
Do I have to enter a 2FA code every time I log in?
Not necessarily. After a successful 2FA verification, you won't be asked for a code again for a period set by your workspace administrator (30 minutes by default). This is controlled by the Remember Two Factor for (seconds) workspace setting.
I'm getting 2FA emails but I don't remember enabling it. Why?
By default, email-based 2FA is enabled for any user who signs up with an email address. To disable it from your account settings, see Disable 2FA via email in the user guide. Note that if you turn off email 2FA without enabling TOTP, your account is protected by your password alone.
TOTP
Why isn't a QR code showing after I toggled on TOTP?
The QR code, manual setup code, and verification field are generated only after the toggle is switched on. If the screen stays blank, refresh the page and toggle the option on again.
What if I can't scan the QR code?
Use the alphanumeric setup key shown above the QR code. Most authenticator apps offer an "Enter a setup key" or "Enter manually" option; paste the key there. The result is identical to scanning, because the QR code simply encodes that same key (the shared secret). Treat the key like a password: anyone who copies it can generate your codes, so don't keep it in a screenshot, chat message, or note.
Why is my 6-digit code being rejected?
TOTP codes change every 30 seconds, so enter the one currently displayed and submit it promptly. If codes keep failing, your phone's clock is probably out of sync: set it to automatic (network) date and time. If the problem continues, ask your administrator about the Maximum Delta setting, which widens the server's acceptance window (tokens are valid for 30 × Maximum Delta seconds) to absorb small clock differences between clients and the server. Administrators should keep this value small: every extra step of tolerance also extends how long a code observed by someone else stays usable.
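The following Python script is an added illustration, not Rocket.Chat's code, of why the manual setup key and the QR code are interchangeable, why a code changes every 30 seconds, and how a server-side tolerance window decides whether a code from a slow phone is accepted. It uses the RFC 6238 test secret (ASCII "12345678901234567890") and only the standard library. The Maximum Delta setting is modelled as accepting codes from up to that many 30-second steps before or after the server's own step; that mapping is an assumption made for the example, so check the server documentation for the exact semantics.

```python
"""RFC 6238 TOTP walk-through: setup key == QR secret, 30-second steps,
and a clock-skew tolerance window. Added example, not Rocket.Chat's code."""
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the period authenticator apps use by default
CODE_DIGITS = 6    # Rocket.Chat prompts for a 6-digit code

# RFC 6238 Appendix B test secret and its base32 form. The base32 string is
# exactly what a "manual setup key" shown under a QR code contains.
RFC_SECRET = b"12345678901234567890"
RFC_SETUP_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_setup_key(key: str) -> bytes:
    """Turn the alphanumeric setup key into the raw shared secret.
    Apps ignore spaces and case; base32 '=' padding may need restoring."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = CODE_DIGITS) -> str:
    """TOTP is HOTP with counter = floor(time / 30): a new code each step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, server_time: int, max_delta: int = 1) -> bool:
    """Server-side check. Accept the code if it matches the server's current
    step or any step within +/- max_delta of it (assumed Maximum Delta
    semantics). Length is fixed so a short code cannot shrink the search
    space, and compare_digest keeps the comparison constant-time."""
    if len(code) != CODE_DIGITS or not code.isdigit():
        return False
    current = server_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret, current + delta), code)
        for delta in range(-max_delta, max_delta + 1)
    )


def skew_demo(phone_seconds_behind: int, max_delta: int) -> bool:
    """A phone whose clock lags the server by N seconds generates its code;
    does the server accept it under the given window?"""
    server_time = 1_111_111_111  # fixed server clock (RFC 6238 test time)
    phone_code = totp(RFC_SECRET, server_time - phone_seconds_behind)
    return verify_totp(RFC_SECRET, phone_code, server_time, max_delta)


if __name__ == "__main__":
    # Same secret whether you scan the QR or type the key:
    print("key decodes to RFC secret:", decode_setup_key(RFC_SETUP_KEY) == RFC_SECRET)
    print("code at T=59 (RFC vector 287082):", totp(RFC_SECRET, 59))
    for behind in (0, 2, 40, 90):
        for delta in (0, 1, 3):
            print(f"phone {behind:>2}s slow, window +/-{delta}: accepted={skew_demo(behind, delta)}")
```

Note that the window is counted in 30-second steps, not seconds: because the server time in the demo sits at the very start of a step, a phone only 40 seconds slow already produces a code two steps old and is rejected with a window of one step. That is why "set your phone to automatic time" fixes far more cases than raising Maximum Delta does, and why the delta should stay small.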
Which authenticator app should I use?
Any TOTP-compatible app will work; common choices are Google Authenticator, Authy, and Duo. Some apps can back up or sync your secrets across devices through the vendor's cloud account, which simplifies recovery if you change phones but also means that account now guards your Rocket.Chat second factor. Check your app's settings and secure that account accordingly.
How do I move my Rocket.Chat 2FA to a new phone?
While you still have the old phone, sign in to Rocket.Chat, disable TOTP, then re-enable it and scan the new QR code with the new phone. Disabling invalidates the old secret, so codes from the old phone stop working, and re-enabling issues a fresh set of backup codes: save them. If you no longer have the old phone, sign in using a backup code, then disable and re-enable TOTP from your new device.
Email 2FA
Why isn't my emailed code arriving?
Check your spam or junk folder first. If it isn't there, your workspace's outgoing email service may not be configured correctly; contact your administrator.
Is email 2FA as secure as TOTP?
TOTP is generally considered stronger: the code is computed on your device from a secret that never leaves it, so nothing has to be delivered to you that could be intercepted in transit or read from a mailbox. Email 2FA is only as strong as your email account; if that account is compromised, an attacker who also has your Rocket.Chat password can read your codes. Neither method stops a phishing page that relays a freshly entered code in real time, so always check the address you are signing in to. Where possible, use TOTP.
How long is an emailed 2FA code valid?
By default, an emailed code is valid for 1 hour (3600 seconds). Your administrator can adjust this in workspace settings; a shorter lifetime narrows the window in which a leaked or forwarded code can be used.
Recovery and lost access
What if I lose my phone or authenticator app?
Sign in using one of your backup codes (each code works once), then disable TOTP and re-enable it on your new device, which also issues a new set of backup codes.
What if I've used all my backup codes?
Contact your workspace administrator to reset your TOTP. You can then set 2FA up again from scratch and receive a new set of backup codes.
What if I no longer have access to my registered email?
Contact your workspace administrator for help regaining access to your account.