Multi-factor authentication

Add a second factor to your sign-in. Set up an authenticator app, save recovery codes, and use them when you can't reach your phone.

What this means

Multi-factor authentication (MFA) adds a second step to sign-in: after your password, you also enter a 6-digit code from an authenticator app on your phone. The app generates a fresh code every 30 seconds.

Even if someone learns your password, they can't sign in without the phone - that's the point.

Bilbis uses TOTP (Time-based One-Time Password), the standard supported by Google Authenticator, 1Password, Authy, Microsoft Authenticator, and most other authenticator apps.

When MFA applies

  • Owner - Required. You can't sign in without enrolling.
  • Admin - Required. Same as owner.
  • Platform admin - Required. Same as owner.
  • Developer - Optional. Enroll voluntarily from Settings → Security.
  • Viewer - Optional. Enroll voluntarily from Settings → Security.

If your role becomes one of the required roles after you've registered, the next sign-in routes you to enrollment instead of the dashboard.

Enrollment

The enrollment page walks through three steps.

Step 1 - Add Bilbis to your authenticator

The page shows a QR code and a long secret string. Open your authenticator app and either:

  • Scan the QR code with your phone's camera in the app, or
  • Tap "Enter manually" in the app and paste the secret.

Either way, your authenticator now knows about Bilbis and starts generating 6-digit codes that change every 30 seconds.

Step 2 - Save your recovery codes

Bilbis shows you a list of recovery codes. Save these. You can:

  • Click Copy all to copy them to your clipboard.
  • Click Download to save them as bilbis-recovery-codes.txt.

Each code works once. They're your fallback when you can't reach your authenticator app - for example, if your phone is lost, broken, or wiped.

Bilbis only shows the codes once. Save them somewhere durable: a password manager, a printed sheet, a secure note. Don't keep them only on the same phone that runs the authenticator app.

Step 3 - Confirm with a 6-digit code

Type the current 6-digit code from your authenticator into the Code input. Click Confirm and enable.

The page shows "Two-factor enabled" and routes you on - to your dashboard if you have one, or to the Workspace picker.

Voluntary enrollment

If your role doesn't require MFA but you want to add it anyway:

  1. Sign in normally.
  2. Go to Settings → Security.
  3. Click Enable two-factor.
  4. Walk through the same three steps.

Voluntary enrollment shows the same form without the "Required for admins" notice at the top.

Sign-in challenge

After enrollment, every sign-in goes through this:

  1. Type your email and password as usual.
  2. The challenge page asks for the current 6-digit code.
  3. Type it. Click Verify.

The challenge page also has a Use a recovery code link if you can't reach your authenticator. Recovery codes are formatted like ABCD-1234-EFGH-5678. Each one consumes itself after use.

If you've used a recovery code, generate fresh ones in Settings → Security when you next sign in. The reminder appears in a toast.
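How single-use recovery codes in the ABCD-1234-EFGH-5678 shape can be issued and consumed, as an added example that is not Bilbis code: the alphabet, the code count and the use of SHA-256 for the stored hashes are assumptions (the page states only the format and that each code works once).

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits   # assumed alphabet
GROUPS = (4, 4, 4, 4)                               # ABCD-1234-EFGH-5678 shape


def generate_recovery_codes(count: int = 8) -> list[str]:
    """Issue `count` random codes (count assumed). Shown to the user once."""
    return ["-".join("".join(secrets.choice(ALPHABET) for _ in range(n)) for n in GROUPS)
            for _ in range(count)]


def normalize(code: str) -> str:
    """Users re-type codes from a printout: ignore dashes, spaces and case."""
    return code.replace("-", "").replace(" ", "").upper()


def _digest(code: str) -> str:
    # Codes have ~82 bits of entropy, so a fast hash is adequate here (assumption).
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record: only hashes are kept, and a code is removed the
    first time it verifies, so a second use of the same code fails."""

    def __init__(self, codes: list[str]):
        self._hashes = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def consume(self, submitted: str) -> bool:
        wanted = _digest(submitted)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, wanted):
                self._hashes.remove(stored)   # each code works once
                return True
        return False
```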

Errors at the challenge

  • "Invalid code. Try again." - The code didn't match. Wait for the next one in your authenticator (codes change every 30 seconds) and re-type it.
  • "This challenge expired. Sign in again." - Too much time passed between entering the password and the code. Start sign-in over.
  • "Too many attempts. Try again later." - You hit the rate limit. Wait before trying again.

Disabling MFA

For voluntary users only - required-MFA roles can't disable.

  1. Go to Settings → Security.
  2. Click Disable two-factor.
  3. The dialog asks for either a current 6-digit code or a recovery code.
  4. Confirm.

After disabling, sign-in goes back to email + password only.

Switching authenticator apps

Bilbis doesn't have a "transfer" button. To switch:

  1. Disable MFA in Settings → Security (voluntary users only).
  2. Re-enroll. The QR code goes into the new authenticator.
  3. Save fresh recovery codes.

For required-MFA roles, this isn't allowed - your operator has to reset MFA on your account first.

Lost authenticator + lost recovery codes

Without your authenticator and without recovery codes, you're locked out. The Bilbis app cannot recover this - only your operator can. Contact your admin or the Bilbis operator to reset MFA on your account. After they reset it, you'll re-enroll on the next sign-in.

Where MFA shows up

  • Sign-in - Challenge page after a correct password.
  • Voluntary enrollment - Settings → Security.
  • Required enrollment - Forced after sign-in if your role demands it and you haven't enrolled.
  • Recovery code prompt - A link on the challenge page, and inside the disable dialog.

Permissions

  • Enroll (forced) - Owner, admin, platform admin. Required at first sign-in.
  • Enroll (voluntary) - Anyone, from Settings → Security.
  • Disable - Voluntary users only. Required-MFA roles cannot disable.
  • Reset another user's MFA - Operator-side action. Not available in the app.

Problems and fixes

  • The QR code won't scan. - Type the secret in manually. The same string is shown next to the QR code.
  • The code is rejected even though I just generated it. - Codes change every 30 seconds. Wait for the next one and try again. Make sure your phone's clock is correct.
  • "Enrollment expired. Refresh and start over." - The page sat too long. Refresh and start again.
  • I lost my phone. - Use a recovery code on the sign-in challenge page. Click Use a recovery code.
  • I lost my phone and I never saved recovery codes. - Contact your operator to reset MFA. They'll let you re-enroll.
  • I want to disable MFA on a required role. - Not allowed by Bilbis. Required roles must keep MFA on.
  • I see the recovery codes screen briefly and then it's gone. - The codes show during enrollment only. If you didn't save them, disable and re-enroll (voluntary roles), or generate fresh codes from Settings → Security.