Skip to content

Manage 2FA and passkeys

Open Settings, then Security. The security workspace contains Overview, Methods, Recovery, and Policy tabs plus passkey and session controls.

Typical time
10–20 minutes
You need
Current password and a trusted device
Outcome
Verified sign-in and recovery methods
  1. Review Protection, Policy, Preferred, and Recovery.
  2. Open Methods to inspect Email codes and Authenticator app.
  3. Open Recovery to confirm a recovery-code set exists.
  4. Open Policy to view organization requirements.
  5. Choose Open setup, Manage recovery, Manage methods, or Review policy only for the action you intend.

2FA 1 of 8 · Screenshot placeholder

Review account protection and policy

Show Security summary, Overview/Methods/Recovery/Policy tabs, Sign-in methods, Recovery readiness, and Organization policy.

Future capture briefUse synthetic status. Hide identity, masked email if identifying, verification timestamps, recovery codes, account IDs, and organization names.

The enabled methods, preferred method, recovery readiness, and policy are internally consistent before you change anything.

  1. Choose Open setup.
  2. In Configure sign-in method, choose Email codes.
  3. Enter Current password.
  4. Choose Send email code.
  5. Enter the six-digit Verification code.
  6. Choose Confirm.
  7. Save the newly displayed recovery codes privately if this is the first method.

2FA 2 of 8 · Screenshot placeholder

Enable email codes

Show Configure/Verify/Review/Complete progress, Email codes, Current password, Send email code, Verification code, and Confirm.

Future capture briefKeep password and code empty. Hide masked identity, setup IDs, inbox content, recovery codes, tokens, cookies, and organization data.
  1. Choose Authenticator app in Set up sign-in methods.
  2. Enter Current password.
  3. If another factor is already active, verify it with Send email code and Confirm, or use a saved Recovery code.
  4. Choose Prepare authenticator app.
  5. Scan the QR code or use Copy authenticator app manual key privately.
  6. Enter the current Authenticator code.
  7. Choose Confirm.

The QR code, manual key, and otpauth value are secrets. They must be fully redacted in screenshots.

2FA 3 of 8 · Screenshot placeholder

Enable an authenticator app

Show existing-factor verification, Prepare authenticator app, redacted QR/manual-key areas, Authenticator code, and Confirm.

Future capture briefRedact the entire QR, manual key, account label, otpauth value, password, email code, recovery code, authenticator code, setup IDs, and tokens.

Authenticator app shows Enabled and the account has recovery codes.

  1. Choose Manage methods.
  2. In Security verification, enter Current password.
  3. Select an offered verification path and complete its authenticator, recovery, or email proof.
  4. In Preferred method, choose the method.
  5. Choose Save.

The preferred method is tried first when available; it does not disable other enrolled methods.

  1. In Manage sign-in methods, complete Security verification.
  2. In Recovery codes, choose Regenerate.
  3. Save every value shown under New recovery codes immediately.
  4. Replace the old stored set; previous codes are no longer reliable.
  5. Leave the page only after the new set is safely stored.

Recovery codes are shown once. Store them in an approved private password manager or offline recovery process, never in ScrinCloud notes or screenshots.

2FA 4 of 8 · Screenshot placeholder

Regenerate and store recovery codes

Show Security verification, Recovery codes, Regenerate, and a fully redacted New recovery codes panel.

Future capture briefReplace every recovery code with a solid redaction. Hide password, factor values, setup IDs, identity, tokens, cookies, and clipboard content.
  1. Confirm another allowed active sign-in path will remain.
  2. Complete Security verification.
  3. In Disable a method, choose the method.
  4. Choose Disable and wait for Disabling….
  5. Recheck Methods, Preferred, Recovery, and organization policy.

The backend rejects unsafe disable requests, including policy conflicts or removing the last viable method. Do not attempt to bypass that guard.

  1. In Passkeys and security keys, choose Add passkey.
  2. Enter Passkey name and Current password.
  3. Provide an enrolled Authenticator code or Recovery code when required.
  4. Choose Add passkey.
  5. Complete the trusted browser or operating-system prompt.
  1. Choose Rename beside the credential.
  2. Enter New passkey name and the required proof.
  3. Choose Save name.
  1. Choose Revoke beside the exact credential.
  2. Enter required verification and choose Review revoke.
  3. Review Revoke passkey? and choose Revoke passkey.

Revocation is immediate for that credential and does not change other methods.

2FA 5 of 8 · Screenshot placeholder

Manage registered passkeys

Show Registered credentials with Add passkey, Rename, and Revoke, plus the synthetic credential count.

Future capture briefUse synthetic credential names. Hide credential references, browser payloads, device IDs, identity, timestamps if identifying, passwords, factor codes, and tokens.

2FA 6 of 8 · Screenshot placeholder

Verify a passkey lifecycle action

Show one Add/Rename/Revoke drawer with Confirm this security action and the final action button.

Future capture briefKeep password and factor fields empty. Do not capture browser prompts, credential IDs, passkey payloads, QR handoff, biometric data, tokens, or cookies.

The inventory shows the added or renamed credential, or no longer shows the revoked credential. Test sign-in only from a separate controlled browser; do not sign out your only recovery path prematurely.

Authorized organization policy managers can:

  1. Choose Optional or Enforced.
  2. Select allowed Email codes, Authenticator app, and Passkeys.
  3. Review impact.
  4. Complete Security verification.
  5. Choose Save policy.
  6. In Phishing-resistant assurance, choose protected roles and actions, verify again, and choose Save privileged policy.

When enforcement is on, keep at least one allowed method. Protected phishing-resistant actions reject email, authenticator, and recovery assurance when a recent passkey-authenticated session is required.

2FA 7 of 8 · Screenshot placeholder

Review organization sign-in policy impact

Show Optional/Enforced, allowed methods, Review impact, Security verification, Save policy, and Phishing-resistant assurance.

Future capture briefUse a synthetic organization and empty verification fields. Hide identities, policy IDs, credentials, codes, recovery values, tokens, cookies, and audit metadata.

2FA 8 of 8 · Screenshot placeholder

Confirm methods, recovery, and policy

Show the final Protection, Policy, Preferred, Recovery, enabled method cards, and passkey credential count.

Future capture briefUse synthetic values. Hide identity, masked email if identifying, recovery codes, verification timestamps, credential references, tokens, and organization details.

The settings page proves saved account and policy state after refresh. It does not prove every browser, device, or hardware key can authenticate; use a controlled sign-in test without exposing secrets.

Choose an allowed method or ask an authorized organization policy manager to review the requirement. Do not weaken policy solely to finish enrollment.

Use a currently active email, authenticator, recovery, or passkey path as offered. If none is available, use verified identity recovery.

Return to Add passkey and start a fresh browser prompt. Do not reuse a captured credential challenge.

While still authenticated, verify identity and choose Regenerate. The new set replaces the previous set.

Enable and verify another allowed method first. The fail-closed rejection is expected.