Two-Factor Authentication ☁

Learn how to enable and manage two-factor authentication (2FA) for your NocoDB account.

Two-factor authentication (2FA) adds a second layer of security to your NocoDB account. After entering your password, you'll also need to provide a time-based one-time code from an authenticator app on your phone.

Two-factor authentication is available on all plans in Cloud and on the Enterprise tier for licensed Self-hosted.

Setting up 2FA

Prerequisites

  • You must have a password set on your account. If you signed up via Google, GitHub, or another SSO provider, set a password first via Account Settings > Profile.
  • Install an authenticator app that supports TOTP (e.g., Google Authenticator, Microsoft Authenticator, Authy, 1Password).

Steps

  1. Click your avatar in the bottom-left corner, then select Account Settings.
  2. Navigate to the Security tab.
  3. Click Enable 2FA.
  4. Enter your current password and click Next.
  5. Open your authenticator app and scan the QR code displayed on screen. If you cannot scan the QR code, click the copy button next to the manual entry key and add it to your authenticator app manually. Click Next.
  6. Enter the 6-digit verification code from your authenticator app and click Verify.
  7. You will be shown 10 one-time backup codes. Copy or write these down immediately and store them in a safe place; each code can only be used once. Click I've saved these codes to complete setup.

2FA is now active on your account.


Signing in with 2FA

Once 2FA is enabled, every sign-in requires a second verification step after your password.

  1. Enter your email and password as usual.
  2. On the Two-Factor Authentication screen, open your authenticator app and enter the current 6-digit code, then click Verify.
  3. If you don't have access to your authenticator app, click Use a backup code instead. Enter one of your saved backup codes (in xxxx-xxxx format) and click Verify. You can switch back to the authenticator code view at any time by clicking Use authenticator code instead.
  4. Click Cancel to abort the sign-in and return to the login screen.

The verification step must be completed within 5 minutes of entering your password. If it expires, sign in again.

Each backup code can only be used once. After signing in with a backup code, it is consumed and cannot be reused.

Backup codes

Backup codes are emergency access codes for when you lose access to your authenticator app (e.g., lost phone, app uninstalled).

  • You receive 10 backup codes when you enable 2FA.
  • Each code can only be used once — it is consumed after a successful sign-in.
  • Codes are in xxxx-xxxx format. Dashes, spaces, and letter casing are ignored when entering them.

Regenerating backup codes

If you've used most of your backup codes, or if you think they may have been compromised:

  1. Go to Account Settings > Security.
  2. Click Regenerate Backup Codes.
  3. Enter a current 6-digit code from your authenticator app to verify your identity.
  4. Your old backup codes are immediately invalidated. New codes are displayed.
  5. Copy and save the new codes, then click I've saved these codes.

Disabling 2FA

  1. Go to Account Settings > Security.
  2. Click Disable 2FA.
  3. Read the warning and click Disable 2FA to confirm.


Your TOTP secret and all backup codes are permanently deleted. If you re-enable 2FA later, you will go through the full setup process again with a new secret and new backup codes.


Troubleshooting

"Invalid verification code"

  • Make sure your device's clock is accurate. TOTP codes are time-sensitive — even a 30-second drift can cause codes to fail. Enable automatic time sync on your device.
  • Ensure you're entering the code for the correct account (check the label in your authenticator app says "NocoDB").
  • Codes refresh every 30 seconds. If a code is about to expire, wait for the next one.
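Why clock drift produces "Invalid verification code", shown as an added example (not NocoDB's code). It implements RFC 6238 TOTP with the 30-second step and 6 digits described on this page; HMAC-SHA1, the `window` drift tolerance, and the function names are assumptions, and the secret is the published RFC test secret.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page
RFC_SECRET = b"12345678901234567890"  # RFC 6238 test secret, not a NocoDB value


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1 assumed)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def matched_offset(secret, code, server_time, window):
    """Return the step offset in -window..+window whose code matches, else None.

    A non-zero result means the device clock is off by about that many steps.
    """
    for off in sorted(range(-window, window + 1), key=abs):
        candidate = totp(secret, server_time + off * STEP)
        if hmac.compare_digest(candidate, code):
            return off
    return None


if __name__ == "__main__":
    device_time, server_time = 59, 89  # device clock is 30 seconds behind
    code = totp(RFC_SECRET, device_time)
    print("device shows:", code)
    print("strict check:", matched_offset(RFC_SECRET, code, server_time, 0))
    print("one step of tolerance:", matched_offset(RFC_SECRET, code, server_time, 1))
```

With no tolerance the device's code is rejected because it belongs to the previous 30-second step; a verifier that accepts one adjacent step reports an offset of -1, which is the signature of a slow device clock.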

Lost access to authenticator app and no backup codes

Contact your NocoDB workspace administrator or system admin. An admin can disable 2FA on your account from the backend. There is no self-service recovery if both the authenticator app and all backup codes are unavailable.

"Too many failed attempts"

After 5 consecutive failed verification attempts, your account is temporarily locked out for 15 minutes. Wait for the lockout period to pass, then try again. Double-check that your device's clock is synced correctly before retrying.
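The backup-code rules from the Backup codes section (xxxx-xxxx format, dashes, spaces and casing ignored, single use) combined with the lockout described above (5 consecutive failures, 15 minutes), as an added example that is not NocoDB's implementation. The character set, the SHA-256 digest storage, and all names are assumptions.

```python
import hashlib
import hmac
import secrets

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # assumed character set
MAX_FAILURES = 5            # consecutive failures before lockout (from this page)
LOCKOUT_SECONDS = 15 * 60   # lockout length (from this page)


def normalize(code):
    """Ignore dashes, spaces and letter casing, as the page describes."""
    return code.replace("-", "").replace(" ", "").lower()


def digest(code):
    return hashlib.sha256(normalize(code).encode()).digest()


def generate_codes(n=10):
    """Generate n random codes in xxxx-xxxx format from a CSPRNG."""
    raw = ["".join(secrets.choice(ALPHABET) for _ in range(8)) for _ in range(n)]
    return [c[:4] + "-" + c[4:] for c in raw]


class BackupCodeVerifier:
    def __init__(self, codes):
        self.hashes = [digest(c) for c in codes]  # keep digests, not the codes
        self.failures = 0
        self.locked_until = 0.0

    def redeem(self, code, now):
        """Return "ok", "invalid" or "locked" for an attempt at time `now`."""
        if now < self.locked_until:
            return "locked"
        supplied = digest(code)
        for stored in self.hashes:
            if hmac.compare_digest(stored, supplied):
                self.hashes.remove(stored)  # consume: each code works once
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return "invalid"
```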

Migrating to a new phone

Before switching devices:

  1. If your authenticator app supports cloud backup or multi-device sync (e.g., Authy, Microsoft Authenticator, 1Password), your codes will transfer automatically.
  2. If not, disable 2FA on NocoDB, switch devices, then re-enable 2FA and scan the new QR code on your new phone.
  3. Alternatively, keep your backup codes handy — you can sign in with a backup code, then disable and re-enable 2FA to set up the new device.