Product Update | Feb 20, 2026

Introducing Multi-Factor Authentication

We just rolled out mandatory MFA support for all enterprise organizations. Here is how it works.

Diagram: Login Attempt, MFA Policy, Authenticator App

Today, we are thrilled to announce that Multi-Factor Authentication (MFA) is generally available across all API Health Control Panel accounts. For our Enterprise clients, organizations can now strictly enforce MFA globally across all team members.


Why is MFA Mandatory for Orgs?

Stolen passwords account for over 80% of corporate data breaches. For an application like ours, which stores raw provider keys that govern your entire billing quota across platforms like OpenAI and Stripe, a single leaked developer password could be catastrophic.

By requiring Time-based One-Time Passwords (TOTP), we ensure that every login attempt must also be confirmed with a code generated on a physical device the user holds.

Supported Authenticators

Our implementation relies strictly on the standard TOTP protocol, which gives users maximal flexibility to use their preferred authenticator app.

  • Google Authenticator - Recommended for quick mobile setups.
  • Authy - Convenient for multi-device sync (enable it deliberately, since every synced device can generate your codes).
  • 1Password / Bitwarden - Recommended for enterprise teams looking to centralize their 2FA codes alongside highly complex generated passwords.

How to Set Up MFA

Navigate to your Settings panel inside the Control Panel dashboard. Under the "Security" tab, click Enable 2FA.

  1. A secure QR code will be generated on your screen.
  2. Scan the QR code with your chosen authenticator app.
  3. Enter the 6-digit code displayed on your device back into the Control Panel prompt.
  4. Crucial: save the displayed recovery codes in a secure, offline location. They are the *only* way to sign in without your authenticator if you lose your phone.
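To make the TOTP flow behind these steps concrete, here is an added example (not Control Panel code) of what happens on both sides of the enrollment: the server generates a shared secret and the otpauth:// URI that the QR code encodes, the authenticator app derives the 6-digit code from that secret and the current time step (RFC 6238, built on RFC 4226 HOTP), and the server verifies the submitted code with a small skew window. It also shows single-use recovery codes stored only as hashes. The issuer name "API Health Control Panel" comes from this post; the account name, the recovery-code format and the functions themselves are assumptions for illustration. The test secret is the one published in RFC 6238.

```python
"""TOTP enrollment and verification (RFC 6238 / RFC 4226) plus hashed recovery codes.
Added example; not the Control Panel's own implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional, Tuple
from urllib.parse import quote

DIGITS = 6            # code length the setup prompt asks for
STEP_SECONDS = 30     # TOTP time step

# Published RFC 6238 test secret (ASCII "12345678901234567890" in base32).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(num_bytes: int = 20) -> str:
    """Fresh base32 shared secret; 160 bits is the length RFC 4226 recommends."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrollment QR code encodes (what step 1 shows on screen)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, 6 digits."""
    padded = secret + "=" * (-len(secret) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at: Optional[float] = None) -> str:
    """TOTP is HOTP with counter = floor(unix_time / 30); this is what the app displays."""
    t = time.time() if at is None else at
    return hotp(secret, int(t // STEP_SECONDS))


def verify_totp(secret: str, submitted: str, at: Optional[float] = None, window: int = 1) -> bool:
    """Server-side check for step 3. Accepts the current step and +/- `window` neighbours
    to tolerate clock skew; each comparison is constant-time so digit matches do not leak."""
    t = time.time() if at is None else at
    counter = int(t // STEP_SECONDS)
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def generate_recovery_codes(count: int = 8) -> Tuple[List[str], List[str]]:
    """Return (plaintext codes shown once to the user, SHA-256 digests the server stores).
    Keeping only digests means a database leak does not yield usable codes."""
    codes = [secrets.token_hex(5) for _ in range(count)]  # assumed format: 10 hex chars
    digests = [hashlib.sha256(c.encode()).hexdigest() for c in codes]
    return codes, digests


def redeem_recovery_code(submitted: str, stored_digests: List[str]) -> bool:
    """Consume a recovery code: on match, delete its digest so it cannot be reused."""
    digest = hashlib.sha256(submitted.strip().lower().encode()).hexdigest()
    for i, stored in enumerate(stored_digests):
        if hmac.compare_digest(stored, digest):
            del stored_digests[i]
            return True
    return False


if __name__ == "__main__":
    secret = generate_secret()
    print("QR payload:", provisioning_uri(secret, "dev@example.com", "API Health Control Panel"))
    print("code the app would show now:", totp(secret))
    print("verifies:", verify_totp(secret, totp(secret)))
    plaintext, digests = generate_recovery_codes()
    print("recovery codes (show once):", plaintext)
```

The skew window is the practical trade-off: `window=1` accepts three 30-second steps, which absorbs ordinary phone clock drift without widening the guessing space much, while a larger window does. Recovery codes are compared against digests only and deleted on use, which is why step 4 matters: once the plaintext list is gone there is nothing on the server to recover it from.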

WebAuthn / Passkeys (Coming Soon)

In Q3 2026, we will be expanding our MFA options to support FIDO2 security keys (YubiKey) and biometric Passkeys (FaceID / TouchID) for true passwordless, phishing-resistant workflows.

Rolling it out

If you are an Enterprise Admin, you can navigate to the Organization settings page and toggle "Enforce MFA for all members." Once enabled, any team member without MFA configured is logged out immediately and routed through the setup flow on their next login attempt.