> ## Documentation Index > Fetch the complete documentation index at: https://microstrate-1133-notifications-prefs.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Authentication > Secure your account with multi-factor authentication and passkeys # Authentication & MFA Protect your QuivaWorks account with multi-factor authentication (MFA) and modern passkey technology. ## Why Enable MFA? Adds an additional layer of protection beyond passwords Meet security requirements for regulated industries Receive recovery codes for emergency access Sleep better knowing your account is secure You'll be prompted to set up MFA every time you log in until it's enabled. We strongly recommend enabling MFA immediately after account creation. ## Setting Up Multi-Factor Authentication Passkeys provide passwordless authentication using biometrics or device PINs. Click your profile icon → "Settings" → "Password and Authentication" Click "Add Passkey" Follow your device's prompts: * Touch/Face ID on mobile * Windows Hello on PC * Touch ID on Mac * Security key (YubiKey, etc.) Store your recovery codes securely Passkeys are: * More secure than passwords * Resistant to phishing * Faster to use * Backed by FIDO2 standard Use time-based one-time passwords (TOTP) with apps like Google Authenticator, Authy, or Microsoft Authenticator. Click your profile icon → "Settings" → "Password and Authentication" Click "Add Authenticator App" Open your authenticator app and scan the QR code displayed Enter the 6-digit code from your app to confirm setup Download and securely store your recovery codes **Compatible Apps:** * Google Authenticator * Authy * Microsoft Authenticator * 1Password * LastPass Authenticator ## Recovery Codes Recovery codes provide emergency access if you lose your MFA device. **Critical:** Store recovery codes in a secure location: * Password manager * Physical safe * Encrypted storage * Never in email or cloud notes ### Characteristics of Recovery Codes * Each code can only be used **once** * You receive **10 codes** when enabling MFA * Generate new codes if you run out * Old codes become invalid when new ones are issued ### Viewing Your Recovery Codes 1. Click your profile icon → "Settings" 2. Navigate to "Password and Authentication" 3. Scroll to recovery codes section 4. Click "View" ### Using a Recovery Code 1. On the MFA challenge screen, click "Use recovery code instead" 2. Enter one of your recovery codes 3. Click "Verify" 4. **Important:** Generate new recovery codes immediately after using one If you've used all recovery codes, contact an Admin to issue new ones. ## Password Management ### Password Requirements Your password must contain: * Minimum **8 characters** * At least one **uppercase** letter * At least one **lowercase** letter * At least one **number** * At least one **special character** (!@#\$%^&\*) Use a password manager to generate and store complex, unique passwords. ### Changing Your Password 1. Click your profile icon → "Settings" 2. Navigate to "Credentials" 3. Enter your current password 4. Enter your new password 5. Confirm your new password 6. Click "Update Password" All active sessions will be terminated except your current one. You'll receive an email notification confirming the password change. ### Forgot Your Password? 1. Visit [https://app.quiva.ai/en/login](https://app.quiva.ai/en/login) 2. Click "Forgot password?" 3. Enter your account name and email 4. Click "Send Recovery Email" Look for "Reset Your QuivaWorks Password" email with: * Password reset link (recommended), or * Temporary recovery code 1. Click the reset link or enter the code 2. Create a new password meeting requirements 3. Confirm your new password 4. Click "Reset Password" You'll be logged in automatically. All other sessions are terminated. Password reset links expire after **15 minutes**. Request a new link if yours expires. ## Security Notifications You'll receive email notifications for these authentication events: When your password is updated When someone requests an email change When a new passkey is registered When recovery codes are accessed If you receive a notification for an action you didn't perform, immediately change your password and review your [active sessions](/essentials/security/sessions). ## Best Practices Never reuse passwords across different services. Use a password manager to track unique passwords for each account. Set up MFA as soon as you create your account. Don't wait until a security incident occurs. Keep recovery codes in a password manager or physical safe. Never store them in email or unencrypted notes. Passkeys are more secure and convenient than authenticator apps. Use them when available. Check your active sessions monthly and terminate any you don't recognize. Change your password every 60-90 days, especially for privileged accounts. ## Troubleshooting 1. Use a recovery code to log in 2. Immediately set up a new MFA method 3. Generate new recovery codes 4. If you've lost recovery codes too, contact an Admin * Check your device's time is synced correctly * Ensure you're using the latest code (refreshes every 30 seconds) * Try removing and re-adding the account in your app * Use a recovery code if the issue persists * Ensure your device/browser supports passkeys * Try registering a backup passkey on another device * Clear browser cache if using a browser-based passkey * Use authenticator app or recovery code as fallback * Check spam/junk folder * Verify you entered the correct account name and email * Wait 5 minutes (email delivery can be delayed) * Try requesting another reset email ## Next Steps Secure programmatic access Manage active sessions Comprehensive security guide What to do if compromised