Two-factor authentication
Two-factor authentication (2FA) adds a second step to login. After entering your password, you also enter a 6-digit code from an authenticator app on your phone. This means even if someone gets your password, they still cannot access your account.
Setting up 2FA
- Log in to CaseFlow and go to your profile (click your name in the top left, then Edit Profile)
- Scroll to the Two-Factor Authentication section
- Click Enable 2FA
- CaseFlow shows a QR code
- Open your authenticator app (Google Authenticator, Authy, 1Password, etc.) and scan the QR code
- The app starts generating 6-digit codes that change every 30 seconds
- Enter the current code in CaseFlow to verify it works
- Click Save

2FA is now active on your account.
Logging in with 2FA
- Enter your email and password as normal
- CaseFlow shows a second screen asking for your 6-digit code
- Open your authenticator app, find the CaseFlow entry, and enter the current code
- Click Verify
If the code is correct, you are logged in. If not, try the next code (they rotate every 30 seconds).
Before enabling 2FA
CaseFlow does not generate one-time backup codes. Before you turn 2FA on, make sure you have your authenticator app set up on a device you will not lose, preferably with the authenticator account backed up through the app's own sync (Authy cloud backup, Google account sync, 1Password vault, etc.).
If your phone is lost or reset, recovering access depends on that backup; there is no emergency code you can keep in a drawer.
Disabling 2FA
Go to your profile, scroll to Two-Factor Authentication, and click Disable 2FA. You will need to enter a current 6-digit code to confirm. After disabling, login requires only your password.
Who controls 2FA
Each staff member manages their own 2FA. The firm administrator cannot force 2FA on staff, and cannot see whether a specific staff member has it enabled. It is opt-in per person.
If security is a concern, tell your team to enable 2FA and follow up verbally. There is no technical enforcement mechanism.
Locked out
If you lose your phone and your authenticator app is not backed up anywhere, contact CaseFlow support. The support team can verify your identity and disable 2FA on your account so you can log in and set it up again.
Firm administrators cannot reset another staff member's 2FA from within CaseFlow; this is handled at the platform level by support to prevent an attacker from bypassing 2FA simply by getting access to an admin account.
Authenticator apps
Any TOTP-compatible authenticator app works:
- Google Authenticator (iOS, Android)
- Authy (iOS, Android, Desktop)
- 1Password (built-in authenticator)
- Microsoft Authenticator
- Bitwarden (built-in authenticator)
SMS-based 2FA is not supported; CaseFlow uses app-based TOTP codes only.