What is Two-Step Authentication

Two-Step Authentication provides an additional authentication layer to ensure only you can access your OneSignal account.

In addition to your email address and password or OAuth, Two-Step Authentication requires you to install an authenticator app such as Authy on your personal mobile device. When you log in to OneSignal, you will be prompted for a verification code generated by the authenticator app to access your OneSignal account.

How to set up Two-Step Authentication on OneSignal

Step 1 - Login

New Registrations

• Sign up with your email address and password or with your OAuth provider.
• Access the “Two-Step Authentication” section from the OneSignal Account Management page.

• Click “Enable”
• Follow Step 2

Existing users

• Access the “Two-Step Authentication” section from the OneSignal Account Management page.
• Click “Enable”
• Follow Step 2

Step 2 - Setup Authenticator App

• Download an authenticator app on your personal mobile device
• From the authenticator app, Scan the QR code or enter the Secret Key displayed on OneSignal set up screen
• Enter the six-digit verification code from the authenticator app on OneSignal setup screen

Step 3 - Recovery Codes

Upon successful set up of an authenticator app, OneSignal will generate a set of 10 recovery codes. These codes can be used to login to your account if you don't have access to the authenticator app.

Note: For security purposes, OneSignal will display the recovery code only once. Please download or copy these in a safe place. In case you lose the recovery codes, you can generate a new set, invalidating the old recovery codes, from the Account Management page.

New Login Flow after Two-Step Authentication is Enabled

• Enter email address and password or OAuth AND
• Enter the authentication code from the app OR Enter one of the recovery codes OR
• Contact Support for help

Enforce Two-Step Authentication for your Organization

Navigate to Organizations > Your Organization > Roles

From the Organization Roles tab, Org-level admins can:

• View login method and two-step authentication status for all users
• Change the organization-wide Two-Step Authentication policy to
  Default: Allow users to select their own, individual login method, with or without the two-step authentication
  Recommended: Require Two-Step Authentication for all users. Mandatory Two-Step Authentication at an org-level will force all users to enable two-step authentication before they can log in to OneSignal the next time.

Note: Org-wide policy enforcement with a single-click is only available to paid accounts.

What do different icons under login method column mean?

FAQ

What if I am locked out of my account?

• I don’t remember my login password.
  The process to reset your forgotten password is still the same.

• I don’t have access to the authenticator app.
  Use one of the recovery codes generated on successful Two-Step Authentication setup

• I don’t remember recovery codes.
  Please contact OneSignal Support to unlock your account with a one-time code. Please generate a new set of recovery codes on successful login and keep them safe.

How do I disable Two-Step Authentication?

Access Two-Step Authentication settings on the OneSignal Account Management page. Click on “Disable”.
Note: Users will not be able to disable Two-Step Authentication if any of the organizations they are part of enforces it.

How do I generate new recovery codes?

Access Two-Step Authentication settings on the OneSignal Account Management page.
Click on “Generate New Recovery Codes”.

OAuth Login

Customers using third-party OAuth login methods (Facebook, Google, Github, etc) can enable Two-Step Authentication on Onesignal following the same process.

Supported Authenticator Apps

We recommend using Authy, but any authenticator app that supports a Time-based One-time Password (TOTP) mechanism, including Google authenticator, Microsoft authenticator, etc. can be used to set up Two-Step Authentication on OneSignal.