What is Two-Step Authentication
Two-Step Authentication provides an additional authentication layer to ensure only you can access your OneSignal account.
In addition to your email address and password or OAuth, Two-Step Authentication requires you to install an authenticator app such as Authy on your personal mobile device. When you log in to OneSignal, you will be prompted for a verification code generated by the authenticator app to access your OneSignal account.
How to set up Two-Step Authentication on OneSignal
Step 1 - Login
New Registrations
- Sign up with your email address and password or with your OAuth provider.
- Access the “Two-Step Authentication” section from the OneSignal Account Management page.
- Click “Enable”
- Follow Step 2
Existing users
- Access the “Two-Step Authentication” section from the OneSignal Account Management page.
- Click “Enable”
- Follow Step 2
Step 2 - Setup Authenticator App
- Download an authenticator app on your personal mobile device
- From the authenticator app, scan the QR code or enter the Secret Key displayed on the OneSignal setup screen
- Enter the six-digit verification code from the authenticator app on the OneSignal setup screen


Step 3 - Recovery Codes
Upon successful setup of an authenticator app, OneSignal will generate a set of 10 recovery codes. These codes can be used to log in to your account if you don't have access to the authenticator app.
Note: For security purposes, OneSignal will display the recovery codes only once. Please download them or copy them to a safe place. If you lose the recovery codes, you can generate a new set from the Account Management page; doing so invalidates the old recovery codes.


New Login Flow after Two-Step Authentication is Enabled
- Enter email address and password or OAuth AND
- Enter the authentication code from the app OR Enter one of the recovery codes OR
- Contact Support for help
Enforce Two-Step Authentication for your Organization
Navigate to Organizations > Your Organization > Roles




From the Organization Roles tab, Org-level admins can:
- View login method and two-step authentication status for all users
- Change the organization-wide Two-Step Authentication policy to one of:
  - Default: Allow users to select their own individual login method, with or without two-step authentication.
  - Recommended: Require Two-Step Authentication for all users. Mandatory Two-Step Authentication at the org level forces all users to enable two-step authentication before they can log in to OneSignal the next time.
Note: Org-wide policy enforcement with a single click is only available to paid accounts.
What do different icons under login method column mean?


FAQ
What if I am locked out of my account?
- I don’t remember my login password.
  The process to reset your forgotten password is still the same.
- I don’t have access to the authenticator app.
  Use one of the recovery codes generated on successful Two-Step Authentication setup.
- I don’t remember recovery codes.
  Please contact OneSignal Support to unlock your account with a one-time code. Please generate a new set of recovery codes on successful login and keep them safe.
How do I disable Two-Step Authentication?
Access Two-Step Authentication settings on the OneSignal Account Management page. Click on “Disable”.
Note: Users will not be able to disable Two-Step Authentication if any of the organizations they are part of enforces it.
How do I generate new recovery codes?
Access Two-Step Authentication settings on the OneSignal Account Management page.
Click on “Generate New Recovery Codes”.
OAuth Login
Customers using third-party OAuth login methods (Facebook, Google, GitHub, etc.) can enable Two-Step Authentication on OneSignal following the same process.
Supported Authenticator Apps
We recommend using Authy, but any authenticator app that supports the Time-based One-time Password (TOTP) mechanism, including Google Authenticator, Microsoft Authenticator, etc., can be used to set up Two-Step Authentication on OneSignal.
Updated 6 months ago