Multifactor authentication (MFA)

Key point: Multifactor authentication (MFA) adds an essential security layer to your PageSeeder account by requiring two verification methods when signing in, significantly reducing the risk of unauthorized access.

Multifactor Authentication (MFA) in PageSeeder

Starting with version 6.2, PageSeeder supports Multifactor Authentication (MFA) to protect your accounts. MFA works by asking for two different ways to verify your identity when you sign in – something you know (your password) and something you have (like your phone or a security key).

Adding MFA significantly improves your security. Even if someone discovers your password, they still can't access your account without the second verification method. Many MFA options also protect you from deceptive attempts to steal your information. As an added benefit, using MFA helps your organization satisfy the security requirements of many regulatory standards.

For users

Getting started with MFA

When MFA is enabled by your administrator, you'll need to set up at least one additional authentication method beyond your password. You can do this through your security settings and password page.

Once you have registered and verified authenticators, PageSeeder uses them as a second authentication mechanism when you sign in. If you set up multiple authentication mechanisms, you can swap between them during the sign-in process.

We strongly recommend setting up at least two different authentication methods. This ensures you can still access your account if you lose access to one method (such as losing your phone).

Managing your authentication methods

PageSeeder offers several ways to verify your identity using authenticators:

  • Email verification codes – Receive a one-time code by email.
  • Authenticator app – Use apps like Google Authenticator or Microsoft Authenticator.
  • Security keys or devices – Use hardware keys or your smartphone's built-in security.
  • Backup codes – Emergency access codes you store in a safe place.

After setting up your preferred methods, you'll use one of them each time you sign in. If you have multiple methods configured, you can choose which one to use during the sign-in process.

For administrators

Configuring MFA

As a PageSeeder administrator, you control which authentication methods are available to your users. While you can enable or disable methods, users need to set up their own authenticators (except for email verification, which you can configure on their behalf).

Configure available authentication methods using the mfaSupport global property with a comma-separated list:

mfaSupport=email-otp,totp,recovery,webauthn

The allowed values are:

sms-otp is not included by default, as it requires a separate subscription to an SMS service.

Troubleshooting and emergency access

PageSeeder supports a global property to disable MFA on sign-in as a break-glass option. This allows users to temporarily sign in without a second authentication method when the system is unable to verify authenticators or when many users are locked out of the system.

mfaDisable=true

Only use this setting temporarily in emergency situations, as it reduces account security. Remember to re-enable MFA once the issue is resolved.
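
To catch a break-glass setting that was never reverted, the two properties described above can be checked with a short script. The following is an added example, not PageSeeder code: it assumes the global properties are available as plain key=value text, treats the value of mfaDisable case-insensitively, and uses function names of its own.

```python
# Added example: audit the MFA global properties described on this page.
# Assumptions: properties are key=value text; "true" is matched case-insensitively.
KNOWN_METHODS = {"email-otp", "totp", "recovery", "webauthn", "sms-otp"}  # values named on this page


def parse_properties(text):
    """Parse key=value lines; skip blanks and # / ! comments. Last value wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_mfa(text):
    """Return a list of (severity, message) findings for the MFA properties."""
    props = parse_properties(text)
    findings = []
    if props.get("mfaDisable", "").lower() == "true":
        findings.append(("HIGH", "mfaDisable=true: break-glass is on, sign-in skips the second factor"))
    if "mfaSupport" not in props:
        findings.append(("INFO", "mfaSupport not set: the server default applies"))
        return findings
    methods = [m.strip() for m in props["mfaSupport"].split(",") if m.strip()]
    unknown = sorted(set(methods) - KNOWN_METHODS)
    if unknown:
        findings.append(("MEDIUM", "unrecognised mfaSupport value(s): " + ", ".join(unknown)))
    valid = set(methods) & KNOWN_METHODS
    if len(valid) < 2:
        findings.append(("MEDIUM", "fewer than two methods enabled: users cannot register two different methods"))
    if "sms-otp" in valid:
        findings.append(("INFO", "sms-otp enabled: requires a separate SMS service subscription"))
    return findings


# Constructed sample input: a typo in one method name and break-glass left on.
SAMPLE = """\
# constructed sample
mfaSupport=email-otp, totp ,webauthn,sms_otp
mfaDisable=true
"""

if __name__ == "__main__":
    for severity, message in audit_mfa(SAMPLE):
        print(f"{severity:6} {message}")
```

Running a check like this on a schedule, or after any incident in which mfaDisable was used, gives a record of when MFA was actually re-enabled.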