Multi-factor authentication
Add an extra layer of security to your Knock account by enabling multi-factor authentication (MFA) for dashboard login.
Overview
Multi-factor authentication (MFA) adds a second verification step on top of your existing login method. After you sign in with email or Google, Knock prompts you for a one-time code from your authenticator app before granting access to the dashboard.
MFA applies to email (passwordless) and Google logins. If your account uses SAML SSO, your identity provider handles MFA for those users and Knock does not prompt for an additional factor.
Enroll in MFA
Any member can enroll in MFA from their profile settings in the Knock dashboard. Account owners and admins who want to require MFA for all members use a separate account-level setting (see Enforce MFA for your account below).
- Click Overview in the sidebar, then open your profile settings and navigate to the Security section.
- Under Two-factor authentication, click Set up.
- Scan the QR code with an authenticator app (such as 1Password, Authy, or Google Authenticator).
- Enter the 6-digit code from your authenticator app to confirm enrollment.
- Save your backup codes in a secure location. Knock shows these codes once during enrollment.
If your account owner or admin has enabled account-wide MFA enforcement, you are prompted to complete this enrollment flow the next time you log in before you can access the dashboard.
Backup codes
When you enroll in MFA, Knock generates a set of backup codes you can use to sign in if you lose access to your authenticator app. Each backup code is single-use.
You can regenerate backup codes from your profile Security settings at any time. Regenerating codes invalidates any previously issued backup codes.
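The single-use and regeneration behaviour described above, sketched as an added example that is not Knock's code: an in-memory backup-code store that keeps only digests, consumes a code on first use, and discards the previous set on regeneration. The class name, code count and code length are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # assumption: number of codes per set
CODE_BYTES = 10   # assumption: 80 random bits, so a plain hash resists guessing


def _digest(code):
    # Normalise what the user typed, then hash; only digests are ever stored.
    normalised = "".join(code.split()).replace("-", "").lower()
    return hashlib.sha256(normalised.encode()).digest()


class BackupCodeStore:
    """Hypothetical in-memory store; a real service would persist the digests."""

    def __init__(self):
        self._unused = {}  # member id -> set of digests of unused codes

    def regenerate(self, member):
        """Issue a fresh set; every code from the previous set stops working."""
        codes = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._unused[member] = {_digest(c) for c in codes}
        return codes  # plaintext is shown once to the member, never stored

    def redeem(self, member, code):
        """Accept a code at most once, comparing digests in constant time."""
        candidate = _digest(code)
        unused = self._unused.get(member, set())
        match = None
        for stored in unused:  # no early exit, every stored digest is compared
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        unused.discard(match)  # single-use: consumed on success
        return True
```
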
Logging in with MFA
When MFA is enabled on your account, Knock prompts you for a verification code after you complete the initial sign-in step (email magic link or Google SSO).
- Open your authenticator app and enter the current 6-digit code on the MFA challenge screen.
- If you cannot access your authenticator app, click Use a backup code and enter one of your saved backup codes instead.
After you verify your code, Knock authenticates your session and redirects you to the dashboard.
Enforce MFA for your account
Account owners and admins can require all members to enroll in MFA before they can access the dashboard. This is separate from enrolling MFA for your own login on the Profile page.
- Log in to your Knock dashboard.
- Navigate to the Security page under Admin in your account settings (dashboard.knock.app/<slug>/settings/security, where <slug> is your account identifier).
- Toggle Require multi-factor authentication to enable enforcement for all members.
When enforcement is enabled, members who have not yet enrolled in MFA are prompted to set up an authenticator app at their next login or token refresh. They cannot access the dashboard until enrollment is complete.
Reset a member's MFA
If a member loses access to their authenticator app and backup codes, an account owner or admin can reset their MFA from the account Security settings. Resetting a member's MFA removes their enrolled factor and backup codes. The member must enroll again at their next login.