Skip to content

Security & two-factor

The Security tab is where you decide how strictly people sign in to your restaurant’s dashboard. You can require two-factor authentication for members with particular roles, so a stolen or guessed password on its own is not enough to get in. Each member also controls their own two-factor setup from their profile. This page explains what two-factor authentication is, how to require it, what your team will experience, and how to help someone who gets locked out.

A password is one factor: something you know. Two-factor authentication (often shortened to 2FA) adds a second factor: something you have. After you type your password, you also enter a short code that changes every 30 seconds, generated by an authenticator app on your phone.

You get this code from any standard authenticator app — for example Google Authenticator, Microsoft Authenticator, 1Password or Authy. You scan a QR code once to link your account to the app, and from then on the app shows a fresh six-digit code whenever you sign in.

When you enrol, Eighty-Six also gives you a set of ten single-use backup codes. These are your safety net: if you lose your phone or cannot open your authenticator app, you can sign in with one of these codes instead. Each backup code works only once.

Instead of asking people one by one, you set a policy for whole roles. When a role is marked as required, every member who holds that role must set up two-factor authentication before they can use the dashboard.

  1. Go to Settings and open the Security tab.
  2. You will see the Require 2FA by role panel, listing each role in your organization.
  3. Turn on the switch next to any role you want to protect.
  4. A short confirmation appears at the corner of the screen — the change takes effect straight away.
The Security tab showing the Require 2FA by role panel with a switch beside each role
The Security tab. Flip a role's switch on to require two-factor authentication for everyone who holds it.

Turning a switch off removes the requirement for that role. Members who already enrolled keep their two-factor authentication — turning the policy off simply means it is no longer forced, and they may disable it themselves if they wish.

Once a role is required, anyone holding it who has not yet enrolled is met with a Two-factor authentication required screen the next time they open the dashboard. It explains that the organization requires two-factor authentication for their role and offers two buttons: Set up two-factor authentication and Sign out. There is no way past this screen except to enrol — the rest of the dashboard stays locked until they do.

From then on, signing in has one extra step. After entering their email and password, the member is asked for the six-digit code from their authenticator app, then selects Verify. If they cannot reach their app, a Use a backup code link lets them enter one of their backup codes instead.

Whether the policy forces you or you simply choose to, the setup is the same. You manage your own two-factor authentication from your Profile.

  1. Open the account menu at the top right and choose Profile.
  2. Find the Two-factor authentication card and select Enable two-factor authentication.
  3. Scan the QR code with your authenticator app. If you cannot scan it, use Can’t scan? Enter this key to type the key in by hand.
  4. Enter the six-digit code your app shows, then select Verify & enable.
The two-factor setup dialog showing a QR code, a setup key and a field for the six-digit code
Scan the QR code with an authenticator app, then enter the six-digit code to switch two-factor authentication on.

After you verify, Eighty-Six shows your ten backup codes once. Use Copy or Download to store them somewhere safe — a password manager is ideal. You must tick I have saved these backup codes somewhere safe before the Done button becomes available, because you will not be shown these codes again.

The backup codes screen with a grid of codes, Copy and Download buttons, and a confirmation checkbox
Your backup codes are shown only once. Copy or download them and store them safely before selecting Done.

Back on the Two-factor authentication card in your profile, a badge shows whether it is Enabled or Disabled, whether it is Required by your organization, and how many backup codes you have left. Two actions are available while it is on:

Regenerate backup codes

Running low, or think your codes may have been seen? Select Regenerate backup codes, enter a current six-digit code, and Eighty-Six issues a fresh set of ten. Your previous codes stop working immediately.

Disable

Select Disable and enter a current code (or a backup code) to turn two-factor authentication off. If your role is one the organization requires, this button is greyed out — you cannot switch off two-factor while the policy demands it.

If a member loses their phone and their backup codes, they can be locked out. An admin can clear their two-factor setup so they can sign in with just their password and enrol again fresh.

  1. Go to Team and open the members list.
  2. Open the three-dots menu on that member’s card and choose Reset 2FA.
  3. Confirm in the dialog. Two-factor authentication is switched off for that member.
A team member card with its menu open, showing the Reset 2FA option
From the Team members list, use a member's menu to reset their two-factor authentication if they are locked out.

After a reset, the member can sign in with only their password. If their role still requires two-factor authentication, they will be asked to set it up again on their next visit. You cannot reset your own two-factor this way — use the Disable and Enable buttons on your own profile instead.