Account Security & MFA

Protect your admin account with two-factor authentication, strong passwords, and backup recovery codes. Keep your organization's elections secure.

Why Account Security Matters

As a voting platform, VoteAlly handles election configuration, voter rosters, and ballot results. A compromised admin account could allow an attacker to alter questions, view private results, or manipulate voter access. Two-factor authentication (2FA) adds a second verification step to your login, so that a stolen password alone is not enough to access your account.

VoteAlly supports two MFA methods: authenticator app for the strongest protection, and email verification as a more convenient alternative. Both methods generate backup codes for account recovery.

Tip: We strongly recommend enabling MFA for all admin accounts, especially Organization Owners and anyone with access to election results or voter data.

Setting Up an Authenticator App

An authenticator app on your phone generates a new 6-digit code every 30 seconds. This is the most secure MFA option because the codes are created on your device and never sent over email.

Compatible apps include Google Authenticator, Authy, 1Password, and Microsoft Authenticator.

1. Open Security Settings

From your admin dashboard, click Settings in the sidebar, then select the Security tab. You will see the Multi-Factor Authentication section with two options: Authenticator App and Email Verification.

2. Click "Use Authenticator App"

VoteAlly generates a unique secret tied to your account and displays it as a QR code. The entry will appear in your authenticator app labeled with "VoteAlly" and your email address, so it is easy to find later.

3. Scan the QR code with your app

Open your authenticator app and use its camera or scan function to read the QR code. If you cannot scan it (for example, if you are setting up on the same device), click the manual entry option and type in the secret key shown below the QR code.

4. Enter the 6-digit verification code

Your authenticator app will immediately start generating codes. Enter the current 6-digit code into the verification field in VoteAlly and click "Verify & Enable." This confirms the secret was transferred correctly.

5. Save your backup codes

After successful verification, VoteAlly displays a set of one-time backup codes. Download the file or copy the codes and store them somewhere safe, such as a password manager or a printed sheet in a locked drawer. You will need these if you ever lose access to your authenticator app.

Done! From now on, every time you log in you will be prompted to enter a 6-digit code from your authenticator app after entering your password. Your account is protected even if your password is compromised.

Email-Based MFA

Email MFA sends a 6-digit verification code to your registered email address each time you log in. It is a convenient option if you do not want to install an authenticator app, though it is slightly less secure because it depends on the security of your email account.

How to enable email MFA:

  1. Go to Settings > Security in your admin dashboard.
  2. Click "Use Email for 2FA" under the Multi-Factor Authentication section.
  3. Check your inbox for a verification code. The code expires after 5 minutes.
  4. Enter the 6-digit code and click "Verify & Enable."
  5. Save the backup codes that are displayed. These work the same way as with authenticator app setup.

Tip: Each login will send a fresh code to your email. Make sure you have reliable access to the email address associated with your VoteAlly account. If you change your email, you will need to re-enable email MFA.

Note: You can only have one MFA method active at a time. To switch between authenticator app and email MFA, you must first disable the current method and then set up the new one.

Backup Codes

Backup codes are one-time-use recovery codes generated when you enable MFA. They let you log in if you lose access to your authenticator app or cannot receive email verification codes.

Saving Your Codes

  • Codes are shown only once after enabling MFA
  • Download them as a text file or copy to clipboard
  • Store in a password manager or secure physical location
  • Do not store them in the same place as your password

Using a Backup Code

  • Enter a backup code in place of the 6-digit MFA code at login
  • Codes are case-insensitive (uppercase is fine)
  • Each code works exactly once, then it is permanently consumed
  • Works with both authenticator app and email MFA methods

Running low on codes? To regenerate backup codes, disable MFA and immediately re-enable it. The new setup process will generate a fresh set. Your old unused codes will no longer work after the reset.
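The backup-code rules above (shown once, case-insensitive, single-use, old codes dead after a reset) map onto a small server-side design, sketched here as an added example that is not VoteAlly's implementation. The class and function names, the code count, length and alphabet, and the choice to keep only SHA-256 hashes are all assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed alphabet: uppercase letters and digits without 0/O/1/I look-alikes.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def normalize(code: str) -> str:
    """Make entry case-insensitive and tolerant of spaces or hyphens."""
    return code.strip().replace("-", "").replace(" ", "").upper()


def digest(code: str) -> str:
    """Only this hash is stored, so a database leak does not reveal codes."""
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class BackupCodeStore:
    """Hypothetical per-account store for one-time recovery codes."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def regenerate(self, count: int = 10, length: int = 16) -> list[str]:
        """Issue a fresh set and drop the old one (the 'reset' behaviour).

        The plaintext codes are returned once for display and never kept.
        16 symbols from a 32-symbol alphabet give 80 bits per code.
        """
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self._hashes = {digest(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once; it is consumed on success."""
        h = digest(submitted)
        if h in self._hashes:
            self._hashes.remove(h)
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)
```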

Changing Your Password

You can update your password at any time from the Security Settings page. If you signed up with Google and do not have a password yet, you can add one to enable email-and-password login alongside Google sign-in.

Password requirements:

  • At least 8 characters long
  • At least one uppercase letter (A-Z)
  • At least one number (0-9)
  • At least one special character (e.g., !@#$%^&*)

How to change your password:

  1. Go to Settings > Security and scroll to the Password section.
  2. Enter your current password (not required if you are adding a password for the first time).
  3. Enter your new password. The strength meter updates in real time as you type.
  4. Confirm the new password by typing it again.
  5. Click "Update Password" (or "Set Password" if this is your first one).

Tip: Use a password manager to generate and store a strong, unique password. Avoid reusing passwords from other services.

MFA Reset (for Org Owners)

If a team member is locked out of their account because they lost access to their authenticator app and have no remaining backup codes, an Organization Owner (or Super Admin) can reset their MFA remotely.

How to reset MFA for a team member:

  1. Go to Settings > Team in your organization's admin dashboard.
  2. Find the locked-out team member in the list and click their row to expand their options.
  3. Click "Reset MFA". You will be prompted to enter your own password to confirm the action.
  4. After confirmation, the team member's MFA is completely cleared. Their authenticator app connection, email verification setup, and all backup codes are removed.
  5. VoteAlly automatically sends an email notification to the affected team member informing them that their MFA was reset and by whom.

Important: Only Organization Owners and Super Admins can reset MFA for other users. Org Admins cannot perform this action. The reset is logged in the audit trail with the target user, the admin who performed the reset, and a timestamp.

After a reset: The team member can log in with just their password. They should immediately set up MFA again from their own Security Settings page to restore protection on their account.

Frequently Asked Questions

What happens if I lose access to my authenticator app?

You can sign in using one of the backup codes that were generated when you first enabled MFA. Each backup code can only be used once. If you have no remaining backup codes, ask your Organization Owner to reset your MFA from the team management page.

Can I switch from email MFA to an authenticator app?

Yes. First disable your current MFA method from the Security Settings page (you will need to enter your password to confirm). Then set up the new method. You cannot have both methods active at the same time.

Is MFA required for all VoteAlly admin accounts?

MFA is strongly recommended but not currently required by default. Organization Owners and Super Admins should enable it as a best practice, especially for accounts that manage elections and sensitive voter data.

How many backup codes do I get, and can I regenerate them?

You receive a set of backup codes when you first enable MFA. Each code is single-use. To get new codes, disable MFA and immediately re-enable it. The new setup process generates a fresh set of backup codes every time. Your old codes will stop working.

Does disabling MFA affect my active sessions?

Yes. When MFA is disabled, VoteAlly signs you out of all active sessions across all devices. You will need to log in again after disabling MFA.

Last updated: April 2, 2026
