Understanding Two-Factor Authentication (2FA)
Learn when to enable Spherium.ai's built-in email-based Two-Factor Authentication
Spherium.ai provides built-in Two-Factor Authentication (2FA) for organizations that use Spherium.ai Password Login. When enabled, users are required to verify their identity with a one-time passcode (OTP) delivered to the email address associated with their Spherium.ai account before they can successfully sign in.
If your organization authenticates users through Microsoft Login, Google Login, or Custom Single Sign-On (SSO), Spherium.ai recommends leaving the built-in 2FA option disabled. These identity providers typically enforce their own Multi-Factor Authentication (MFA) policies, making an additional email-based verification unnecessary.
Before You Begin
Before enabling Two-Factor Authentication:
- You must be assigned the Organization Administrator role.
- Your organization must have Password Login enabled.
- Users must have access to the email address associated with their Spherium.ai account.
How Spherium.ai Two-Factor Authentication Works
When Require 2 Factor Authentication (2FA) is enabled:
1. A user signs in using their Spherium.ai username and password.
2. Spherium.ai sends a one-time passcode (OTP) to the email address associated with the user's account.
3. The user enters the OTP on the verification screen.
4. After the OTP is successfully validated, the user is signed in.
The OTP is unique for each login attempt and expires after a short period of time to help protect your account.
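The properties described above (one code per login attempt, short expiry, single use) can be sketched server-side as follows. This is an added example, not Spherium.ai's code: the function names, the 6-digit format, the 5-minute lifetime, the 5-guess cap, and the in-memory store are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed; the page only says "a short period of time"
MAX_ATTEMPTS = 5       # assumed cap on wrong guesses; not stated on the page

# login_attempt_id -> pending challenge; in-memory stand-in for a server-side store
_pending = {}


def _digest(code):
    # Store only a hash so a leaked store does not reveal live codes.
    return hashlib.sha256(code.encode()).digest()


def issue_otp(login_attempt_id, now=None):
    """Create a fresh 6-digit code bound to one login attempt."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
    _pending[login_attempt_id] = {
        "hash": _digest(code),
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return code  # emailed to the account's address, never sent to the browser


def verify_otp(login_attempt_id, submitted, now=None):
    """True only for the unexpired code issued for this attempt; consumes it."""
    now = time.time() if now is None else now
    entry = _pending.get(login_attempt_id)
    if entry is None:
        return False
    if now >= entry["expires_at"]:
        del _pending[login_attempt_id]  # expired codes are discarded
        return False
    if not hmac.compare_digest(entry["hash"], _digest(submitted)):
        entry["attempts"] += 1
        if entry["attempts"] >= MAX_ATTEMPTS:
            del _pending[login_attempt_id]  # force a new login attempt
        return False
    del _pending[login_attempt_id]  # single use: a replayed code fails
    return True
```

The guess cap matters because a 6-digit code has only one million possible values; without a cap and an expiry, the second factor could be guessed within its lifetime.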
When Should I Enable Two-Factor Authentication?
Spherium.ai recommends enabling the built-in 2FA feature when your organization uses Spherium.ai Password Login.
Adding an email-based verification step helps protect user accounts if a password is compromised and provides an additional layer of security for organizations that do not use an external identity provider.
Typical use cases include:
- Organizations using Spherium.ai Password Login
- Trial or evaluation environments
- Small and medium-sized businesses
- Organizations without Microsoft Entra ID, Google Workspace, or another enterprise identity provider
When Should I Leave Two-Factor Authentication Disabled?
If your organization authenticates users through any of the following providers, Spherium.ai recommends leaving the built-in 2FA option disabled:
- Microsoft Login
- Google Login
- Custom Single Sign-On (SSO)
These providers typically enforce their own authentication and Multi-Factor Authentication (MFA) policies before users are authenticated by Spherium.ai.
Enabling Spherium.ai email-based 2FA in addition to your identity provider's MFA may require users to complete two authentication challenges during sign-in and generally provides little additional benefit.
Recommended Authentication Configurations
| Authentication Method | Enable Spherium.ai 2FA? |
|---|---|
| Password Login | Yes |
| Microsoft Login | No |
| Google Login | No |
| Custom Single Sign-On (SSO) | No |
Best Practice: If your organization uses Microsoft Entra ID, Google Workspace, or another enterprise identity provider, configure your organization's MFA policies within that identity provider and leave Spherium.ai's built-in email-based 2FA disabled.
Frequently Asked Questions
What type of Two-Factor Authentication does Spherium.ai use?
Spherium.ai uses a one-time passcode (OTP) that is delivered to the email address associated with the user's account.
Does Spherium.ai support authenticator apps?
No. The built-in Two-Factor Authentication feature currently uses email-based one-time passcodes (OTP).
Should I enable Spherium.ai 2FA if I use Microsoft Login or Google Login?
No. Organizations using Microsoft Login, Google Login, or Custom SSO should generally rely on their identity provider's Multi-Factor Authentication (MFA) capabilities instead of enabling Spherium.ai's built-in email-based 2FA.
Can I enable multiple authentication methods?
Yes. Organizations can enable multiple authentication methods. If Password Login remains enabled, Spherium.ai recommends enabling built-in 2FA to provide additional protection for users who authenticate with a username and password.
What happens if a user cannot access their email?
The user will not be able to complete the authentication process until they regain access to the email address associated with their Spherium.ai account. Organization Administrators should ensure users maintain access to their registered email addresses.
Best Practices
- Enable Spherium.ai Two-Factor Authentication when using Password Login.
- Leave the built-in 2FA option disabled when using Microsoft Login, Google Login, or Custom SSO.
- Encourage users to maintain access to the email address associated with their account.
- Review your organization's authentication settings periodically to ensure they align with your security policies.