Multi-factor authentication (MFA) adds an extra level of security to your account. This feature is currently optional and available for all plan types. However, it's not accessible for Assistants (a Pro plan feature) or guest accounts.
Our MFA technique uses a method called 'time-based one-time password (TOTP)'. This means that when you log in, in addition to your email (or account nickname) and login password, you'll also need to enter a unique one-time code that changes every 30 seconds. This code is generated by an authenticator app you have installed on your device.
- Enable MFA
- New to authenticator apps
- iOS Passwords (Settings App)
- How to use backup codes
- Regenerate backup codes
- Disable MFA
- Lost access to MFA token and backup codes
Enable MFA.
Visit your Account Settings to enable MFA. Select the profile icon in the upper-right corner of your account > Account Settings > Me > Account, then scroll down to the MFA section.
Click on the Get Started button.
Step 1.
Once you click Get Started, open your favorite authenticator app.
Step 2.
While in your authenticator app, scan the QR code. This will allow your authenticator app to generate a one-time code you'll enter in Step 3 to activate MFA.
If you're unable to scan the QR code, you can instead type in the code shown below the QR code.
New to authenticator apps? There is a variety to choose from, such as 1Password, Google Authenticator, and Authy.
Step 3.
Once you've scanned the QR code and saved the changes, you should now see a one-time code in your auth app for your SmugMug login. Enter that one-time code into the box in Step 3.
Click on Activate.
Next, you'll be provided with eight single-use backup codes. Store these in a safe place! If you lose access to your authenticator app, these single-use backup codes allow you to still log in. It's very important to save these in a safe place.
After you've saved the backup codes in a secure place, click on Got It, and you're all set! MFA is now enabled on your account.
Next time you log in to your SmugMug account, you'll first enter your email address (or account nickname) and password, followed by your one-time code from your authenticator app.
iOS Passwords (Settings App).
Trouble finding your one-time code after enabling MFA? If you're on an iOS device and you scanned the QR code with your device's camera rather than from within an authenticator app, your MFA was not set up using an authenticator app. Instead, it was set up using Apple's one-time password feature found in the Settings app. This iOS feature can serve as an authenticator app by providing one-time codes.
This may cause confusion, so we recommend checking out Apple's article on their feature.
How to use backup codes.
When setting up MFA the first time, you're provided with eight single-use backup codes to use in the event you lose access to your authenticator app. These codes can only be used one time each.
When you log in to your account, enter your email address (or account nickname) and password, then enter one of the single-use backup codes instead of the one-time code from your authenticator app.
If you've only temporarily lost access to your authenticator app, once you are logged in, you can regenerate the backup codes to have eight new codes. However, if you've permanently lost access to your authenticator app, once you are logged in to your SmugMug account, you'll want to consider disabling MFA so that you can set it up again with a new authenticator app.
Regenerate backup codes.
These backup codes can be regenerated when you're logged in to your SmugMug account. Friendly reminder: be sure you back up the new codes in a safe place because all previous backup codes will be invalid after using the regenerate option.
To regenerate the codes, visit your Account Settings and click on the button to Regenerate Backup Codes.
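The sketch below is an added example, not SmugMug's code: it shows how a 30-second TOTP code is derived from the secret carried by the QR code (RFC 6238) and how a server could enforce single-use backup codes that are invalidated on regeneration. The 6-digit length, SHA-1, the one-step clock tolerance, the hex backup-code format and the `SecondFactor` class are assumptions for illustration.

```python
import base64, hashlib, hmac, secrets, struct, time

STEP = 30    # seconds per code, as stated in the article
DIGITS = 6   # assumption: the common authenticator default
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real account

def totp(secret_b32, at=None, digits=DIGITS):
    """RFC 6238 code for the base32 secret carried by the QR code."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int((time.time() if at is None else at) // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

class SecondFactor:
    """Hypothetical per-account record a server might keep."""
    def __init__(self, secret_b32):
        self.secret = secret_b32
        self.last_counter = -1       # highest time step already accepted
        self.backup_hashes = set()   # only hashes of backup codes are stored

    def regenerate_backup_codes(self, count=8):
        codes = [secrets.token_hex(5) for _ in range(count)]
        self.backup_hashes = {_digest(c) for c in codes}  # replaces the old set
        return codes

    def verify(self, submitted, at=None):
        now = time.time() if at is None else at
        for drift in (0, -1, 1):     # assumption: tolerate one step of clock skew
            counter = int(now // STEP) + drift
            if counter <= self.last_counter:
                continue             # step already used (or older): no replay
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_counter = counter
                return "totp"
        if _digest(submitted) in self.backup_hashes:
            self.backup_hashes.discard(_digest(submitted))  # single use
            return "backup"
        return None

if __name__ == "__main__":
    account = SecondFactor(SAMPLE_SECRET)
    print(totp(SAMPLE_SECRET, at=59), account.verify(totp(SAMPLE_SECRET, at=59), at=59))
```

Storing only hashes of the backup codes means a leaked server record does not directly reveal usable codes, and replacing the whole set on regeneration is what makes the earlier codes stop working.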
Disable MFA.
You'll need to be logged in to your SmugMug account to disable MFA. Navigate to your Account Settings > Me > Account and click on the Disable button in the MFA section.
Lost access to MFA authenticator app and backup codes.
If you lose access to your authenticator app, and also lose your single-use backup codes, you'll need to reach out to our Support Heroes for assistance. For the privacy and security of any account, an account verification process will be followed in order to have MFA disabled on your account so you can log in and set up MFA again.