
Multi-Factor Authentication

Multi-factor authentication (MFA) adds an essential layer of security to your Guardian Pro account. With MFA enabled, signing in requires both your password and a time-based verification code from an authenticator app, making it significantly harder for unauthorized users to access your account even if your password is compromised.

Why MFA Matters

Guardian Pro provides access to sensitive information about your AWS infrastructure -- security findings, resource configurations, cost data, and the ability to remediate issues. Protecting access to this information is critical.

Risk without MFA / Protection with MFA

Risk without MFA: A compromised password grants full access to your Guardian Pro account.
Protection with MFA: A compromised password alone is not sufficient; the attacker also needs the current code from your authenticator device.

Risk without MFA: Phishing attacks can capture credentials.
Protection with MFA: A captured code expires within 30 seconds and cannot be reused later. A phishing site that relays your password and code to Guardian Pro in real time can still get in, so confirm you are on the genuine login page before entering a code.

Risk without MFA: Shared or weak passwords create vulnerability.
Protection with MFA: Even a weak password is still protected by the second factor.
tip

Guardian Pro strongly recommends enabling MFA for all users, especially those with remediation permissions. Enterprise plans can enforce MFA as an organizational policy.

Setting Up MFA

Prerequisites

You need an authenticator app installed on your mobile device. Guardian Pro supports any authenticator app that implements TOTP (Time-based One-Time Password, RFC 6238), including:

  • Google Authenticator (iOS / Android)
  • Microsoft Authenticator (iOS / Android)
  • Authy (iOS / Android / Desktop)
  • 1Password (iOS / Android / Desktop)

Enable MFA

  1. Sign in to Guardian Pro with your existing credentials.
  2. Navigate to your profile settings by clicking your name or avatar in the top-right corner.
  3. Select Security or MFA Settings.
  4. Click Enable MFA.
  5. A QR code is displayed on screen.
  6. Open your authenticator app and scan the QR code.
  7. Enter the 6-digit verification code from your authenticator app into Guardian Pro.
  8. Click Verify and Enable.
info

If you cannot scan the QR code (for example, if you are using a desktop authenticator), click Show secret key to reveal a text-based setup key that you can enter manually into your authenticator app. Treat this key like a password: anyone who obtains it can generate your verification codes, so do not save it in a file, screenshot or message.

Backup and Recovery

When you enable MFA, Guardian Pro provides recovery codes. These are one-time-use codes that allow you to regain access if you lose your authenticator device.

caution

Save your recovery codes in a secure location immediately. Each recovery code can only be used once. If you lose both your authenticator device and your recovery codes, you will need to contact support to regain access to your account.

Best practices for recovery codes:

  • Store them in a password manager, in a separate entry from your Guardian Pro password, so that one exposed entry does not reveal both factors.
  • Print a physical copy and store it securely (for example, in a locked drawer or safe).
  • Do not store them alongside your password in the same file, note or email.
  • Do not share them with anyone.
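As an added illustration (example code, not Guardian Pro's implementation, which the page does not describe), the following shows how a service can make recovery codes genuinely one-time-use: only salted hashes are stored, a code is deleted the moment it is redeemed, and a second submission of the same code is refused. The code format, the count of eight, and the RecoveryCodeStore class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import List

# Alphabet without 0/o, 1/l/i so a printed copy is hard to mistype (assumption, not the page's format).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10        # 31^10 is roughly 2^49, far beyond online guessing
CODE_COUNT = 8          # number of codes issued per set (assumption)


def generate_recovery_code() -> str:
    """One random code, rendered as xxxxx-xxxxx for readability."""
    chars = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    return f"{chars[:5]}-{chars[5:]}"


def _normalise(code: str) -> str:
    """Accept what a user is likely to type: any case, with or without the dash or spaces."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def hash_recovery_code(code: str, salt: bytes) -> str:
    """Salted SHA-256 of the normalised code. Codes are high-entropy random strings,
    not human-chosen passwords, so a slow password KDF is unnecessary here."""
    return hashlib.sha256(salt + _normalise(code).encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side state for one account: a per-account salt and the hashes of the
    codes that have NOT yet been used. Plaintext codes are shown once and never kept."""

    def __init__(self, count: int = CODE_COUNT) -> None:
        self.count = count
        self.salt = secrets.token_bytes(16)
        self.hashes: List[str] = []

    def issue(self) -> List[str]:
        """Create a fresh set, replacing any previous one (as when MFA is re-enabled).
        The returned plaintext is displayed to the user exactly once."""
        codes = [generate_recovery_code() for _ in range(self.count)]
        self.hashes = [hash_recovery_code(c, self.salt) for c in codes]
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume one code. Returns True the first time a valid code is presented;
        the hash is removed, so the same code returns False on any later attempt."""
        candidate = hash_recovery_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(stored, candidate):   # constant-time comparison
                del self.hashes[i]
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; a UI would warn the user to reissue when this is low."""
        return len(self.hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    issued = store.issue()
    print("show these once:", issued)
    print("first use accepted:", store.redeem(issued[0]))
    print("same code again:", store.redeem(issued[0]))
    print("codes left:", store.remaining())
```

Because the server keeps only hashes, a database leak does not hand an attacker a working code, and because a redeemed hash is deleted rather than flagged, there is no state an attacker can reset to make a spent code valid again.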

Signing In with MFA

Once MFA is enabled, the sign-in process adds one additional step:

  1. Navigate to the Guardian Pro login page.
  2. Enter your email and password as usual.
  3. You are prompted for a verification code.
  4. Open your authenticator app and enter the current 6-digit code.
  5. Click Verify to complete sign-in.
note

Verification codes refresh every 30 seconds. If a code does not work, wait for the next code to appear in your authenticator app. Also ensure that your device's clock is synchronized -- time-based codes depend on accurate system time.
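To make the note above concrete, here is an added example (not Guardian Pro's code and not from this page) that implements the RFC 6238 time-based code both the authenticator app and the server compute, with the 30-second step and 6-digit length the page describes. It uses the published RFC 6238 test secret rather than a real setup key, a fixed server clock so the run is reproducible, and a hypothetical verify_totp function showing how a server can tolerate a little clock drift while rejecting a code from a clock that is minutes off, or a code that has already been used.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the page's "codes refresh every 30 seconds"
DIGITS = 6          # the page's "6-digit verification code"


def decode_base32_secret(secret_b32: str) -> bytes:
    """Decode the text setup key the way an authenticator app does: apps accept
    lower case, spaces and a missing '=' padding, so normalise before decoding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). App and server both
    compute this, which is why a wrong device clock yields a code the server rejects."""
    return hotp(decode_base32_secret(secret_b32), unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, server_time: int,
                last_accepted_counter: Optional[int] = None,
                drift_steps: int = 1, step: int = STEP_SECONDS,
                digits: int = DIGITS) -> Optional[int]:
    """Hypothetical server-side check. Returns the matching time-step counter
    (which the caller stores as last_accepted_counter), or None.
    - accepts the current step plus +/- drift_steps neighbours, so a clock a few
      seconds off still works, but a clock minutes off does not;
    - refuses any counter <= last_accepted_counter, so a code captured by phishing
      cannot be replayed even inside its 30-second window (RFC 6238 section 5.2);
    - compares digits in constant time."""
    key = decode_base32_secret(secret_b32)
    now = server_time // step
    for delta in range(-drift_steps, drift_steps + 1):
        counter = now + delta
        if last_accepted_counter is not None and counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            return counter
    return None


# RFC 6238 Appendix B test secret ("12345678901234567890" in base32). A real setup key is random.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    server_now = 1111111109                       # fixed server clock for a reproducible run
    code_now = totp(RFC_SECRET, server_now)       # '081804' (RFC 6238 vector 07081804, last 6 digits)
    code_next = totp(RFC_SECRET, server_now + 2)  # next step starts at 1111111110: '050471'
    code_far = totp(RFC_SECRET, server_now + 90)  # a device clock three steps ahead
    first = verify_totp(RFC_SECRET, code_now, server_now)
    print("current code accepted, counter:", first)
    print("next-step code (small drift) accepted, counter:", verify_totp(RFC_SECRET, code_next, server_now))
    print("code from a clock 90 s off:", verify_totp(RFC_SECRET, code_far, server_now))
    print("replay of the code just used:", verify_totp(RFC_SECRET, code_now, server_now, last_accepted_counter=first))
    print("live code for this second:", totp(RFC_SECRET, int(time.time())))
```

The drift window is the reason "wait for the next code" usually fixes a rejection: the server is already willing to accept the neighbouring step, so only a clock that is off by more than that window, or a mistyped secret key, produces codes that never match.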

Managing MFA

Disabling MFA

If you need to disable MFA (for example, when switching authenticator apps):

  1. Navigate to your profile settings > Security.
  2. Click Disable MFA.
  3. Enter a current verification code from your authenticator app to confirm.
  4. MFA is disabled immediately.
caution

Disabling MFA reduces the security of your account: until you re-enable it, your password alone is enough to sign in. If you are switching authenticator apps, disable MFA and immediately re-enable it in the same sitting to register the new app. Re-enabling runs the setup flow again and issues a new set of recovery codes, so delete the old entry from your previous authenticator app and discard the old recovery codes.

Resetting MFA

If you have lost access to your authenticator app and have recovery codes:

  1. On the login page, enter your email and password.
  2. When prompted for the MFA code, click Use a recovery code.
  3. Enter one of your saved recovery codes.
  4. After signing in, navigate to profile settings > Security.
  5. Disable the current MFA configuration and set up a new one.

Lost Access Without Recovery Codes

If you have lost both your authenticator device and your recovery codes:

  1. Contact Guardian Pro support from the email address associated with your account.
  2. Support will verify your identity through your organization's administrator.
  3. Once verified, your MFA will be reset and you can set it up again.
info

Identity verification for MFA resets typically requires confirmation from an organization administrator. This safeguard prevents unauthorized MFA resets.

Organizational MFA Policies

Enforcing MFA (Enterprise)

Enterprise plan administrators can enforce MFA across their entire organization:

  1. Navigate to Settings > Organization.
  2. Under Security Policies, enable Require MFA for all users.
  3. All users without MFA enabled will be prompted to set it up on their next login.
  4. Users will not be able to bypass the MFA setup requirement.

Monitoring MFA Adoption

Administrators can view which users have MFA enabled:

  1. Navigate to Settings > Users.
  2. The user list shows an MFA status column indicating whether each user has MFA enabled.

Onboarding New Users

When a new user is invited to your Guardian Pro organization:

  1. They receive an invitation email with a link to create their account.
  2. After setting their password, they are prompted to set up MFA (if your organization requires it).
  3. If MFA is optional, they can skip setup initially and enable it later from their profile.

Troubleshooting

Code Not Accepted

  • Ensure your device's clock is accurate. Time-based codes are derived from the current time, and the server accepts only codes within a narrow window around its own clock (typically one 30-second step either side), so set your phone to update its clock automatically from the network.
  • Wait for the next code to appear (codes refresh every 30 seconds) and enter it before it expires.
  • If you entered the secret key manually, verify it was typed correctly in your authenticator app; a single wrong character produces codes that never match.

Lost Authenticator Device

  • Use one of your saved recovery codes to sign in.
  • After signing in, disable the old MFA and set up a new one with your replacement device.
  • If you have no recovery codes, contact support.

Multiple Guardian Pro Accounts

If you have multiple Guardian Pro accounts (for example, across different organizations), ensure your authenticator app labels each entry clearly so you use the correct code for each account.

Next Steps