HackerOne

Starting <b>July 29, 2025</b>, HackerOne will require <a href="https://docs.hackerone.com/en/articles/8505330-two-factor-authentication">two-factor authentication (2FA) </a>for all platform users. Those who do not set up 2FA by this time will be locked out of their accounts.

2FA will be mandatory for all HackerOne users unless signing in using SSO/SAML.

Account recovery alerts will no longer require a phone number, but it can still be optionally configured

Backup codes are critical for access recovery in the event you lose access to your 2FA device

2FA setup will rely on TOTP-based apps (e.g., Google Authenticator, Duo Mobile)

- 2FA will be mandatory for all HackerOne users unless signing in using SSO/SAML.
- Account recovery alerts will no longer require a phone number, but it can still be optionally configured
- Backup codes are critical for access recovery in the event you lose access to your 2FA device
- 2FA setup will rely on TOTP-based apps (e.g., Google Authenticator, Duo Mobile)

To set up 2FA on your devices, follow the instructions detailed <b><a href="https://docs.hackerone.com/en/articles/8505330-two-factor-authentication">here</a>.</b>

Why is 2FA now required for all researchers?

Security risk reduction: To better keep you and your vulnerability data secure. 2FA is standard across similar platforms. We’re aligning with those expectations to protect accounts and sensitive findings.

Government compliance: Programs operating within strict regulatory environments often cannot use SSO due to internal constraints and require robust, device-independent MFA enforcement.

Better account recovery: Recovery can be difficult if you’re ever in a restricted environment or without phone access. Enforcing platform-native 2FA provides a more reliable method for account access and support.

- Security risk reduction: To better keep you and your vulnerability data secure. 2FA is standard across similar platforms. We’re aligning with those expectations to protect accounts and sensitive findings.
- Government compliance: Programs operating within strict regulatory environments often cannot use SSO due to internal constraints and require robust, device-independent MFA enforcement.
- Better account recovery: Recovery can be difficult if you’re ever in a restricted environment or without phone access. Enforcing platform-native 2FA provides a more reliable method for account access and support.

2FA is now mandatory. If you do not set up 2FA by July 29, 2025, you will be prompted to complete the setup before accessing the platform and submitting reports. If you already use 2FA, you’re good to go.

- Authentication methods will include time-based one-time password (TOTP) apps (e.g., Google Authenticator, Duo Mobile, etc.). 

Account recovery will now be possible with backup codes only, reducing dependency on mobile access.

- 2FA is now mandatory. If you do not set up 2FA by July 29, 2025, you will be prompted to complete the setup before accessing the platform and submitting reports. If you already use 2FA, you’re good to go.
  - Authentication methods will include time-based one-time password (TOTP) apps (e.g., Google Authenticator, Duo Mobile, etc.). 
- Account recovery will now be possible with backup codes only, reducing dependency on mobile access.

There will be no impact on report submissions via API. 

What happens to my access to programs that require 2FA?

There will be no change for these programs. 

I lost access to my backup codes. How can I recover my account?

It is paramount to ensure you maintain access to your 2FA device at all times. It is also your responsibility to securely store the backup codes we provide you. If you’re not sure where they are, we recommend <a href="https://docs.hackerone.com/en/articles/8505330-two-factor-authentication">following these steps</a> to regenerate them now. In the unfortunate event that you lose access to both, please contact HackerOne support. 

I lost the ability to reset the 2FA after providing a valid email and password. Why?

This is by design. However, you can access your account with one of the backup codes. If you do not have these, you can also contact the support team. 

How often will I need to supply an authentication code? (Can I “remember this device”?) 

You will be required to enter a time-based one-time password (TOTP) code each time you log in as part of the 2FA process.

Will I get a warning before I am forced to set up 2FA?

Yes, you will receive a number of notifications before you are forced to complete 2FA setup. 

2FA FAQs for Researchers

Find answers and get help from Intercom Support and Community Experts

This site employs cookies and other technologies that we and our third party vendors use to monitor and record personal information about you and your interactions with the site (including content viewed, cursor movements, screen recordings, and chat contents) for the purposes described in our Cookie Policy. By continuing to visit our site, you agree to our {websiteTermsLink}, {privacyPolicyLink} and {cookiePolicyLink}.

This site uses cookies and similar technologies ("cookies") as strictly necessary for site operation. We and our partners also would like to set additional cookies to enable site performance analytics, functionality, advertising and social media features. See our {cookiePolicyLink} for details. You can change your cookie preferences in our Cookie Settings.

We use cookies to make our site work and also for analytics and advertising purposes. You can enable or disable optional cookies as desired. See our {cookiePolicyLink} for more details.

Advertising cookies are set by our advertising partners to collect information about your use of the site, our communications, and other online services over time and with different browsers and devices. They use this information to show you ads online that they think will interest you and measure the ads' performance. Social media cookies are set by social media platforms to enable you to share content on those platforms, and are capable of tracking information about your activity across other online services for use as described in their privacy policies.

These cookies enable the website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

These cookies are necessary for the website to function and cannot be switched off in our systems.

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site.

You have the right to opt out of the sale of your personal information. See our {cookiePolicyLink} for more details about how we use your data.

Your Privacy Choices

We use cookies to enhance your experience. You can customize your cookie preferences below. See our {cookiePolicyLink} for more details.

Cookie Settings

Link, Press control-option-right-arrow to exit

Empty Help Center

Uh oh. That page doesn’t exist.

Disappointed

Neutral

Smiley

Thinking...

Searching through sources...

Analyzing...

Tickets submitted through the messenger or by a support agent in your conversation will appear here.

2FA FAQs for Researchers

What is changing?

How do I set up 2FA?