What is changing?
Starting July 29, 2025, HackerOne is making two-factor authentication (2FA) mandatory for all platform users who do not sign in with SSO/SAML. If you sign in with SSO/SAML, this change does not affect you. If you have not configured 2FA by July 29, 2025, you will be prompted to complete the setup on that date before you can proceed on the platform.
2FA will be mandatory for all users who do not sign in using SSO/SAML
2FA setup will rely on TOTP-based apps (e.g., Google Authenticator, Duo Mobile)
Account recovery alerts will no longer require a phone number, though one can still be configured optionally
Backup codes are issued during 2FA setup and are required to recover access if you lose access to your 2FA device
How do I set up 2FA?
To set up 2FA on your devices, follow the instructions detailed here.
How is this different from what is offered today?
Today, 2FA is optional. Any user can set it up using a TOTP-compatible app like Google Authenticator or Duo Mobile. Additionally, program owners can enforce 2FA for researchers on a per-program basis, requiring it only when submitting reports to their programs.
From July 29, 2025, all HackerOne users who do not log in using SSO/SAML will be prompted to complete the 2FA setup.
This shifts 2FA from a configurable option to a platform-wide requirement, to strengthen account security and reduce access risk for everyone.
Why is 2FA now mandatory (unless using SSO/SAML)?
We’re requiring two-factor authentication (2FA) for all platform accounts not using SSO/SAML to better protect sensitive vulnerability data and to align with industry best practice.
Security standards: 2FA is a baseline requirement for security platforms today. Enforcing it helps reduce the risk of unauthorized access.
Compliance-ready: Some of our most security-conscious customers can’t use SSO and rely on strong, device-independent MFA to meet internal and government compliance requirements.
Improved recovery: Many users struggle with account recovery when mobile devices are inaccessible, especially in restricted environments. Enforcing TOTP-based 2FA with backup codes makes access more resilient and less dependent on mobile hardware, because the TOTP secret can be provisioned into any compatible authenticator app and the backup codes work without any device.
How does this impact customers?
It enforces 2FA for all users in organizations when SSO/SAML is not in use.
There is no longer a dependency on mobile numbers for recovery: users can recover access using the backup codes generated during 2FA setup.
What happens if I don't configure 2FA in time?
If SSO/SAML is not offered through your organization, you will be prompted to complete 2FA setup before proceeding to the platform. If you are using SSO/SAML, you will be able to access the platform like you did before.
What if I don't want to use 2FA?
You can contact your administrator to configure SSO/SAML for your organization; however, until SSO/SAML is in use, you will need to sign in using 2FA. Click here to find out which providers are supported with the HackerOne platform.
I lost access to my backup codes. How can I recover my account?
It is paramount that you maintain access to your 2FA device at all times. It is also your responsibility to store securely the backup codes we provide you. If you are not sure where they are, we recommend following these steps to regenerate them now. In the unfortunate event that you lose access to both, please contact HackerOne support.
I lost the ability to reset the 2FA after providing a valid email and password. Why?
This is by design: if 2FA could be reset with only an email address and password, anyone holding a stolen password could remove the second factor. You can still access your account with one of your backup codes. If you do not have them, contact the support team.
How often will I need to supply an authentication code? (Can I “remember this device”?)
No. You will be required to enter a time-based one-time password (TOTP) code each time you log in as part of the 2FA process; there is no "remember this device" option.
Will I get a warning before I am forced to set up 2FA?
Yes. You will receive several notifications before you are required to complete 2FA setup.