Two-Factor Authentication

Hackers: Two-factor authentication (2FA) setup instructions

Updated this week

Important: As of July 29, 2025, two-factor authentication (2FA) will be required for all users of the HackerOne Platform when SSO/SAML is not in use.

  • 2FA will be mandatory for all users who do not sign in using SSO/SAML

  • 2FA setup will rely on TOTP-based apps (e.g., Google Authenticator, Duo Mobile)

  • Account recovery alerts will no longer require a phone number, but it can still be optionally configured

  • Backup codes are provided and required to recover access in the event you lose access to your 2FA device

Two-factor authentication (2FA) adds an extra layer of protection against account compromise. You can set it up using any device capable of generating time-based one-time password (TOTP) authentication codes, and then use those codes to log in to your HackerOne account. Google Authenticator, Duo Mobile, or any other compatible application can generate the codes.

Setup

To set up two-factor authentication for your profile:

  1. Go to your profile settings by clicking on your profile in the top right corner and then selecting User settings.

  2. Click Security.

  3. Click Turn on to enable 2FA.

  4. Open your authentication app and click Add device or scan the QR code on your HackerOne screen.

    1. Tip: You can enter your secret key manually if you can't scan the QR code.

  5. Click Next.

  6. Save your backup codes.

    1. Important: This is the only time you will be able to do this. If you lose them, you will have to generate new ones.

  7. Click Next.

  8. Enter your verification code from your 2FA app, one of the backup codes, and your account password as prompted.

  9. Click Save.

Once your two-factor authentication has been verified, you'll be prompted to enter a 6-digit verification code from your authentication application each time you log in to HackerOne. You must enter the verification code to log in successfully.

Account Recovery

When logging in, you will be asked for your authentication code. You can generate this code from an authentication app. However, if you do not have access to an authenticator, you can use one of the backup codes generated during the 2FA setup.

To use the backup codes instead:

  1. Click Use a backup code

  2. Enter the backup code

  3. Click Verify

If you do not have access to your authenticator app and can’t find your backup codes, contact HackerOne Support.

Regenerating Codes

  1. To regenerate your codes, go to Profile settings

  2. Go to Security

  3. Click Regenerate

  4. Store your backup codes

  5. Enter your password, one of the new backup codes, and a code from the authenticator

    1. This code can still be used again; this does not count as one of the uses

  6. Click Save