WebAuthn & MFA
MergeGuide supports WebAuthn/passkeys and TOTP-based multi-factor authentication on all plans. Admins can enforce MFA org-wide.
Supported MFA Methods
| Method | Type | Notes |
|---|---|---|
| Security keys (YubiKey, etc.) | WebAuthn hardware | Phishing-resistant |
| Platform authenticators | WebAuthn built-in | Face ID, Touch ID, Windows Hello |
| TOTP apps | Time-based OTP | Google Authenticator, Authy, 1Password |
| Backup codes | Recovery | One-time use, 8 codes per account |
Registering a Security Key (YubiKey)
Hardware security keys (YubiKey 5, Google Titan, etc.) are the strongest MFA option. They are phishing-resistant because the browser binds each credential to the site's origin: the key is scoped to MergeGuide's relying-party ID, and the signed response records the origin the browser actually sent it from, so a lookalike site on another domain cannot obtain a response that MergeGuide will accept.
Go to security settings
Go to Account Settings > Security > Multi-Factor Authentication > Add Security Key.
Name your key
Enter a descriptive name (e.g., “YubiKey 5 NFC — desk”) to identify this authenticator later.
Insert and tap the key
When prompted, insert your YubiKey into a USB port (or hold it near your NFC reader for NFC models) and touch the gold contact. The browser handles the WebAuthn ceremony.
Registering a Platform Authenticator
Platform authenticators are built into your device: Face ID and Touch ID on Apple devices, Windows Hello on Windows 10/11, and biometric sensors on Android. They create a passkey. Depending on the platform, that passkey is synced across your devices by a credential manager such as iCloud Keychain or Google Password Manager, or stays bound to the device it was created on (as with Windows Hello), so register a second method in case you lose that device.
Go to security settings
Go to Account Settings > Security > Multi-Factor Authentication > Add Passkey.
Authenticate with your device
Your browser prompts you to authenticate with the device’s built-in method (Face ID, fingerprint, PIN, etc.).
Setting Up TOTP
Time-based one-time passwords work with any authenticator app (Google Authenticator, Authy, 1Password, Bitwarden, Microsoft Authenticator).
Go to security settings
Go to Account Settings > Security > Multi-Factor Authentication > Set Up Authenticator App.
Scan the QR code
Scan the displayed QR code with your authenticator app. If you cannot scan it, use the manual entry key shown below the QR code. Treat the QR code and manual key as a secret: anyone who captures them can generate your codes.
Enter the verification code
Enter the 6-digit TOTP code shown in your app to confirm successful setup.
Backup Codes
Backup codes are generated when you first enable MFA. Each code is single-use. Store them somewhere you can reach without the device you use for MFA, such as a password manager or a printed copy. To view or regenerate codes: Account Settings > Security > Multi-Factor Authentication > Backup Codes > View. Regenerating invalidates the previous set.
Managing Registered Authenticators
View and remove authenticators at Account Settings > Security > Multi-Factor Authentication. To remove an authenticator:
- Click Remove next to the authenticator
- Confirm removal by completing an authentication challenge with another registered method
Admin: Enforce MFA
Organization Owners and Admins can require MFA for all members.
- Go to Settings > Security > Authentication
- Enable Require multi-factor authentication
- Set a Grace period — members have this many hours to enroll before being locked out (minimum 1 hour, maximum 7 days)
- New members must enroll in MFA before accessing any dashboard features
- Existing members who have not enrolled are redirected to the MFA setup flow on next sign-in
- Members who do not enroll within the grace period are suspended until they complete enrollment
MFA enforcement does not apply to members who sign in only through SSO, because MergeGuide never sees their second factor. If you use SAML or OIDC SSO, enforce MFA at the IdP level instead, and make sure your IdP policy actually requires it for the MergeGuide application.
Troubleshooting
Security key not recognized
- Verify your browser supports WebAuthn (Chrome, Firefox, Safari, Edge — all current versions do)
- Try a different USB port or use NFC if your key supports it
- On Linux, some USB security keys require a udev rule granting the logged-in user access to the device. The example below matches Yubico's USB vendor ID (1050); substitute your vendor's ID for other keys. Save it as a file under /etc/udev/rules.d/ (for example 70-u2f.rules), then run udevadm control --reload-rules and udevadm trigger, or re-plug the key. Yubico and the libfido2 project publish ready-made rule files if you prefer not to write your own.

```
SUBSYSTEM=="usb", ATTR{idVendor}=="1050", TAG+="uaccess"
```