Esqase

Two-factor authentication (2FA)

Two-factor authentication adds a second step to your sign-in. After you enter your email and password, Esqase also asks for a short, time-sensitive code that only you can get. This means that even if someone learns your password, they still cannot reach your firm's data without that second factor. This page explains what 2FA is, how to turn it on, how to save and use your recovery codes, what signing in looks like once it is on, and how a firm owner can require it for everyone.

Two-factor authentication aligns with the security expectations of a legal practice, including SOC 2, ISO 27001, and HIPAA. Turning it on is one of the simplest things you can do to protect your account and your clients.

Before you begin

  • Two-factor authentication is set up per person from your account settings. Turning it on affects only your own sign-in, unless your firm owner has made it a firm-wide requirement (see Require two-factor authentication for your whole firm).
  • You can secure your account with an authenticator app or with email.
  • If you choose the authenticator-app method, install an authenticator on your phone first. Common ones are Google Authenticator, Authy, and 1Password. Any app that generates 6-digit codes will work.
  • When you turn 2FA on, Esqase gives you ten recovery codes. Have somewhere safe to store them (a password manager is ideal). You will need one if you ever lose access to your authenticator or email.

Tip: The authenticator-app method works even when your phone has no signal or internet, because the codes are generated on the device itself. The email method is simpler to set up but depends on you being able to open your inbox when you sign in.

Where to find it

Your two-factor settings live in your account settings, on a tab called Security.

  1. In the bottom-left corner of the sidebar, click your name and photo to open the account menu.
  2. Click Account.
  3. In the left navigation list, click Security.

You can also reach the same place from the Settings hub: open Settings, then in the Personal group click the Security card.

📷 Screenshot: The account settings Security tab, showing the two-factor authentication status and the Enable button (when 2FA is off). Suggested image: images/account-and-firm/two-factor-security-tab.png

Turn on two-factor authentication

Enabling 2FA takes a minute. You pick a method, prove it works by entering a code once, and then save your recovery codes.

  1. Open Account > Security (see Where to find it).
  2. Click Enable.
  3. Choose how you want to receive your codes:
    • Authenticator app. Use an app on your phone (Google Authenticator, Authy, 1Password, or similar) to generate 6-digit codes.
    • Email. Receive a 6-digit code by email each time you sign in.
  4. Complete the steps for the method you picked (see the two sections below).
  5. Enter the 6-digit verification code to confirm the method is working, then save your recovery codes.

Once you finish, the Security tab shows two-factor authentication as on, along with the method you chose.

📷 Screenshot: The Enable two-factor authentication screen with the method choices: Authenticator app and Email. Suggested image: images/account-and-firm/two-factor-method-choice.png

Set up the authenticator-app method

  1. After you choose Authenticator app, Esqase shows a QR code and a secret key.
  2. Open your authenticator app and add a new account:
    • The quickest way is to scan the QR code with your app's camera.
    • If you cannot scan it, choose your app's manual-entry option and type in the secret key shown on screen instead.
  3. Your authenticator now lists Esqase and shows a 6-digit code that refreshes every 30 seconds.
  4. Back in Esqase, type the current 6-digit code into the verification field.
  5. Click the confirm button. If the code is correct, Esqase moves you on to your recovery codes.

Important: The 6-digit code in your authenticator changes every 30 seconds. If yours is about to refresh, wait for the new code and enter that one, so it does not expire while you type.

📷 Screenshot: The authenticator setup step showing the QR code, the secret key for manual entry, and the field to enter the 6-digit code. Suggested image: images/account-and-firm/two-factor-authenticator-setup.png
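
The codes in this section behave like standard time-based one-time passwords (TOTP, RFC 6238), the scheme that apps such as Google Authenticator, Authy and 1Password generate. The sketch below is an added example, not Esqase's own code: it assumes HMAC-SHA1 with the 30-second step and 6 digits described above, uses the published RFC 6238 test key as a constructed secret, and treats `drift_steps` as a hypothetical server setting the page does not mention.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # refresh interval described on this page
DIGITS = 6         # code length described on this page

# Constructed sample: the published RFC 6238 test key, base32-encoded the way
# a secret key for manual entry is normally displayed.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """Code for the 30-second window containing unix_time (no network needed)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: int, drift_steps: int = 0) -> bool:
    """Check a submitted code; drift_steps (assumed) tolerates adjacent windows."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = unix_time + delta * STEP_SECONDS
        if t < 0:
            continue
        # Constant-time compare, and no early exit on a match.
        ok |= hmac.compare_digest(totp(secret_b32, t).encode(), submitted.encode())
    return ok


def seconds_until_refresh(unix_time: int) -> int:
    return STEP_SECONDS - unix_time % STEP_SECONDS


if __name__ == "__main__":
    typed_at = 59  # one second before the window closes
    code = totp(DEMO_SECRET_B32, typed_at)
    print(code, "valid for", seconds_until_refresh(typed_at), "more second(s)")
    print("submitted at t=60, strict:", verify(DEMO_SECRET_B32, code, 60))
    print("submitted at t=60, one step of drift:", verify(DEMO_SECRET_B32, code, 60, 1))
```

With a strict check, a code read one second before the refresh is rejected once the window rolls over, which is why waiting for the new code is the safer habit.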

Set up the email method

  1. After you choose Email, Esqase sends a 6-digit code to the email address you sign in with.
  2. Open your inbox and find the message from Esqase containing the code.
  3. Back in Esqase, type the 6-digit code into the verification field.
  4. Click the confirm button. If the code is correct, Esqase moves you on to your recovery codes.

Tip: If the email does not arrive within a minute, check your spam or junk folder. You can request a fresh code if the first one expires before you enter it.

Save your recovery codes

After you confirm your method, Esqase shows ten recovery codes. These are your backup way in if you ever lose access to your authenticator app or your email. Each code works only once.

  1. Read the ten codes on the screen.
  2. Save them somewhere safe and private. You can:
    • Click Copy to copy all ten to your clipboard, then paste them into your password manager.
    • Click Download to save them as a file you keep somewhere secure.
  3. Confirm you have saved them, then finish.

Important: Your recovery codes are shown only once, right after you turn on 2FA. Esqase cannot show them to you again later. If you do not save them now, your only options if you get locked out will be to regenerate a fresh set (which requires that you can still sign in) or to ask a firm owner for help. Treat these codes like a spare key: store them somewhere only you can reach.

📷 Screenshot: The recovery-codes screen listing ten one-time codes with the Copy and Download buttons. Suggested image: images/account-and-firm/two-factor-recovery-codes.png

Tip: Do not store your recovery codes in the same place as your password, where someone who finds one finds both. A password manager that you unlock separately is a good home for them.

Sign in once two-factor is on

With 2FA turned on, signing in has an extra step. After your email and password are accepted, Esqase asks for your second factor before it lets you in.

  1. Sign in with your Email and Password as usual, then click Sign in.
  2. Esqase shows the Two-step verification step and asks for your 6-digit code.
    • If you use an authenticator app, open the app and read the current code for Esqase.
    • If you use email, Esqase sends a code to your inbox. Open it and read the code. If it does not arrive, click Resend code to send a new one.
  3. Type the 6-digit code into the boxes.
  4. Esqase verifies the code and takes you to your dashboard.

📷 Screenshot: The Two-step verification sign-in step with the six code boxes, the Use a recovery code instead link, and (for the email method) the Resend code button. Suggested image: images/account-and-firm/two-factor-sign-in-challenge.png

Note: This second step is different from the one-time code you enter when you first verify a new account's email address. Email verification confirms your email belongs to you and happens once, when your account is created. The two-step verification code is a security check that happens every time you sign in while 2FA is on. See Signing up and signing in.

Use a recovery code instead

If you cannot get a code from your authenticator or email (for example, your phone is lost or you cannot reach your inbox), use one of the recovery codes you saved when you turned 2FA on.

  1. On the Two-step verification step, click Use a recovery code instead.
  2. Type one of your unused recovery codes.
  3. Esqase verifies it and signs you in.

Each recovery code works only once. Once you use one, cross it off your list. When you are running low, regenerate a fresh set from your Security settings (see Regenerate your recovery codes).

Important: If you enter the wrong code too many times in a row, Esqase stops the sign-in attempt for your protection. When that happens, start over from the sign-in page with your email and password, then enter a valid code.

Regenerate your recovery codes

If you have used several recovery codes, think your saved list may have been seen, or simply want a fresh set, you can generate ten new ones at any time. For your security, this asks for your password first.

  1. Open Account > Security.
  2. Find the recovery-codes area and click the option to regenerate your codes.
  3. Enter your password to confirm it is really you.
  4. Esqase shows a brand-new set of ten codes. Save them the same way you did before (Copy or Download).

Important: Generating a new set immediately cancels your old codes. Any recovery code from before will no longer work, so replace your saved copy with the new list right away.

📷 Screenshot: The regenerate-recovery-codes step asking for your password, followed by the new set of ten codes. Suggested image: images/account-and-firm/two-factor-regenerate-codes.png
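
One server-side design that produces the recovery-code behaviour described on this page (shown once, single use, old set cancelled on regeneration, sign-in stopped after repeated wrong entries), as an added example that is not Esqase's code. Storing only SHA-256 hashes, the 80-bit code format, the `MAX_FAILURES` value and every name here are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10    # the page: ten recovery codes per set
MAX_FAILURES = 5   # assumed value; the page only says "too many times"


def _digest(code: str) -> bytes:
    # Normalise what the user typed, then hash. Codes are 80-bit random
    # values, so a fast hash is acceptable here (unlike for passwords).
    return hashlib.sha256(code.replace("-", "").strip().lower().encode()).digest()


class RecoveryCodes:
    """Keeps only hashes, so the plaintext set cannot be displayed again."""

    def __init__(self):
        self._hashes = set()
        self.failures = 0  # wrong entries in the current sign-in attempt

    def regenerate(self) -> list:
        """Replace the whole set and return plaintext for one-time display."""
        raw = [secrets.token_hex(10) for _ in range(CODE_COUNT)]
        self._hashes = {_digest(c) for c in raw}  # previous set is discarded
        self.failures = 0
        return ["-".join(c[i:i + 5] for i in range(0, 20, 5)) for c in raw]

    def restart_sign_in(self) -> None:
        """User went back to the sign-in page and re-entered the password."""
        self.failures = 0

    def redeem(self, submitted: str) -> bool:
        if self.failures >= MAX_FAILURES:
            return False  # attempt stopped; even a valid code is refused
        candidate = _digest(submitted)
        match = None
        for stored in self._hashes:  # constant-time compare against each hash
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            self.failures += 1
            return False
        self._hashes.remove(match)  # each code works only once
        return True

    def remaining(self) -> int:
        return len(self._hashes)
```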

Turn off two-factor authentication

You can turn 2FA off if you no longer want the extra step. For your security, this asks for your password first. If your firm requires 2FA, you will not be able to turn it off (see the next section).

  1. Open Account > Security.
  2. Click Turn off.
  3. Enter your password to confirm.
  4. Esqase removes the second step from your sign-in. The Security tab shows two-factor authentication as off.

Note: Turning 2FA off clears your current method and your recovery codes. If you turn it back on later, you set up a method again and receive a fresh set of recovery codes.

Set it up later from the welcome step

Right after you verify a brand-new account's email, Esqase offers an optional Set up two-factor authentication step so you can secure your account from day one.

  • To turn it on now, follow the on-screen prompts (the same method choice and verification as above).
  • To do it another time, click Skip for now. You can always turn it on later from Account > Security.

Tip: Even if you skip it during setup, turning 2FA on soon afterward is one of the best ways to protect your account. We recommend coming back to Account > Security when you have your authenticator app or inbox handy.

Require two-factor authentication for your whole firm

Firm owners can make two-factor authentication mandatory for everyone in the firm. When this is on, every member must have 2FA enabled before they can keep working in the firm.

  1. In the sidebar, open Settings, then Profile.
  2. Find the Security section.
  3. Turn on Require two-factor authentication.
  4. Save your change.

After you turn this on, any member who has not yet set up 2FA is prompted to enroll before they can continue using the firm. Members who already have it on are unaffected. While the requirement is in place, members cannot turn their own 2FA off.

Important: Only firm owners can change this setting. Make sure your team knows it is coming, since members without 2FA will be asked to set it up the next time they use the firm. Point them to this page so they have their authenticator app or inbox ready.

📷 Screenshot: The Security section on Settings > Profile showing the Require two-factor authentication toggle (owner only). Suggested image: images/account-and-firm/firm-require-two-factor.png

See who has two-factor authentication on

Owners and administrators can see, at a glance, which members have 2FA enabled from the Members area.

  • On the Members list (Settings > Members), a 2FA column shows an Enabled badge next to each member who has it on.
  • On a member's detail page, the Two-factor authentication line reads Enabled or Not enabled.

For more on the Members area, see Managing firm members.

Common questions

Which method should I choose? The authenticator-app method is the most resilient, because it keeps working without signal or internet and does not depend on your inbox. The email method is simpler to set up. Either is a big step up from a password alone.

I lost my phone with my authenticator app. How do I get in? Use a recovery code on the Two-step verification step (click Use a recovery code instead). Once you are back in, open Account > Security, turn 2FA off and on again to set up a method on your new phone, and save the fresh recovery codes. If you have no recovery codes left either, ask a firm owner for help.

I ran out of recovery codes. While you can still sign in, open Account > Security and regenerate a fresh set of ten (this requires your password). Do this before you run out so you are never locked out.

Do I have to enter a code every single time? Yes. While 2FA is on, the second step is part of every sign-in. This is what keeps a stolen password from being enough to get in.

Can I turn it off? Yes, from Account > Security (it asks for your password), unless your firm owner has made 2FA a firm-wide requirement, in which case it must stay on.