Overview

Two-Factor Authentication (2FA) adds an essential layer of security to your WALT Carbon account by requiring both your password and a secondary verification method. This is a mandatory security requirement for all production environments.
Security Requirement: 2FA must be enabled for all admin accounts and is strongly recommended for all users before accessing production data.

Why 2FA is Critical

WALT Carbon manages sensitive financial and operational data about your GCP infrastructure. 2FA protects against:
  • Account compromise from stolen or weak passwords
  • Unauthorized access to cost data and recommendations
  • Security breaches that could expose your cloud infrastructure
  • Compliance violations in regulated industries

Supported 2FA Methods

WALT Carbon supports multiple 2FA methods to fit your organization’s security policies:

Authenticator Apps

Recommended Method
  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password

SMS Text Messages

Backup Method
  • Works with any mobile phone
  • Less secure than authenticator apps
  • Subject to SIM swapping attacks

Hardware Keys

Highest Security
  • YubiKey devices
  • Google Titan Keys
  • FIDO2 compatible devices

Backup Codes

Recovery Method
  • One-time use codes
  • Store securely offline
  • Use when primary method unavailable

Step 1: Enable 2FA on Your Account

Initial Setup

  1. Access Security Settings
    • Log in to your WALT Carbon account
    • Navigate to Account > Security Settings
    • Click Enable Two-Factor Authentication
  2. Choose Your Primary Method
    • Select Authenticator App (recommended)
    • Or choose SMS if authenticator apps aren’t available
  3. Complete Setup
    • Follow the method-specific instructions below
    • Test the setup before saving
If you’re setting up 2FA for the first time, you’ll be required to verify your current password before proceeding.

Method 1: Authenticator App Setup

1. Download Authenticator App

Install one of these apps on your mobile device:
  • Google Authenticator (iOS/Android)
  • Microsoft Authenticator (iOS/Android)
  • Authy (iOS/Android/Desktop)
  • 1Password (iOS/Android/Desktop)

2. Scan QR Code

  • Open your authenticator app
  • Tap “Add Account” or “+”
  • Scan the QR code displayed in WALT Carbon
  • Or manually enter the setup key if scanning isn’t available

3. Enter Verification Code

  • Your app will generate a 6-digit code
  • Enter this code in WALT Carbon
  • Click Verify and Enable

4. Save Backup Codes

  • Download and securely store your backup codes
  • These are needed if you lose access to your authenticator app
  • Store them in a secure location separate from your device

Method 2: SMS Setup

1. Enter Phone Number

  • Select your country code
  • Enter your mobile phone number
  • Ensure you can receive SMS messages

2. Verify Phone Number

  • Click Send Verification Code
  • Enter the 6-digit code received via SMS
  • Click Verify Phone Number

3. Complete Setup

  • Test the SMS delivery with another verification
  • Save your backup codes
  • Click Enable 2FA
SMS-based 2FA is less secure than authenticator apps and should only be used if app-based authentication isn’t possible.

Method 3: Hardware Key Setup

1. Connect Hardware Key

  • Insert your hardware security key (USB/NFC)
  • Ensure it’s compatible with FIDO2/WebAuthn standards
  • Popular options: YubiKey 5, Google Titan Security Key

2. Register Key

  • Click Add Hardware Key
  • Follow your browser’s prompts to register the key
  • You may need to touch or press the key when prompted

3. Name Your Key

  • Give your key a descriptive name
  • Example: “Primary YubiKey” or “Office Security Key”
  • This helps identify keys if you have multiple

4. Test and Backup

  • Test the key by logging out and back in
  • Set up a backup method (authenticator app or backup codes)
  • Register additional keys if desired

Step 2: Configure Backup Methods

Set Up Multiple 2FA Methods

For maximum security and reliability, configure multiple methods:
Recommended Setup
  • Primary: Authenticator app
  • Backup: Hardware key or SMS
  • Recovery: Backup codes

Managing Backup Codes

Generating Codes
  1. Go to Security Settings > Two-Factor Authentication
  2. Click Generate New Backup Codes
  3. Download the codes or copy them to a secure location
Storage Best Practices
  • Print codes and store in a secure physical location
  • Save encrypted copies in password managers
  • Never store codes on the same device as your authenticator app
  • Don’t share codes via email or messaging apps
When to Regenerate
  • After using several backup codes
  • If you suspect codes have been compromised
  • During regular security reviews (quarterly)
Regeneration Process
  1. Access Security Settings
  2. Click Regenerate Backup Codes
  3. Old codes will be invalidated immediately
  4. Download and securely store new codes
Emergency Access
  • Use backup codes only when primary/backup methods fail
  • Each code can only be used once
  • Monitor remaining codes and regenerate when running low
Usage Steps
  1. Enter your username and password
  2. When prompted for 2FA, click Use Backup Code
  3. Enter one of your backup codes
  4. Immediately set up a new primary 2FA method

Step 3: Organization-Wide 2FA Policies

Admin Configuration

For organization administrators:
  1. Enforce 2FA Requirements
    • Navigate to Admin > Security Policies
    • Enable Require 2FA for all users
    • Set enforcement timeline (recommended: 30 days)
  2. Configure Method Restrictions
    • Disable SMS if your security policy requires it
    • Require hardware keys for privileged accounts
    • Set up approved authenticator app list
  3. Set Up Recovery Procedures
    • Define process for users locked out of accounts
    • Designate admin users who can reset 2FA
    • Document emergency access procedures

User Onboarding

1. Communication

  • Notify all users about 2FA requirement
  • Provide setup instructions and support resources
  • Set clear deadline for compliance

2. Training

  • Schedule training sessions for less technical users
  • Provide written guides and video tutorials
  • Set up help desk support for setup assistance

3. Monitoring

  • Track 2FA adoption rates
  • Follow up with users who haven’t enabled 2FA
  • Monitor for setup issues and provide assistance

4. Enforcement

  • Begin enforcement on scheduled date
  • Provide grace period with warnings
  • Lock accounts that don’t comply with policy

Step 4: Testing and Verification

Test Your 2FA Setup

Before relying on 2FA, thoroughly test all methods:
  1. Log out of WALT Carbon completely
  2. Log back in with username/password
  3. Use authenticator app code when prompted
  4. Verify successful login
  5. Test with different devices/browsers

Verification Checklist

1. ✅ Primary Method Working

Can log in using primary 2FA method (authenticator app/hardware key)

2. ✅ Backup Method Working

Can log in using backup method (SMS/second device)

3. ✅ Backup Codes Secure

Backup codes downloaded and stored securely offline

4. ✅ Recovery Process Clear

Understand how to regain access if primary methods fail

5. ✅ Team Informed

Other team members know about 2FA requirement and setup process

Troubleshooting Common Issues

Problem: Codes not working or app not generating codes
Solutions:
  • Check device time synchronization (must be accurate)
  • Ensure app is updated to latest version
  • Re-scan QR code or re-enter setup key
  • Try entering code immediately after it refreshes
  • Verify you’re using the correct account in multi-account apps
Problem: Not receiving SMS verification codes
Solutions:
  • Check phone number is entered correctly with country code
  • Ensure SMS is not blocked by carrier or device settings
  • Try requesting code multiple times (may be delayed)
  • Check if phone number changed or device replaced
  • Consider switching to authenticator app method
Problem: Hardware key not recognized or not working
Solutions:
  • Ensure key is properly inserted/connected
  • Try different USB port or use NFC if available
  • Update browser to latest version (WebAuthn support required)
  • Test key on different device to isolate issue
  • Check if key needs firmware update
Problem: Locked out of account due to 2FA issues
Solutions:
  • Use backup codes if available
  • Try alternative 2FA method (SMS if app fails, etc.)
  • Contact support with account verification details
  • Admin users can reset 2FA for team members
  • Follow organization’s account recovery procedures

Best Practices

2FA Security Best Practices
  1. Use Authenticator Apps: More secure than SMS
  2. Set Up Multiple Methods: Don’t rely on single method
  3. Secure Backup Codes: Store offline in secure location
  4. Regular Reviews: Check and update 2FA settings quarterly
  5. Device Management: Remove old devices and unused methods
  6. Stay Updated: Keep authenticator apps and browsers updated
  7. Train Your Team: Ensure everyone understands proper 2FA usage

Advanced Security Features

Session Management

After enabling 2FA, configure session security:
  • Session Timeout: Set automatic logout after inactivity
  • Device Trust: Remember trusted devices for convenience
  • Geographic Restrictions: Block logins from unexpected locations
  • Concurrent Sessions: Limit number of simultaneous logins

Integration with SSO

If your organization uses Single Sign-On:
  1. SAML Integration: Configure 2FA with your identity provider
  2. OAuth/OIDC: Set up 2FA enforcement in OAuth flows
  3. Directory Sync: Sync 2FA status with Active Directory/LDAP
  4. Policy Inheritance: Inherit 2FA policies from corporate identity systems

Next Steps

After completing 2FA setup:
  1. Configure Security Scanning to protect your GCP resources
  2. Set up BigQuery Analytics for advanced reporting
  3. Review User Management settings and team access
  4. Enable Additional Security Features like IP restrictions

Support

Need help with 2FA setup?
  • 📧 Security support: [email protected]
  • 💬 Live chat: Available in platform help center
  • 📞 Emergency access: Contact your account manager
  • 📚 Video tutorials: Access in Security Settings help section
Never share your 2FA codes, backup codes, or authenticator app access with anyone. WALT Carbon support will never ask for your 2FA codes.