Skip to content

Setting Up Multi-Factor Authentication

Multi-factor authentication (MFA) adds a second layer of security to your Synderys account. After entering your password, you must verify your identity using a separate device — either an authenticator app or a hardware security key.

All Synderys accounts are required to have at least one MFA method enrolled.

Automatic Enrollment on First Sign-In

If your account does not yet have any MFA method enrolled, you do not need to do anything in advance. The next time you sign in at https://auth.synderys.com, you will be guided through enrollment automatically:

  1. Type your username and password as usual.
  2. Instead of being signed in straight away, the page will switch to an enrollment screen that asks you to add a second factor.
  3. You will be offered a choice between:
    • Authenticator app (TOTP) — recommended if you have a smartphone. The screen shows a QR code; scan it with an app like Authy, Google Authenticator, Microsoft Authenticator, or the password-manager app you already use (such as 1Password or Bitwarden), then type the 6-digit code back into the page.
    • Security key (WebAuthn / passkey) — recommended if you have a hardware key (YubiKey 5 series or newer, Feitian, Google Titan, etc.) or a device with a built-in passkey (Mac with Touch ID, iPhone with Face ID, Windows Hello laptop, Android phone). When prompted, insert the key and touch it, or complete the biometric check on your device.
  4. Once enrollment finishes, you are signed in and sent on to whichever application you were trying to reach.

You only have to do this once. After your factor is enrolled, every later sign-in just asks for it as your second step.

What if I cancel partway through?

If you close the browser tab or click away during enrollment, no factor is created — just visit https://auth.synderys.com again and you will be re-prompted from the start. Nothing is broken; you simply have not finished signing in yet.

Choosing between TOTP and a security key

Both options are accepted everywhere at Synderys.

  • Pick TOTP if you only have a phone — it is quick to set up and works offline.
  • Pick a security key if you have a YubiKey or a phone/laptop that supports Face ID / Touch ID / Windows Hello — it is faster on every later sign-in and unlocks passwordless sign-in too.

You can always add the other method later from your Settings page (see "Adding Backup Methods" below). We recommend enrolling at least two methods so you are never locked out.

Manually Enrolling Additional Methods

The sections below cover how to add or change MFA methods from your account settings — for example, adding a second method as a backup, or replacing a lost device.

Option 1: Authenticator App (TOTP)

Use an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator to generate time-based one-time passwords.

Enrollment Steps

  1. Sign in to your account at https://auth.synderys.com using your username and password.

  2. Click your profile icon in the top-right corner and select Settings.

  3. Navigate to the MFA Devices section and click Enroll Authenticator App.

  4. Open your authenticator app on your phone and scan the QR code displayed on screen. If you cannot scan the QR code, click Show manual entry key and type the secret key into your app.

  5. Enter the six-digit code from your authenticator app into the verification field on screen.

  6. Click Confirm to complete enrollment.

What to expect

After successful enrollment, your authenticator app will appear in your MFA Devices list with a green checkmark. From now on, you will be prompted to enter a code from this app each time you sign in.

Save your backup codes

After enrolling your first MFA device, you will be offered a set of one-time backup codes. Save these codes in a secure location (such as a password manager). Each code can only be used once and will allow you to sign in if you lose access to your MFA device.

Option 2: iPhone or Android Passkey (Face ID / Touch ID)

If you have an iPhone (iOS 16+) or Android phone (14+), you can use your phone's biometric sensor as your MFA device. No extra app is required — this uses the passkey feature built into your phone.

This is the fastest and most user-friendly option for most people. One Face ID glance replaces typing a 6-digit code.

Requirements

  • iPhone with iOS 16 or later, or Android phone with version 14 or later
  • iCloud Keychain enabled on iPhone (Settings → your name → iCloud → Passwords and Keychain → on), or Google Password Manager on Android
  • A modern browser (Safari, Chrome, Edge, or Firefox — latest version)

Enrollment Steps

  1. Sign in to your account at https://auth.synderys.com. You can do this on a computer or directly on your phone.

  2. Click your profile icon in the top-right corner and select Settings.

  3. Navigate to the MFA Devices section and click Enroll Security Key.

  4. Your browser will ask where to create the passkey:

    • On a Mac (signed in to the same iCloud account as your iPhone): choose iPhone, iPad, or Android device → a QR code appears → open your iPhone camera and scan it → your iPhone prompts for Face ID → approve.
    • Directly on your iPhone or Android: the Face ID / Touch ID / fingerprint prompt appears immediately → authenticate with your biometric → done.

  5. Give the passkey a descriptive name such as "My iPhone" or "Pixel 8".

  6. Click Save to complete enrollment.

What to expect

From now on, when you sign in to any Synderys app (GitLab, RocketChat, VPN), you will be prompted for Face ID or Touch ID after entering your password — just look at your phone and you're in. Because iCloud Keychain syncs your passkey across your Apple devices, the same passkey also works on your iPad or Mac.

Bonus: passwordless sign-in

Once your iPhone passkey is enrolled, you can skip the password entirely by clicking Sign in with security key on the login page (the button sits right next to the username field). See Passwordless Sign-In for details.

Option 3: Hardware Security Key (YubiKey)

Hardware security keys provide the strongest level of authentication and are required for administrative accounts.

Enrollment Steps

  1. Sign in to your account at https://auth.synderys.com.

  2. Click your profile icon in the top-right corner and select Settings.

  3. Navigate to the MFA Devices section and click Enroll Security Key.

  4. When your browser displays the security key prompt, insert your security key into a USB port and touch the sensor when the light blinks.

  5. Give your key a descriptive name (for example, "YubiKey - Blue" or "Backup Key - Desk Drawer") so you can identify it later.

  6. Click Save to complete enrollment.

What to expect

Your security key will appear in the MFA Devices list. When signing in, you will have the option to use either your authenticator app or your security key for the MFA step. If you enable discoverable credentials during enrollment, you can also use passwordless sign-in — a Sign in with security key button will appear directly on the login screen.

Adding Backup Methods

We strongly recommend enrolling at least two MFA methods — for example, one authenticator app and one security key. This ensures you can still sign in if one device is lost or unavailable.

To add a second method:

  1. Return to Settings and open the MFA Devices section.
  2. Click the enrollment button for the method you want to add.
  3. Follow the enrollment steps listed above for that method type.

Your account can have multiple authenticator apps and multiple security keys enrolled simultaneously.

Troubleshooting FAQ

Q: My authenticator app shows a code but it is rejected during sign-in. : TOTP codes change every 30 seconds and are sensitive to clock drift. Ensure your phone's date and time are set to automatic. If codes continue to fail, remove the Synderys entry from your app and re-enroll.

Q: My security key is not detected during enrollment. : Try a different USB port. Ensure your browser supports WebAuthn (Chrome, Firefox, Edge, or Safari — latest version). If using a USB-C key on a USB-A port, use the appropriate adapter.

Q: I did not save my backup codes. Can I get new ones? : Yes. Go to Settings, open MFA Devices, and click Regenerate Backup Codes. Your old codes will be invalidated immediately.

Q: Can I remove an old MFA device? : Yes, but you must have at least one active MFA method enrolled at all times. To remove a device, go to Settings, find the device in the MFA Devices list, and click Remove.

Q: I enrolled a security key but the passwordless option does not work. : Passwordless sign-in requires your key to be enrolled with discoverable credentials enabled. Remove the key and re-enroll it, making sure to check the "Enable passwordless" option during enrollment.

Q: The Face ID prompt does not appear when I try to enroll my iPhone as a passkey. : Verify that iCloud Keychain is enabled (Settings → your name → iCloud → Passwords and Keychain → on). You must be using Safari on macOS, or any modern browser (Safari, Chrome, Edge) on your iPhone. Very old browsers do not support passkeys.

Q: I enrolled a passkey on my iPhone but it does not appear on my Mac. : Passkeys sync through iCloud Keychain. Ensure both devices are signed in to the same Apple ID and iCloud Keychain is enabled on both. Sync can take a few minutes after enrollment.

Q: "No matching credential found" appears when I try to sign in with my passkey. : Use one of your backup codes to sign in, then go to Settings → MFA Devices, remove the old passkey, and re-enroll it. This typically happens if iCloud Keychain is disabled or the passkey was deleted from the device.