Two-factor authentication

Two-factor authentication (2FA) adds a second step to sign-in, so your account stays safe even if your password is stolen. Villva ERP uses the 6-digit codes from an authenticator app (a free app on your phone). There is no SMS or phone-number option anywhere.

You can use any standard authenticator app, such as Google Authenticator, Authy or 1Password.

  1. Open Account & security from your profile and choose to enable two-factor authentication.
  2. Scan the QR code with your authenticator app. Can’t scan? Type in the setup key shown alongside it instead.
  3. Your app starts generating a 6-digit code that changes every 30 seconds.
  4. Enter the current code to confirm. Setup only completes once you enter a valid code, which proves your app is set up correctly.
  5. Villva shows your backup codes. Save them before continuing (see Backup codes).

After setup, the code-generating key is never shown again. Only you can set up 2FA for your own account.

After your email and password, you’ll be asked for the 6-digit code from your app. A wrong or expired code is rejected with a clear message; just enter the current one. If you can’t reach your app, use a backup code instead.

Your Org Admin (or Villva) may enforce 2FA for everyone. If that’s on and you haven’t set it up yet, your next sign-in takes you straight to the setup screen, and you can’t reach the app until you finish. The login screen makes clear whether it’s asking you to enter a code or to set 2FA up.

New organisations start with enforcement off. Turning enforcement off later does not remove 2FA from people who already set it up.

You can disable 2FA from the same screen, but you must enter a current code to do it. If your organisation enforces 2FA, you won’t be able to turn it off.

Extra confirmation for sensitive actions (step-up)

Some especially sensitive actions ask you to re-enter a fresh authenticator code even though you are already signed in, for example changing where payments are routed, exporting all of your data, deactivating many users at once, or granting someone an admin role.

  • You confirm by typing a current code from your authenticator app.
  • A successful confirmation opens a short 5-minute window to complete that one action. It only covers that specific action, so you’ll be asked again for a different sensitive action.
  • If you get the code wrong, you are not signed out; you simply can’t complete that action until you confirm.
  • This applies to everyone, including admins. External customer-portal users are never asked for it.
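The step-up behaviour described above can be modelled as a grant keyed by user and action that expires after 5 minutes. This is an added example, not Villva's code: it assumes the 6-digit codes are standard RFC 6238 TOTP with HMAC-SHA1, and the `StepUp` class, the action names and the rejection of an already-accepted code are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # code lifetime stated on the page
WINDOW_SECONDS = 5 * 60  # step-up window stated on the page


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code for `now` (HMAC-SHA1 assumed; the page names no algorithm)."""
    counter = struct.pack(">Q", int(now) // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class StepUp:
    """Hypothetical store of step-up grants keyed by (user, action)."""

    def __init__(self, secrets):
        self._secrets = secrets  # user -> shared TOTP key (bytes)
        self._grants = {}        # (user, action) -> expiry timestamp
        self._last_step = {}     # user -> last accepted time step

    def confirm(self, user, action, code, now):
        """Return True and open the window only for a fresh, valid code."""
        step = int(now) // STEP_SECONDS
        if step <= self._last_step.get(user, -1):
            return False  # assumption: reject reuse of an accepted code
        expected = totp(self._secrets[user], now)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False  # session is untouched; the action stays blocked
        self._last_step[user] = step
        self._grants[(user, action)] = now + WINDOW_SECONDS
        return True

    def allowed(self, user, action, now):
        """True only inside the window opened for this exact action."""
        expiry = self._grants.get((user, action))
        return expiry is not None and now < expiry


if __name__ == "__main__":
    key = b"12345678901234567890"  # constructed key (RFC 6238 test vector)
    gate = StepUp({"alice": key})
    print(gate.confirm("alice", "export_all_data", totp(key, 59), 59))
    print(gate.allowed("alice", "grant_admin_role", 60))
```

The sketch checks only the current 30-second step; a tolerance for clock drift between phone and server is left out.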

An Org Admin can turn 2FA enforcement on or off for the whole organisation (Villva can do this for any organisation). Non-admins can’t change the setting. When you switch it on, anyone without 2FA is guided through setup on their next sign-in. Every change records who made it and when. See also Users & roles.