
Two-factor authentication (MFA): what it is and how to set it up

Monkey Mind requires two-factor authentication for admins (and soon providers). This article explains what MFA is, why we use it, how to enroll with any authenticator app, and what to do if you lose your device.

Two-factor authentication (MFA) on Monkey Mind

Monkey Mind uses two-factor authentication — also called MFA or 2FA — to protect accounts that handle sensitive information. This article explains what it is, who needs it, and how to set it up.

What is two-factor authentication?

Two-factor authentication means logging in requires two things instead of one:

  1. Something you know (your password)
  2. Something you have (your phone, via an authenticator app)

Even if someone steals your password, they still can't log into your account without your phone. For accounts that handle mental-health records this is the single biggest limit on the damage a leaked or phished password can do. One caveat: a code is only as safe as the page you type it into. Never read a code out to anyone, and only enter it on the Monkey Mind login page you navigated to yourself; a lookalike page that asks for your code can relay it to the real site within the same 30-second window.

Who needs to set it up?

  • Admins — required. You'll be prompted the first time you try to open the admin area. You can't reach admin pages without completing enrollment.
  • Providers (coming soon) — we're rolling MFA out to provider accounts next. You'll receive an email with a date by which you'll need to enroll.
  • Clients — not required today. A voluntary opt-in flow for clients is planned but not available yet.

Why Monkey Mind requires it

Mental-health information is among the most sensitive data a person can share. HIPAA (the US Health Insurance Portability and Accountability Act) expects covered entities to put reasonable safeguards in place for account access, and a single password on an admin or provider account is not considered reasonable on its own. MFA is the industry baseline. We enforce it so that a leaked password, a password saved on a stolen laptop, or a phished credential doesn't by itself expose patient records.

How to enroll (one-time setup)

Step 1 — Install an authenticator app

Any standard authenticator app works. If you don't already have one, pick any of these (all free):

  • Google Authenticator (iOS, Android) — simplest; works fully offline, with optional cloud backup in newer versions.
  • 1Password (iOS, Android, browser) — if you already use 1Password for passwords, adding MFA there is convenient.
  • Authy (iOS, Android, desktop) — backs up your enrolled accounts across devices.
  • Microsoft Authenticator (iOS, Android).

Any app that implements TOTP (time-based one-time passwords, RFC 6238) works. The six-digit codes are computed from the shared key and the current time with a standard algorithm, so it doesn't matter which app generates them.

Step 2 — Start enrollment from Monkey Mind

Go to the admin area, or wait until you're prompted. You'll see a card titled Set up two-factor authentication with two buttons:

  • Set up MFA now — starts the enrollment.
  • Skip for now — returns you to the dashboard. You'll be prompted again the next time you try to access the admin area.

Click Set up MFA now. The page will show a QR code and a short alphanumeric key. They are two encodings of the same secret, and anyone who has that secret can generate your codes, so treat the key like a password: don't screenshot it, email it, or paste it anywhere except your authenticator app.

Step 3 — Scan the QR code

Open your authenticator app. Tap the option to add a new account (usually a + button) and scan the QR code shown on the Monkey Mind page. If you can't scan — for example, if you're on the same phone — you can enter the alphanumeric key manually instead. Either way, the app will immediately start generating a rolling six-digit code.

Step 4 — Enter the six-digit code

Type the current code from your authenticator app into the field on the page and click Verify and enable. If the code is correct, your session upgrades immediately and you're redirected to the admin area. You're done.

Logging in after MFA is enabled

Every time you sign in afterwards:

  1. Enter your email and password as usual.
  2. When you try to open an admin page, Monkey Mind asks for the current six-digit code.
  3. Open your authenticator app, read the code, type it in.

The codes rotate every 30 seconds. If a code expires while you're typing it, just wait for the next one — the app shows a countdown.
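To make the 30-second rotation and the clock-drift failure concrete, here is a small Python implementation of the TOTP algorithm the apps listed above use (RFC 6238 on top of RFC 4226). It is an added example, not Monkey Mind's server code. The manual-key format, the six-digit length and the 30-second step match what this page describes; the one-step tolerance window in verify_totp is a common server-side choice that this page does not specify and is an assumption here. The secret and the expected codes are the RFCs' published test vectors, not a real account.

```python
"""TOTP as generated by the authenticator apps above (RFC 6238 / RFC 4226).

Added example, not Monkey Mind's code.  The "manual key" is the base32
secret shown next to the QR code; each code is HMAC-SHA1(secret, time // 30)
dynamically truncated to six digits.  The sample secret and expected codes
are the published RFC 4226/6238 test vectors, not a real account.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # one code per 30-second slot, as the page describes
DIGITS = 6          # code length the apps on this page generate


def parse_manual_key(key: str) -> bytes:
    """Decode the base32 key typed in manually (spaces and case ignored)."""
    cleaned = key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # base32 input must be padded to 8 chars
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)            # keep leading zeros


def totp(secret: bytes, now: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = Unix time // 30 (what the phone shows)."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, now: Optional[int] = None,
                window: int = 1) -> bool:
    """Server-side check (assumed tolerance: current slot plus `window` slots
    either side, so window=1 forgives about 30 s of clock drift)."""
    if now is None:
        now = int(time.time())
    counter = now // STEP_SECONDS
    ok = False
    for skew in range(-window, window + 1):
        # constant-time compare; OR every candidate rather than returning early
        ok |= hmac.compare_digest(hotp(secret, counter + skew), code)
    return ok


def clock_drift_demo(secret: bytes, server_now: int, phone_offset: int) -> bool:
    """What the user experiences when the phone clock is `phone_offset` seconds off."""
    code_from_phone = totp(secret, server_now + phone_offset)
    return verify_totp(secret, code_from_phone, server_now)


if __name__ == "__main__":
    # RFC test secret "12345678901234567890" in base32, grouped the way apps show it
    secret = parse_manual_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(secret, 59))                   # RFC 6238 vector for T=59: 287082
    print(clock_drift_demo(secret, 59, 20))   # True: still inside the neighbouring slot
    print(clock_drift_demo(secret, 59, 120))  # False: four slots ahead, rejected
```

The demo at the end reproduces the troubleshooting case: a phone 20 seconds fast still produces an accepted code, one two minutes fast does not, and the app's "right number" was never wrong, just computed for a different slot.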

Losing your phone or authenticator app

If you lose access to your authenticator (new phone, deleted app, etc.), contact a Monkey Mind administrator. They can remove the MFA factor from your account so you can enroll again with your new device. For security reasons we won't do this over email alone — expect to be asked to confirm your identity through a secondary channel.

If you use Authy or 1Password, your MFA accounts are backed up to the cloud automatically; install the app on a new device, sign in, and your Monkey Mind MFA will be there waiting. Google Authenticator now has optional cloud sync (check app settings), and Microsoft Authenticator has it too. Turning that on means you won't get locked out if you lose the phone. The trade-off: the backup moves your secret into that cloud account, so the password and MFA on your Google, Microsoft, Authy or 1Password account now protect your Monkey Mind factor as well. Keep that account at least as well protected as this one.

Changing or removing your MFA setup

To switch to a different authenticator app, remove the old setup first (contact an admin if needed), then enroll again with the new app. Disabling MFA entirely is only available to admins with the appropriate permissions and is generally discouraged for admin/provider accounts.

Troubleshooting

  • "Invalid code" even though the app shows the right number — make sure your phone's clock is accurate. TOTP is time-based: the code is computed from the current time in 30-second steps, so a phone clock that is more than about 30 seconds off from real time produces codes the server won't accept. Most phones sync time automatically; check that automatic date and time is turned on.
  • Stuck on "Checking account…" — reload the page. If it keeps hanging for more than 10 seconds, contact support.
  • Enrolled but still being prompted — log out and log back in so your session picks up the new factor status.

Questions

Anything unclear or going wrong during setup? Reach out to support with a brief description of what you're seeing. Screenshots help if you can include one.

Last updated: May 7, 2026