Backstage Help

Registering for Multi-factor Authentication

Last updated Apr 19, 2022

This article explains how you can set up multi-factor authentication for your Backstage user account

9 readers recommend this article

What is multi-factor authentication?

Multi-factor authentication (MFA) means you need more than one piece of secret information to access your account. The point of having multiple factors is to reduce the risk of an unauthorized person getting access to your user account and personal data.

The first factor is your password, which you can provide by typing it in (or using a password manager). The additional factors are secrets which can only be provided by different means, thus reducing the risk of accidentally losing or disclosing them. The most commonly used additional factor is a mobile device which stores the secret information and allows you to prove that you possess it (e.g. by generating a short one-time password which you can type in). By having this additional factor, the risk of your account being compromised is significantly reduced as an attacker would need to know your password as well as have access to your unlocked mobile device.

In some cases, the additional factors may be pieces of information that are intrinsic to your network connection or internet client (e.g. IP address, device profile).

It is a good and widely used practice to secure your user account with a second authentication factor, and is far superior to just having a strong password. We highly recommend that you opt in for multi-factor authentication in Backstage.


If you opted in for MFA, this choice will only affect systems that sign you in via (e.g. Backstage). You can sign in with the same username and password on other sites (such as, but these sites will not necessarily use the SSO site and will therefore not enforce multi-factor authentication. We are working on bringing these sites under so that they can all support this feature.

MFA in Backstage

After entering your username and password, provided you haven't previously selected “Opt out”, you will be prompted to select your preferred authentication method.

The following options are available:

  • Skip: An MFA method will not be registered now, but you will be prompted again on your next login.
  • Opt out: An MFA method will not be registered now, and you will not be asked again (you can reset this on the profile settings page). This choice is not recommended.
  • WebAuthn: Hardware token (e.g. YubiKey) or biometric (e.g. Touch ID) authentication in your browser. Please note that WebAuthn is only supported in the latest versions of Chrome, Firefox, Safari and Edge. Read more
  • Push Auth: Push message based authentication with a mobile device; requires the ForgeRock Authenticator app (iOS or Android)
  • One-time Password: a single-use, 6-digit, limited lifetime password generated by a mobile device. Usable with the ForgeRock or the Google Authenticator app, available in the App Store and the Google Play Store. Read more

See the below sections for detailed instructions on how to register each multi-factor method. After the initial setup of an MFA device, Backstage will save it to your user profile. The next time you log in, you will be automatically asked to provide the previously registered MFA credentials.


Each MFA method generates single-use recovery codes which can be used to access your account in case you are unable to authenticate with your chosen second factor. It's extremely important that you write these codes down and store them in a safe place, otherwise you may lose access to your account.

Registering a push authentication device

Follow these steps once you have downloaded the ForgeRock Authenticator app from your device's app store:

  1. Select “Push Auth” from the list of options.
  2. Your browser will prompt you to use your chosen device to scan a QR code.
  1. Open the ForgeRock app on your device and select the plus sign in the top left corner to scan the barcode displayed in your browser.
  2. After scanning the QR code, your device will be registered and will appear in the app, under “Accounts”.
  1. A page will be displayed prompting you to write down your recovery codes.
  2. To test that registration was successful, a push notification will be sent to your app. You will be given the option to click “Accept” or “Reject”. Select “Accept” to continue the registration process.

Registering a one-time password (OATH) device

After you have downloaded the ForgeRock app or another compatible authenticator app, such as the Google Authenticator, follow these steps:

  1. Select “One-time Password” from the list of options.
  2. Your browser will prompt you to use your chosen device to scan a QR code.
  1. Open your chosen app and add a new device. In the ForgeRock app, this can be done by pressing the plus icon in the bottom right corner.
  2. After scanning the QR code, your device will be registered and will appear in the app under “Accounts”.
  1. Click “Next” in your browser and a screen will be displayed with a list of 10 codes. It's important that you keep these codes in a safe place as they will allow you to recover your account if you lose your device.
  2. On the next page you will be prompted to enter the one time password code from the app to confirm that registration was successful. In the ForgeRock app, this can be done by selecting the relevant item in the list under “Accounts” and entering the code displayed into the input field in your browser.
  3. If the one time password was entered correctly, then registration will complete and your account will be protected.

Registering a WebAuthn device

If you have access to a hardware token or a device that supports biometric authentication, then it's possible to use WebAuthn to protect your account:

  1. Select “WebAuthn” from the list of options
  2. Your browser will prompt you to insert your hardware token. If your device running your browser supports biometric authentication, then you'll be given that option too. Please note that the pop-up window will appear differently depending on which browser you are using. The example below is using Google Chrome.
  1. If registration between the browser and the token or biometric scanner was successful, then a page will be displayed, prompting you to write down your recovery codes.

Copyright and Trademarks Copyright © 2022 ForgeRock, all rights reserved.