Multi-factor Authentication for Backstage

Registering for Multi-factor Authentication

This article explains how you can set up multi-factor authentication for your Backstage user account

What is multi-factor authentication?

Multi-factor authentication (MFA) means you need more than one piece of secret information to access your account. The point of having multiple factors is to reduce the risk of an unauthorized person getting access to your user account and personal data.

The first factor is your password, which you can provide by typing it in (or using a password manager). The additional factors are secrets which can only be provided by different means, thus reducing the risk of accidentally losing or disclosing them. The most commonly used additional factor is a mobile device which stores the secret information and allows you to prove that you possess it (e.g. by generating a short one-time password which you can type in). By having this additional factor, the risk of your account being compromised is significantly reduced as an attacker would need to know your password as well as have access to your unlocked mobile device.

In some cases, the additional factors may be pieces of information that are intrinsic to your network connection or internet client (e.g. IP address, device profile).

It is a good and widely used practice to secure your user account with a second authentication factor, and is far superior to just having a strong password. We highly recommend that you opt in for multi-factor authentication in Backstage.


If you opted in for MFA, this choice will only affect systems that sign you in via (e.g. Backstage). You can sign in with the same username and password on other sites (such as, but these sites will not necessarily use the SSO site and will therefore not enforce multi-factor authentication. We are working on bringing these sites under so that they can all support this feature.

MFA in Backstage

After entering your username and password, provided you haven't previously selected “Opt out”, you will be prompted to select your preferred authentication method.

The following options are available:

  • Skip: An MFA method will not be registered now, but you will be prompted again on your next login.
  • Opt out: An MFA method will not be registered now, and you will not be asked again (you can reset this on the profile settings page). This choice is not recommended.
  • WebAuthn: Hardware token (e.g. YubiKey) or biometric (e.g. Touch ID) authentication in your browser. Please note that WebAuthn is only supported in the latest versions of Chrome, Firefox, Safari and Edge. Read more
  • Push Auth: Push message based authentication with a mobile device; requires the ForgeRock Authenticator app (iOS or Android)
  • One-time Password: a single-use, 6-digit, limited lifetime password generated by a mobile device. Usable with the ForgeRock or the Google Authenticator app, available in the App Store and the Google Play Store. Read more

See the below sections for detailed instructions on how to register each multi-factor method. After the initial setup of an MFA device, Backstage will save it to your user profile. The next time you log in, you will be automatically asked to provide the previously registered MFA credentials.


Each MFA method generates single-use recovery codes which can be used to access your account in case you are unable to authenticate with your chosen second factor. It's extremely important that you write these codes down and store them in a safe place, otherwise you may lose access to your account.

Registering a push authentication device

Follow these steps once you have downloaded the ForgeRock Authenticator app from your device's app store:

  1. Select “Push Auth” from the list of options.
  2. Your browser will prompt you to use your chosen device to scan a QR code.
  1. Open the ForgeRock app on your device and select the plus sign in the top left corner to scan the barcode displayed in your browser.
  2. After scanning the QR code, your device will be registered and will appear in the app, under “My accounts”.
  1. To test that registration was successful, a push notification will be sent to your app. You will be given the option to click “Accept” or “Reject”. Select “Accept” to continue the registration process.
  1. To complete registration, a page will be displayed prompting you to write down your recovery codes.

Registering a one-time password (OATH) device

After you have downloaded the ForgeRock app or another compatible authenticator app, such as the Google Authenticator, follow these steps:

  1. Select “One-time Password” from the list of options.
  2. Your browser will prompt you to use your chosen device to scan a QR code.
  1. Open your chosen app and add a new device. In the ForgeRock app, this can be done by pressing the plus icon in the top left corner.
  2. After scanning the QR code, your device will be registered and will appear in the app under “My accounts”.
  1. You will then be prompted in your browser to enter the one time password code from the app to confirm that registration was successful. In the ForgeRock app, this can be done by selecting the relevant item in the list under “My accounts” and entering the code displayed into the input field in your browser.
  1. If the one time password was entered correctly, then a page will be displayed, prompting you to write down your recovery codes.

Registering a WebAuthn device

If you have access to a hardware token or a device that supports biometric authentication, then it's possible to use WebAuthn to protect your account:

  1. Select “WebAuthn” from the list of options
  2. Your browser will prompt you to insert your hardware token. If your device running your browser supports biometric authentication, then you'll be given that option too. Please note that the pop-up window will appear differently depending on which browser you are using. The example below is using Google Chrome.
  1. If registration between the browser and the token or biometric scanner was successful, then a page will be displayed, prompting you to write down your recovery codes.

Updating Multi-factor Authentication Settings

This article explains how to update existing MFA settings for your Backstage user account

Changing your MFA device settings

If you have lost your hardware token or have a new phone, it may be the case that you need to update your MFA settings. You can always delete a device by going to the authentication settings page in Backstage, and clicking the pencil icon for the device you want to update. This requires that you still have access to your Backstage account either via recovery codes or an additional MFA device. If you don't have access to your account please see: Backstage Account Recovery.

From here you have to option to change the settings for each device:

  • Change the name of the device.
  • Remove the device from your Backstage profile. Removing an MFA device requires you to re-enter your password. The selected device will be removed from your account and if this is your only device registered you will be asked to set up a new MFA device on your next login.

Generating new recovery codes

If you have used all of your recovery codes, lost them, or they were stolen, you should generate new ones on this page. Click the circular arrow button. This will replace any existing codes with 10 new ones.

Adding more devices

Backstage supports registering multiple MFA devices per profile. To register another device, first log in to backstage and navigate to the authentication settings page. Here at the bottom of the page you will see a description of each available MFA method with a button to register. Clicking the “Register” button for the method of your choice will prompt you to set up a new device. Simply follow the steps, and you'll be returned to the authentication settings page once complete. Please note that whilst we support multiple WebAuthn devices per Backstage profile, we only support one one-time password device and one push authentication device per profile. Additionally, if you previously opted out and wish to opt in now, you can do so by following the aforementioned steps.


We strongly recommend registering more than one device so that if something happens to one of the devices you're not locked out of your account.

Backstage Account Recovery

This article explains how you can recover your Backstage account if you have lost access

What happens if I've forgotten my username or password?

If you can't log in to Backstage because you've forgotten your username you can simply use the email address you gave when you registered in its place. If you've forgotten your password, you can reset it by following the instructions outlined in this article How to reset your Backstage account password.

What happens if my registered MFA device is preventing me from logging in?

If you opted in for MFA and have successfully entered your username and password but cannot log in because the authentication flow is waiting for confirmation or a one-time password from your registered multi-factor device, try the following:

  • Choose “Use recovery code” on the MFA login page and enter an unused recovery code. Recovery codes are one-time passwords. This list of 10 codes were given to you at registration to write down in the event you're locked out of your account.

If you had to use a recovery code, you should reset your MFA device as described in Updating multi-factor authentication settings.


WebAuthn is a new technology and not all browsers support it yet. Note that as with mobile devices, you can only use WebAuthn on the same device where you set it up originally. This is due to the fact that a unique key is stored in on the device which is needed to perform authentication. Unlike other MFA methods, however, WebAuthn happens on the same device where you're logging in via your browser, and is therefore less portable than the other supported methods. If you wish to log in on more than one computer, please register WebAuthn for each device.

What happens if I lost my recovery codes?

Alternative recovery method

If you have lost your device as well as your recovery codes, you can still regain access to your account by selecting “Use alternative method” after failing to provide your MFA credentials:

In order to verify your identity, you will receive two separate One Time Passwords: one as a text message to your phone number and a second one to your email address. You will need to enter both correctly in order to unlock your account. For this alternative method to work, your account needs to have a valid phone number (it has to start with the country code). If you cannot receive either the text message or the email, you will not be able to log in with this method.

We will regularly ask you to update your phone number and email address to make sure that the alternative recovery method is available, should you need it.

Manual verification

If you are unable to use the alternative recovery method, as a last resort, we may be able to verify your identity manually. You can request this by sending a picture of your government issued valid photo ID (e.g. passport, driver's license or national ID card) to We will verify that

  • The first and last name(s) in your document matches those in the account;
  • The request was sent from the email address registered with the account;
  • If your avatar picture associated with your email address is of a human face, it matches the photo on the ID

If all the above checks pass, your existing MFA device settings will be deleted, and you will be able to log in with your username and password. You will also be prompted to set up a new MFA device. Please make sure to print your recovery codes and keep them in a safe place.


Your ID document is sensitive data. To protect your privacy, we will destroy all copies of the picture you sent once the case is closed. Beware of phishing attempts! Make sure to only send your ID documents to . If you receive a suspicious email, please let us know immediately on this address.

Creating a new account

If it's not possible to provide a government issued valid photo ID or you would prefer not to for security/privacy reasons then an alternative option is to create a new account. A new Backstage account can be created by following this link and filling out the required details.

FAQ: Multi-factor Authentication

Answers to frequently asked questions on Backstage MFA

Frequently asked questions

Q. How can I recover my account that is secured by multi-factor authentication?

If you've lost access to your account due to multi-factor authentication, please follow the instructions outlined in this article to regain access Backstage Account Recovery.

Q. Can ForgeRock remove the multi-factor device from my account?

No, it's not possible for a ForgeRock employee to remove the multi-factor device from your account until all the steps in Backstage Account Recovery have been completed.

Q. I’ve recently lost/changed the phone that I registered as my multi-factor authentication device. How can I register a new one?

Please follow these steps to register a new device:

  1. First, you need to gain access to your account through a recovery method. Detailed steps for this process can be found in this article Backstage Account Recovery.
  2. Navigate to the authentication settings page.
  3. On the list of devices, find the device you wish to remove.
  4. Click the pencil icon to enable editing.
  5. Click the trash can icon to remove it.
  6. You'll be asked to enter your password.
  7. On the same page, scroll down to the bottom and select a new multi-factor method to register.

More details can be found here: Updating multi-factor authentication settings

Q. Why am I not receiving an SMS message when attempting to recover my account via the alternative method?

The SMS message is sent to the phone number associated with your Backstage account and there could be a few different reasons why it's not being received:

  • The number could be a landline. The SMS service relies on the recipients' ability to handle SMS messages.
  • You no longer have access to the supplied number.
  • The country code could be missing from the start of the number.
  • Some mobile carriers occasionally reject messages from our SMS provider.

In this situation please contact for help.

Q. How do I get my recovery codes?

When you registered your device, you were shown a set of 10 recovery codes to write down and keep in case you get locked out of your account. ForgeRock will never send recovery codes to a Backstage user via email or any other way. If you have access to your account, it is possible to generate new recovery codes if you've lost them by going to your Backstage profile.

Q. How can I reduce the risk of being locked out of my account protected by multi-factor authentication?

Here are some helpful tips to reduce the risk of getting locked out of your Backstage account:

  • When registering a device, always write down recovery codes and store them in a safe place.
  • Registering multiple devices so that if you lose one device you have another to fall back to.
  • During the recovery process, it's possible that you'll have to rely on the phone number and email address that are associated with your Backstage account, so make sure that they are both up-to-date and correct.

Q. How do I get past the “waiting for a response” page when authenticating?

This page is shown during the authentication flow after successfully entering your username and password. It indicates that the page is waiting for you to accept the push notification that has been sent to the ForgeRock app on the device that you registered during MFA setup. If you no longer have the ForgeRock app, the account is missing under “My accounts”, or you don't remember setting up push authentication, please follow the steps outlined in these articles to gain access to your account and remove the device:

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.

This content has been optimized for printing.