Two-factor authentication (2FA)
Two-factor authentication (2FA) is an optional extra layer on your 1pm sign-in. With it on, signing in needs your password plus a six-digit code from an authenticator app on your phone. If someone ever got hold of your password, they still couldn't sign in without your phone. This article covers what 2FA is in 1pm, how to turn it on, the recovery codes that keep you out of trouble if you lose your phone, and the one situation where 2FA cannot be turned off until you tidy something up first.
You do not have to enable 2FA. The free trial and paid subscription both work without it. It is a tool for planners who want a stronger lock on the door, particularly if their account holds client briefings, supplier contracts, or anything else they would rather not have leak.
How it works
You use a standard TOTP authenticator app on your phone. Any of the common ones work: Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden, the password manager built into iCloud Keychain. 1pm does not send codes by SMS or email. SMS-based 2FA has known weaknesses (SIM-swap attacks), and we would rather not push you toward a method that gives a false sense of security.
The authenticator app generates a fresh six-digit code every 30 seconds based on a secret key you scanned in once at setup. After setup, that secret never leaves your phone. 1pm keeps its own copy, independently calculates what the code should be at sign-in time, and checks yours against it. Nothing is transmitted from your phone to ours during sign-in beyond the code you type.
Turning it on
Sign in to 1pm and open Account from the top navigation (the Billing page). Scroll to Security and click Manage two-factor authentication. You land on the 2FA overview, which shows the current status (Off by default) and a button to enable it.
Click Enable two-factor authentication. The setup screen shows:
A QR code. Open your authenticator app, tap Add account, and scan the code. The app reads the secret and starts generating codes.
A manual setup key in case your authenticator app does not have a camera (some desktop ones don't), or you would rather type the secret in.
A verification field. Once your authenticator app is showing codes for 1pm, type the current six-digit code into this field and click Verify.
If the code is correct, 2FA flips to On and you are taken to a Recovery codes page. Save those codes (see the next section). If the code is rejected, either you typed it after it rolled over or the time on your phone is out of sync. Try the next code, or fix your phone's time settings.
Recovery codes
When you turn on 2FA, 1pm shows you ten one-time-use recovery codes. These are your way back in if you ever lose your phone, get a new phone without migrating the authenticator app, or otherwise can't get a code from the app.
Each recovery code works once. After you use one to sign in, it's spent. The remaining nine still work. When you're running low, you can generate a fresh set from the same Security page, which voids any unused codes from the previous set.
Print them, screenshot them into a password manager, write them on a card in your wallet. The one place not to keep them is on the same phone that holds your authenticator app, because if you lose that phone you lose both.
There is no other way to recover the account if you lose both your password and your second factor. The support inbox cannot generate a new code for you. The recovery codes exist because we cannot, by design, bypass 2FA from our side.
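The one-time and regenerate-voids-the-old-set behaviour described in this section, as an added sketch that is not 1pm's code. The code format, the `RecoveryCodes` class, and the choice to store only SHA-256 digests are assumptions made for illustration.

```python
import hashlib
import secrets

# Assumed alphabet: lowercase letters and digits without look-alikes (i, l, o, 0, 1).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"

def new_code() -> str:
    """16 random characters (about 79 bits) shown as four hyphenated groups."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(16))
    return "-".join(raw[i:i + 4] for i in range(0, 16, 4))

def digest(code: str) -> str:
    """Normalise what the user typed, then hash it. Only digests are stored."""
    normalised = code.strip().lower().replace("-", "")
    return hashlib.sha256(normalised.encode()).hexdigest()

class RecoveryCodes:
    """Hypothetical per-account store of unused recovery-code digests."""

    def __init__(self):
        self._unused = set()

    def regenerate(self, count: int = 10) -> list:
        """Issue a fresh set. Assigning a new set voids every older code."""
        codes = [new_code() for _ in range(count)]
        self._unused = {digest(c) for c in codes}
        return codes          # shown to the user once, never stored in clear

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once: a match is removed before returning."""
        wanted = digest(submitted)
        if wanted in self._unused:
            self._unused.remove(wanted)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)

if __name__ == "__main__":
    store = RecoveryCodes()
    codes = store.regenerate()
    print(store.redeem(codes[0]), store.redeem(codes[0]), store.remaining())
```

Because the codes are long and random, a fast hash is enough here; shorter codes would need a slow password hash to resist offline guessing if the stored digests leaked.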
Signing in with 2FA on
The sign-in flow changes slightly. You enter your email and password as normal. Instead of landing on the dashboard, you land on a Two-factor authentication page asking for the current code from your authenticator app. Type it, click Sign in, and you're through.
A "Remember this machine" checkbox skips the 2FA prompt for a week on that browser. Use it on your own laptop. Don't use it on a shared computer.
If your authenticator app isn't to hand and you have recovery codes saved, click "Sign in with a recovery code" instead. Paste one of the codes, click Sign in. That code is now used up.
Turning it off
You can turn 2FA off at any time from the same Security page, with one exception (covered below). Click Disable two-factor authentication. The form asks for your password as a confirmation, then disables 2FA and clears the secret. If you re-enable later, you scan a fresh QR code with a fresh secret. Old recovery codes are discarded.
Worth noting: turning 2FA off does not sign anyone out. If a session is already open on your phone or laptop, it stays open. If you're worried that a session might be compromised, change your password from the Profile page, which signs out other sessions.
When you cannot turn 2FA off
There is one situation where the Disable button is locked: you have active document upload requests out to your crew.
Document requests (the kind that ask crew to upload a certificate, an insurance policy, an ID photo, a license) carry sensitive files. The system rule is that an account with document uploads in flight must keep 2FA on, because those uploads sit behind your login. If 2FA could be disabled while document uploads exist, an attacker with your password could quietly fetch them.
If you want to turn 2FA off and the form is blocked, you have two options. Wait until the document requests are complete and you've deleted them from the planner. Or delete the requests now (which removes the uploads too). The crew request kinds that do not lock 2FA are the non-upload ones: text answers, choice questions. Only upload requests trigger the lock.
Conversely, creating a new document upload request requires 2FA to be on first. If you try to add an upload-kind request and you don't have 2FA enabled, 1pm sends you to the 2FA setup page with a short explanation.
Common situations
I got a new phone.
If you still have the old phone, open the authenticator app on it, scan the QR code from a new setup, and you're across in a minute. If you've already wiped or lost the old phone but kept your recovery codes, sign in with a recovery code, go to the 2FA page, and re-enable 2FA to get a fresh secret onto your new phone.
I lost my phone and my recovery codes.
Email [email protected] from the address on your 1pm account. We can verify your identity and reset 2FA. This takes a human to do; allow a business day or two. It's deliberately not self-service: a "support resets it for you" flow that's too easy defeats the point of having 2FA in the first place.
The code keeps failing.
Almost always a clock-skew problem. Open your phone's date/time settings and switch on "Set automatically". The authenticator app needs the phone's clock to match server time within about 30 seconds. After fixing the clock, try a fresh code.
Authy / Google Authenticator / Microsoft Authenticator — which should I use?
Any of them work. They all generate the same kind of code from the same kind of secret. If you don't have a preference and you don't already use a password manager that includes TOTP, Google Authenticator and Microsoft Authenticator are both straightforward, free, and on both app stores. If you do use a password manager (1Password, Bitwarden, iCloud Keychain), keeping the 2FA codes in there alongside your passwords is usually more convenient.
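The code calculation from "How it works" and the clock-skew failure from "The code keeps failing", as an added example that is not 1pm's code. It follows RFC 6238 with HMAC-SHA1; the sample secret is the RFC's published test key, and the one-step acceptance window in `verify` is an assumption.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per code, as the article states
DIGITS = 6    # six-digit codes, as the article states
# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code with HMAC-SHA1, the default most authenticator apps use."""
    key = base64.b32decode(secret_b32)
    counter = unix_time // STEP                      # which 30-second step we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1):
    """Return the step offset that matched (0 = current step), else None.

    window=1 also accepts the previous and next step; that tolerance is an
    assumption for this sketch, not a documented 1pm setting.
    """
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return drift
    return None

def skew_demo(server_time: int = 1111111110):
    """Codes typed from phones whose clocks run 0, 20 and 90 seconds slow."""
    return {slow: verify(SECRET, totp(SECRET, server_time - slow), server_time)
            for slow in (0, 20, 90)}

if __name__ == "__main__":
    print(skew_demo())   # matched step offset per phone, None = rejected
```

A production verifier would also record the last accepted step per account and refuse to accept the same step twice, so a code seen over someone's shoulder cannot be replayed inside its window.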
A note on what 2FA does and doesn't protect
2FA protects the sign-in. Someone with your password but not your phone cannot sign in to your account, full stop.
2FA does not protect already-issued share links. A per-crew run-of-show link or the public runsheet link is a tokenised URL; anyone with the URL can open it without signing in. That is by design — your crew need to open their link without a password. If a link is exposed and you want it killed, the planner has a Revoke option on each share link inside the event.
2FA does not encrypt the data in your account. Files you upload, briefings you write, and crew details you save are stored on 1pm's servers regardless of whether 2FA is on. 2FA is one of the locks on the door, not a vault for the contents.