Two-factor authentication (2FA) is a dual security method to authenticate users. The Cybersecurity & Infrastructure Security Agency (CISA) recommends enabling 2FA to protect your account in case your login credentials are compromised. This article goes over the 2FA settings and how to reset 2FA if needed.
NOTICE - Effictive May 20th, 2026, 2FA is mandatory for all Nebula users. This extra layer of security helps keep accounts safe from unauthorized access, credential-based attacks, account takeover, data exposure, and other security incidents by requiring an additional verification step before access is granted.
A mobile device with a camera and an authenticator app installed is needed to set up 2FA. Supported authenticator apps:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Okta Verify
- Duo Mobile
- LastPass Authenticator
2FA Recovery code
Super Admins can enable a global setting that allows users to authenticate with a recovery code sent by email. However, this setting must be enabled and configured prior to the need to use a recovery code.
A recovery code is useful in cases where a mobile device has been lost or replaced. Keep in mind that enabling this setting may pose a security risk, as it allows a threat actor to bypass 2FA in case of an email account's compromise.
To enable this feature, a Super Admin must:
- Go to Configure > Users.
- Click the Two-factor authentication button.
- Toggle on Allow the recovery code to be sent via email.
Set recovery email address
After enabling the feature, each user with 2FA enabled is required to provide a recovery email address that belongs to a different domain than their Nebula login email. This extra step is designed to provide an additional layer of security in case their login email is ever compromised.
Users are prompted to set a recovery address when logging in. If they didn't configure it during login or want to change it, they can manually set or update the recovery email address from the user profile menu. For more information, see 2FA recovery email.
Request a recovery code
Once the setting is enabled and a recovery email is added, a user can request a recovery code.
- Go to the Nebula login page.
- Enter a Nebula email address and password.
- Click Try another way.
- Click Send.
- Check the email for the recovery code.
- Enter the recovery code in the verification screen and click Submit.
Reset 2FA
We recommend maintaining at least two Super Admin accounts in Nebula so one can reset 2FA for the other if needed, for example, when a user replaces their mobile device or loses access.
To reset 2FA for another user (Super Admin required):
- Go to Configure > Users.
- Click Reset next to the affected user.
- In the confirmation window, click Reset 2FA.
If no other Super Admin is available, contact Support.
To switch authenticator apps while already logged in:
- In the top-right, click your display name > Profile.
- Go the Security tab
- Click Reset Settings.
For other 2FA issues, see Troubleshoot two-factor authentication (2FA) in Nebula.