Setting up Multi-factor Authentication
Multi-factor Authentication (MFA) adds a second verification step to your sign-in. SALT supports authenticator apps as the primary factor and SMS as a backup. You'll get 10 backup codes — save them somewhere safe before you need them.
In short: Open your account security settings, scan the QR code with an authenticator app, and save your 10 backup codes immediately — they’re only shown once.
Why turn on MFA
Multi-factor Authentication protects your account against password compromises. Even if someone gets your password, they can’t sign in without the second factor.
Insurance agencies handle sensitive PII (Insureds’ names, contact info, license numbers, dates of birth). Account compromises can be costly. MFA is the single biggest security upgrade you can make in 30 seconds.
Set up MFA with an authenticator app
This is the recommended path — more secure than SMS, doesn’t require cell signal, works internationally.
-
1
Open your account security settings.
-
2
Find the Multi-factor Authentication section and start the setup flow.
-
3
SALT shows a QR code.
-
4
Open your authenticator app (Authy, Google Authenticator, 1Password, Microsoft Authenticator — any TOTP-compatible app).
-
5
Scan the QR code with the app. The app starts generating 6-digit codes that rotate every 30 seconds.
-
6
Enter the current 6-digit code into SALT to verify the setup worked.
-
7
SALT confirms MFA is enabled and shows you 10 one-time backup codes.
Save your backup codes — only shown once
The 10 backup codes are shown to you exactly once. SALT does not show them again. Save them somewhere safe before leaving the page — a password manager, a secure note, a printed copy in a locked drawer.
Backup codes get you back in if you lose access to your authenticator app (broken phone, deleted app, locked out). Each code works exactly once.
If you’ve left the page without saving them, regenerate a new set from your security settings — but doing so invalidates the previous codes.
Add SMS as a backup factor
SMS is less secure than an authenticator app (carriers can be socially engineered, SIM swap attacks are real) but useful as a fallback. To add it:
-
1
From your security settings, set up SMS backup.
-
2
Provide your phone number; SALT verifies it via OTP.
-
3
After confirmation, SMS is enabled as a second factor.
You’ll then have authenticator app + SMS + backup codes.
What happens at sign-in
After setup, every sign-in:
- You enter username and password
- SALT prompts for the second factor — a 6-digit code
- You enter the code from your authenticator app (or SMS, or a backup code)
- You’re in
Codes are short-lived (30-second rotation for authenticator apps). Backup codes are single-use.
What if you lose your authenticator app?
If you can’t generate codes:
- Try a backup code — each works once
- Try SMS — if you set it up
- Contact support — they can help with account recovery if all factors are lost
Without backup codes or SMS and without your authenticator app, recovery is harder. Save those codes.
Why every team member should turn it on
A breach of one user’s account exposes the data they can access — which, for most users, is the full Submission database. MFA on the whole team raises the bar dramatically.
Some agencies require MFA as a policy. SALT may also enforce MFA in some configurations.
Common questions
Can I disable MFA after enabling? Yes — from your security settings. You’ll be prompted to confirm via your current second factor before disabling.
Will SALT lock me out if I get the code wrong a few times? Repeated failures may trigger a temporary lockout for security. Contact support if you’re locked out.
Can my agency’s admin force MFA on everyone? Some configurations support enforced MFA agency-wide. Contact support to discuss.
What if my phone is in a different country and SMS doesn’t reach? Authenticator apps are network-independent — they generate codes offline. Use an app over SMS for international travel.