MFA & step-up re-auth

Multi-factor authentication is mandatory for every Sukrit Nidhi user. On top of regular MFA, a small set of high-risk actions also require step-up re-authentication — proving you’re still the person holding that authenticator, right now.

Enrolling TOTP

TOTP (Time-based One-Time Password) is the RFC-6238 standard implemented by Google Authenticator, 1Password, Authy, Microsoft Authenticator, and most other authenticator apps. Enrolment flow:

  1. Sign in. On your first sign-in after an invitation, the enrolment page opens automatically.
  2. A QR code is shown. Open your authenticator app and scan it.
  3. The app shows a 6-digit code that rolls every 30 seconds.
  4. Type that code into the confirmation field to prove the enrolment worked.
  5. Sukrit Nidhi shows your recovery codes — ten single-use codes. Save them somewhere that is not your phone (password manager, printed and in a locked drawer, etc.).

Recovery codes

  • Each code works exactly once.
  • Use one at the MFA prompt instead of a TOTP code.
  • When you’re down to two unused codes Sukrit Nidhi will prompt you to regenerate a fresh batch.
  • Regenerating invalidates the old batch immediately.

Changing authenticator (new phone)

  1. While still signed in on your old phone, go to Profile → Security.
  2. Click Reset MFA. You will be asked for your current TOTP code to authorise the reset.
  3. Scan the new QR with the new phone’s authenticator app.
  4. Confirm with the new code.

If you’ve already lost the old phone, sign in with a recovery code first, then follow the same steps.

When step-up fires

Sukrit Nidhi re-challenges you for an MFA code when you attempt any of:

  • Voiding a POSTED donation or expense.
  • Locking a period.
  • Unlocking a period (a reason is also mandatory).
  • Building an audit bundle.
  • Granting or extending an auditor scope.
  • Changing your own password.
  • Resetting your MFA enrolment.

A successful step-up opens a short-lived elevated session that lasts five minutes; within that window you are not challenged again for the same action type. After five minutes you’ll be asked once more.

Step-up is in addition to your normal MFA at sign-in, not a replacement for it. It exists so that someone who grabs your unlocked laptop cannot simply click “unlock period” without also holding your phone.
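The following is an added illustration, not Sukrit Nidhi’s own code: it implements the RFC 6238 TOTP check behind the enrolment flow above (30-second step, 6 digits) and a per-action-type elevation record with the five-minute expiry described for step-up. The class and function names, the one-step clock-skew tolerance and the in-memory expiry map are assumptions of this example.

```python
import hashlib
import hmac
import struct

STEP = 30            # TOTP time step in seconds (RFC 6238 default; "rolls every 30 seconds")
DIGITS = 6           # 6-digit codes, as shown by the authenticator app
ELEVATION_TTL = 300  # five-minute elevated session after a successful step-up


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the 30-second counter, HMAC-SHA1, 6 digits."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Accept the current step plus/minus `skew_steps` (assumed: one step either way
    to tolerate phone clock drift); compare in constant time to avoid timing leaks."""
    for step in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(totp(secret, unix_time + step * STEP), submitted):
            return True
    return False


class StepUpSession:
    """Per-action-type elevation: a successful challenge for 'unlock_period' does not
    elevate 'void_posted', and every elevation expires ELEVATION_TTL seconds later."""

    def __init__(self) -> None:
        self._elevated: dict[str, int] = {}   # action_type -> expiry (unix seconds)

    def challenge(self, action_type: str, secret: bytes, submitted: str, now: int) -> bool:
        """Re-challenge with a TOTP code; on success record the five-minute elevation."""
        if not verify_totp(secret, submitted, now):
            return False
        self._elevated[action_type] = now + ELEVATION_TTL
        return True

    def is_elevated(self, action_type: str, now: int) -> bool:
        """True only while an unexpired elevation exists for this action type."""
        return self._elevated.get(action_type, 0) > now
```

The secret used in the checks is the published RFC 6238 SHA-1 test key, so the expected codes can be confirmed against the RFC’s own vectors.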

Losing access

If you lose your phone and all your recovery codes:

  1. Contact your Platform Admin.
  2. They reset your MFA enrolment from the Users & Roles page. This itself requires step-up, so the Platform Admin’s own phone is the last line of defence.
  3. The Super Admin sends you a one-time re-enrolment link.
  4. You click the link, pick a password (because the reset also rolls your password), and scan a fresh QR code.

Every step is audit-logged: the reset event, who performed it, and the subsequent re-enrolment. This is deliberately noisy so that an attempted social-engineering attack (“I’m locked out, can you reset me?”) leaves a clear record.