Carousel now supports Multi-Factor Authentication (MFA) and Passkeys to provide stronger account security. This article explains how these features work, how to set them up, and what to expect.
What is MFA?
Multi-Factor Authentication adds a second verification step when you log in. After entering your username and password, you'll be asked to verify your identity using one of the supported MFA methods. This protects your account even if your password is compromised.
What is a Passkey?
A Passkey lets you sign in without entering a password at all. Instead, you authenticate using your device's built-in security — such as a fingerprint, face scan, or PIN. Passkeys are stored on your device and are tied to it.
MFA and Passkeys are separate features. A passkey does not replace MFA. A passkey replaces the password step, while MFA protects the password-based login flow. If your site administrator enables Force MFA, you will need to configure an MFA method regardless of whether you use a passkey.
Supported MFA Methods
Carousel supports two MFA methods:
Method | How it works | Recovery codes? |
|---|---|---|
A 6-digit verification code is sent to your account email address | No | |
Authenticator App | A time-based code generated by an app like Google Authenticator, Authy, or 1Password | Yes (3 codes) |
You can configure multiple methods at the same time. For example, you might use an Authenticator App as your primary method and Email as a backup.
Setting Up MFA
There are three ways MFA setup can happen:
1. From User Settings (when you're already logged in)
Navigate to User Settings > MFA.
Click Add MFA Method.
Choose your preferred method (Email or Authenticator App).
Follow the on-screen instructions to complete setup.
For Email MFA, you'll receive a 6-digit code at your account email. Enter the code to complete setup.
For Authenticator App MFA, you'll be shown a QR code. Scan it with your authenticator app, then enter the 6-digit code the app generates. After setup, you'll be shown 3 recovery codes — save these somewhere safe. They are only displayed once and cannot be retrieved later. Each recovery code can only be used once.
2. During Login (when Force MFA is enabled)
A Carousel Site Administrator may now enforce MFA for all users. If MFA is enforced and you don't have any MFA method configured, you'll be prompted to set one up immediately after entering your password. You won't be able to access Carousel until setup is complete.
You can choose either Email or Authenticator App during this flow.
3. During Account Registration
If Force MFA is enabled, new users accepting an invitation will be asked to configure MFA as part of the account registration process.
Logging In with MFA
Once MFA is configured, here's what to expect when logging in:
Enter your username and password as usual.
You'll be prompted to verify with your configured MFA method.
If you have multiple methods configured, you can choose which one to use.
When using Email-based codes, optionally check "Remember this device" to skip Email-based MFA on this device for the number of days configured by your administrator (default: 30 days).
The "Remember this device" setting is per-browser. Using a different browser or clearing your browser data will require MFA again.
Verification Codes
Codes are valid for 5 minutes. If the code expires, you'll need to restart the login process.
After 5 incorrect attempts, you’ll need to Cancel out and log back in with your username + password to get a fresh code.
Using a Recovery Code
If you've configured an Authenticator App and can't access it, you can enter one of your 3 recovery codes instead of the MFA code during login. Each recovery code can only be used once. When all recovery codes have been used, contact your site administrator to reset your MFA.
Setting Up a Passkey
Passkeys are managed on a dedicated page, separate from MFA settings.
From User Settings
Navigate to User Settings > Passkeys.
Click Add Passkey.
Your browser will prompt you with a biometric or PIN challenge (e.g., Touch ID, Windows Hello, or a security key).
Complete the challenge. Your passkey is now registered.
You can register multiple passkeys for different devices.
Passkey Offer After Login
The first time you log in with a username and password, Carousel will offer to register a passkey for faster future logins. Your browser will show its native passkey dialog (e.g., Windows Hello, Touch ID). You can complete the registration or cancel.
This offer appears only once per browser. After it is shown — whether you complete registration or cancel — it will not appear again unless:
You delete your last passkey (which resets the prompt).
The offer appears only if:
You logged in with a username and password (not via SSO).
You don't already have a passkey registered on any device.
You didn't just complete MFA setup during this login.
Logging In with a Passkey
When you have a passkey registered, you can sign in by completing the biometric or PIN challenge presented by your browser — no password required. If you cancel the passkey prompt, you can fall back to the traditional username/password + MFA login flow.
If your site has SSO configured, the login page will show the SSO option first. To use your passkey, select the "Login with username and password" option — the passkey login button will then be available.
Important Things to Know About Passkeys
Passkeys are device-specific. A passkey registered on your laptop does not automatically work on your phone.
Cross-device authentication is possible in some cases. For example, your browser may display a QR code that you can scan with your phone to authenticate. This behavior is handled by your device's passkey manager (e.g., iCloud Keychain, Google Password Manager, 1Password, Windows Hello) and is outside of Carousel's control.
The passkey experience varies by platform. What you see when registering or using a passkey depends on your operating system, browser, and passkey manager. For example, macOS may prompt for Touch ID, Windows may prompt for Windows Hello, and a password manager like 1Password may present its own dialog. Carousel initiates the process, but the specific user interface is determined by your device.
Passkeys and MFA Setup. Passkeys do not fulfill the MFA setup requirement. If your administrator requires all users to enable MFA, you will still be prompted to set up an MFA method for password-based logins, even if you have a passkey.
Passkeys and MFA Sign-In. Passkeys do fulfill the MFA sign-in requirement. If you have MFA enabled and sign in with a passkey, you will not be prompted for an MFA code — the passkey itself satisfies multi-factor authentication.
New Device Detection
Carousel now detects when you log in from a new or unrecognized device. When this happens, you'll receive an email notification with details about the login, including:
Date and time of the login
Device description (e.g., "Chrome on Windows")
IP address
If you don't recognize the login activity, contact your site administrator immediately.
Losing Access to Your MFA Method
If you lose access to your MFA method (e.g., lost phone, no longer have access to your email):
If you have recovery codes (Authenticator App only): use a recovery code to log in, then configure a new MFA method from User Settings.
If you have another MFA method configured: use your alternate method to log in.
Contact your site administrator: they can reset your MFA configuration, which removes all configured methods and trusted devices. You will then need to set up MFA again on your next login.
Your site administrator can reset your MFA from the Carousel admin interface.
For Site Administrators
Enabling Force MFA
Navigate to Configure → Access → Security Settings to enable or disable Force Multi-Factor Authentication. When enabled:
Users without MFA will be forced to set it up on their next login.
A confirmation dialog will appear when you enable this setting, along with a warning about potential impacts on scripts and automation (see API section below).
Configuring Device Trust Duration
You can configure how many days a device is remembered (default: 30 days) from the same Security Settings page.
Resetting a User's MFA
From the admin users dashboard, you can reset MFA for any user. This removes all of their configured MFA methods and trusted devices.
Resetting a User's Passkeys
From the admin users dashboard, you can reset Passkeys for any user. This removes all of their configured Passkeys.
MFA with SSO (SAML)
When SAML SSO is configured:
SSO Only disabled: Users can choose to log in via SSO or username/password. MFA applies only to the username/password flow. SSO login does not require MFA (the identity provider handles authentication).
SSO Only enabled: Regular users are forced to use SSO and cannot access username/password login. MFA and Passkey user settings are hidden for non-siteadmin users, and their profile email is now read-only.
Site administrators can always log in via username/password + MFA, even when SSO Only is enabled. They also retain full access to MFA and Passkey settings. Forced MFA setup is enforced when a site admin logs in with username/password.
When both SSO and Force MFA are enabled, logging in via SSO does not trigger the forced MFA setup.
Impact on API Access
API Keys
API keys are not affected by MFA or Force MFA. API key authentication continues to work normally regardless of MFA settings. No changes are required for integrations using API keys.
Basic Authentication
Basic Authentication (username and password sent via HTTP headers) will stop working when Force MFA is enabled. Since Basic Auth cannot perform an MFA challenge, requests will be rejected.
If your workflows rely on Basic Auth and you plan to enable Force MFA, migrate those integrations to use API keys instead.
Frequently Asked Questions
Q: I set up a passkey. Do I still need MFA?
Yes. Passkeys and MFA are independent features. MFA protects the password-based login flow. If Force MFA is enabled, you must have at least one MFA method configured regardless of passkey status.
Q: I'm not being asked for MFA anymore. Is something wrong?
You likely checked "Remember this device" during a previous login. Your device is trusted for the configured number of days. If you want to require MFA again, clear your browser cookies or wait for the trust period to expire.
Q: I used all my recovery codes. What do I do?
Contact your site administrator to reset your MFA. After the reset, you can set up MFA again and receive new recovery codes.
Q: Can I use the same passkey on multiple devices?
It depends on your passkey manager. Some password managers (like 1Password or iCloud Keychain) sync passkeys across devices. Platform-bound passkeys (like Windows Hello) are tied to a single device. Carousel supports registering multiple passkeys, so you can add one on each device you use.
Q: I'm an admin on an SSO-only site. Why can I see MFA settings but my users can't?
Site administrators retain access to MFA and passkey features even when SSO Only is enabled. This allows admins to maintain a local login option with MFA as a fallback in case the SSO provider is unavailable. Regular users are expected to authenticate exclusively through the SSO provider.