Skip to main content

Profile & 2FA

Your own account: display name and email, password change for local accounts, and TOTP two-factor enrollment with recovery codes. LDAP-federated accounts manage identity in the directory; 2FA still works for them.

Open it from the user menu (top right) → My Profile.

User information

The left card shows:

  • Username — read-only.
  • Auth Source — a LOCAL or LDAP tag.
  • Display Name and Email — editable for local accounts; Save Changes persists them.
note

For LDAP accounts the fields are disabled with a note — "Profile fields are managed by your LDAP directory." Change them in AD/LDAP instead. See Auth & RBAC.

There are no other per-user preferences here — table page size and similar UI defaults are org-wide settings under Settings → General.

Changing your password

Local accounts only (the card is hidden for LDAP users):

  1. Enter your Current Password.
  2. Enter a New Password — minimum 10 characters — and confirm it.
  3. Click Change Password.

A wrong current password or a policy violation is reported inline; on success the form clears.

Two-factor authentication (TOTP)

The right card shows your 2FA state. CertAutoPilot uses standard TOTP — Google Authenticator, Authy, 1Password, etc.

Enrolling

  1. Click Enable 2FA.
  2. Scan the QR code with your authenticator app, then click I've scanned the QR code.
  3. Enter the 6-digit code currently shown in the app and click Verify & Enable. A wrong code keeps you on this step (use Back to QR code to re-scan if needed).
  4. Save your recovery codes — 8 single-use codes in XXXX-XXXX format, shown once. Use Copy or Download (saves certautopilot-recovery-codes.txt), tick "I have saved these recovery codes", then finish.
warning

Recovery codes are displayed only at this moment (and on regeneration). Each code works exactly once. Store them outside the browser.

Once enabled, the card shows an Enabled tag with the enrollment date and a live recovery codes remaining count.

Logging in with 2FA

After username + password, login asks for your 6-digit TOTP code; a recovery code is accepted instead if your device is unavailable. When you drop to 2 or fewer remaining recovery codes, login warns you to regenerate.

Regenerating recovery codes

  1. Click Regenerate Recovery Codes.
  2. Enter your current TOTP code.
  3. A modal shows the new set of 8 codes — copy or download them before closing. All old codes are invalidated immediately.

Disabling 2FA

  1. Click Disable 2FA.
  2. Enter your password (local accounts; LDAP users skip this) and a TOTP code or recovery code.
  3. Confirm with Disable 2FA.

Whether disabling sticks depends on the org-wide OTP policy (Settings → Users, owner-only — see OTP policy):

  • Policy optional — 2FA stays off until you re-enable it.
  • Policy must — you can disable it here, but you'll be forced through the enrollment flow again at your next login. Users who never enrolled are forced into setup at login too.

Lockout

Lost your authenticator device?

  • With recovery codes — log in with a recovery code, then disable and re-enroll 2FA (or regenerate codes) from this page.
  • Without recovery codes — there is no self-service reset; an administrator has to intervene. See OTP policy for the administrative options.

See also