Two-factor authentication (2FA) is an extra layer of security that can be added to a user in the Control Panel, making it more difficult for unauthorized users to access your gateway.

When 2FA is enabled on a Control Panel user's account, the user will be required to enter both their normal password and a different code each time they sign in. Users can choose to receive this code via an application on their smartphone or a text message (SMS) to their mobile device.

How to enable 2FA

2FA is not enabled on user accounts by default, and each user must enable it themselves. We encourage you to have all of your Control Panel users enable 2FA for increased security. To enable 2FA, users can follow these steps:

  1. Log into the Control Panel
  2. Click on your user icon in the top right corner
  3. Click My User from the drop-down menu
  4. Scroll to the Two-Factor Authentication section
  5. Click the Enable button
  6. Enter your password when prompted
  7. Scan the QR code using one of the supported apps on your mobile device, or click the Use SMS As Primary link
  8. Enter the code you receive on your mobile device to complete the process*

*If you opt to use an app, you will find the initial code within that application. If you chose SMS as your preference, this code will be texted to you.

Setting up a Hardware Security Key

When 2FA is enabled on a user's account, they can then register a WebAuthn U2F compatible security key with their account:

  1. Log into the Control Panel
  2. Click on the gear icon in the top right corner
  3. Click Team from the drop-down menu
  4. Locate the user you would like to make changes to
  5. Click on the link in the Username, Name, or Email column
  6. Scroll to the Two Factor Authentication section
  7. Click the + Add Key button

Note: The user will need a browser that is compatible with the WebAuthn API.

Signing in with 2FA

Once 2FA is enabled on a user account, every time they sign into the Control Panel they'll be prompted for their second factor in the following order:

  1. Hardware Security Key (if registered)
  2. Authenticator App (if registered)
  3. SMS Code

If a user who selected the app as their preferred method is unable to access the app at the time of login, they can have a code sent to their mobile device via SMS by clicking Text a code instead.

If a user who selected the Hardware Security Key as their preferred method is unable to access the key at the time of login, they can fall back to the Authenticator App or have a code sent to their mobile device via SMS by clicking Text a code instead.

Note: The user will automatically fall back to the Authenticator App or SMS if their browser does not support the WebAuthn API.

Managing a Web Authentication (WebAuthn) Security Key

  1. Log into the Control Panel
  2. Click on the gear icon in the top right corner
  3. Click Team from the drop-down menu
  4. Locate the user you would like to make changes to
  5. Click on the link in the Username, Name, or Email column
  6. Scroll to the Two Factor Authentication section
  7. Click the Options link

How to Disable 2FA

If one of your users is locked out of the Control Panel, or is unable to access their mobile device at the time of login, your Braintree Account Admin will need to disable 2FA for that user's account:

  1. Log into the Control Panel
  2. Click on the gear icon in the top right corner
  3. Click Team from the drop-down menu
  4. Locate the user you would like to make changes to
  5. Click on the link in the Username, Name, or Email column
  6. Scroll to the Two Factor Authentication section
  7. Click the Disable button

Note: Only users with the Account Admin role will be able to disable 2FA for other users in the Control Panel.

Contact us with questions.

Compatibility

Authenticator Apps

Braintree’s 2FA implementation is compatible with most Time-based One-Time Password (TOTP) applications. TOTP apps automatically generate an authentication code that changes after a certain period of time. Because they do not rely on incoming text messages, they are more reliable than SMS—especially for locations outside the US.

Popular TOTP apps include:

Hardware Security Keys

Braintree’s hardware 2FA implementation is compatible with the newest versions of the Chrome, Firefox, Safari and Edge browsers:

  • Chrome 67+
  • Firefox 60+
  • Safari 13+
  • Edge 18+

In addition, we support all FIDO U2F hardware security keys. Some popular Hardware Security keys include: