
Security & Multi-Factor Authentication

Worth takes security seriously. This guide will help you protect your account and understand our security features.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication adds an extra layer of security to your account. Even if someone gets your password, they won't be able to access your account without the second factor.

What is MFA?

MFA requires two things to log in:

  1. Something you know - Your password
  2. Something you have - Your phone or email

This means that even if your password is compromised, your account stays secure.


Setting Up MFA

Option 1: Authenticator App

An authenticator app generates time-based codes that change every 30 seconds.

Step 1: Navigate to Settings

  1. Click your profile icon
  2. Select "Account Settings"
  3. Go to "Security" tab

Step 2: Enable Authenticator

  1. Click "Enable Authenticator App"
  2. Download an authenticator app if you don't have one:
    • Google Authenticator (iOS/Android)
    • Authy (iOS/Android/Desktop)
    • Microsoft Authenticator (iOS/Android)
    • 1Password (if you use 1Password)

Step 3: Scan QR Code

  1. Open your authenticator app
  2. Tap "Add Account" or "+" button
  3. Scan the QR code displayed on Worth
  4. Your app will start showing 6-digit codes

Step 4: Verify Setup

  1. Enter the 6-digit code from your app
  2. Click "Verify and Enable"
  3. You're done! Your authenticator is now active

Step 5: Save Backup Codes

After enabling MFA, you'll see 10 backup codes. Save these somewhere safe!

These codes can be used if you lose your phone or can't access your authenticator app. Each code can only be used once.

Option 2: Email Codes

If you don't want to use an authenticator app, you can receive codes via email.

How It Works:

  1. You log in with your password
  2. Worth sends a 6-digit code to your email
  3. You enter the code to complete login

Note: Email codes are less secure than authenticator apps because email accounts can be compromised.


Using MFA to Log In

With Authenticator App

  1. Enter your email and password
  2. When prompted, open your authenticator app
  3. Enter the current 6-digit code
  4. Click "Verify"

Tip: Codes change every 30 seconds. If a code doesn't work, wait for the next one.

With Email Code

  1. Enter your email and password
  2. Check your email for a code (check spam if you don't see it)
  3. Enter the 6-digit code
  4. Click "Verify"

Note: Email codes expire after 10 minutes.

Using Backup Codes

If you lose your phone or can't access your authenticator:

  1. At the MFA prompt, click "Use backup code instead"
  2. Enter one of your saved backup codes
  3. Click "Verify"

Each backup code can only be used once. After using a code, mark it as used in your records.


Trusted Devices

To make logging in more convenient on devices you use regularly, you can mark them as trusted.

How to Trust a Device

  1. After verifying MFA, check the box "Trust this device for 30 days"
  2. Click "Continue"

Your device is now trusted and you won't need to enter MFA codes for 30 days.

Managing Trusted Devices

View Trusted Devices:

  1. Go to Account Settings → Security
  2. Scroll to "Trusted Devices"
  3. See all devices you've trusted

Device Information:

  • Device name (e.g., "Chrome on MacBook Pro")
  • When it was trusted
  • Last used date
  • When trust expires

Remove Trust:

  1. Find the device in your trusted devices list
  2. Click "Revoke Trust"
  3. Confirm the action

When to Remove Trust:

  • You sold or lost the device
  • The device was stolen
  • You no longer use the device
  • You suspect unauthorized access

Regenerating Backup Codes

If you've used most of your backup codes or lost them, you can generate new ones.

Important: Generating new codes will invalidate all old codes.

Steps:

  1. Go to Account Settings → Security
  2. Click "Regenerate Backup Codes"
  3. Verify your identity (MFA prompt)
  4. Save your new 10 backup codes
  5. Old codes are now invalid
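
The single-use and regeneration rules above, sketched as an added example (not Worth's code). The `BackupCodes` class, the code format and the choice to store SHA-256 hashes are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

CODE_COUNT = 10  # the page issues 10 backup codes per set


class BackupCodes:
    """Hypothetical server-side store of one account's backup codes (hashes only)."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    @staticmethod
    def _digest(code: str) -> str:
        # Normalise what the user typed, then hash, so plaintext codes are never stored.
        canonical = code.replace("-", "").replace(" ", "").upper()
        return hashlib.sha256(canonical.encode()).hexdigest()

    def regenerate(self) -> list[str]:
        """Issue a new set and drop the old hashes, which invalidates every old code."""
        codes = []
        for _ in range(CODE_COUNT):
            raw = base64.b32encode(secrets.token_bytes(10)).decode()  # 80 random bits
            codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
        self._hashes = {self._digest(c) for c in codes}
        return codes  # shown to the user once; only the hashes are kept

    def redeem(self, submitted: str) -> bool:
        """Accept a code at most once."""
        digest = self._digest(submitted)
        if digest in self._hashes:
            self._hashes.remove(digest)  # single use: the code is spent
            return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodes()
    first_set = store.regenerate()
    print(store.redeem(first_set[0]), store.redeem(first_set[0]))  # second use fails
    store.regenerate()
    print(store.redeem(first_set[1]))  # code from the replaced set
```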

Disabling MFA

We don't recommend disabling MFA, but you can if needed.

Steps:

  1. Go to Account Settings → Security
  2. Click "Disable Multi-Factor Authentication"
  3. Verify your identity (MFA prompt)
  4. Confirm you want to disable MFA

Warning: This makes your account less secure.


Sensitive Actions Requiring Step-Up Authentication

Some actions on Worth require recent MFA verification, even if you're already logged in. This is called "step-up authentication."

Actions Requiring Step-Up:

  • Withdrawing funds from your organization
  • Linking a new bank account
  • Changing payout settings
  • Disabling MFA
  • Adding an organization admin
  • Changing security settings
  • Viewing certain sensitive contracts

How It Works:

  1. You attempt a sensitive action
  2. If you haven't verified MFA recently (within 15 minutes):
    • You'll be prompted to verify MFA again
    • Enter your authenticator code or email code
  3. After verification, you can complete the action
  4. Step-up verification lasts 15 minutes

This protects you if someone gains access to your logged-in session (e.g., you left your computer unlocked).
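
A server-side sketch of the step-up rule above, as an added example (not Worth's code). The action identifiers, the `Session` type and the reading that the 15 minutes run from the last MFA verification rather than from the last activity are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

STEP_UP_WINDOW = 15 * 60  # seconds; the page's 15-minute window

# Hypothetical identifiers for the sensitive actions the page lists.
SENSITIVE_ACTIONS = {
    "withdraw_funds", "link_bank_account", "change_payout_settings",
    "disable_mfa", "add_org_admin", "change_security_settings",
    "view_sensitive_contract",
}


@dataclass
class Session:
    user: str
    last_mfa_at: Optional[int] = None  # server-side time of the last successful MFA check


def record_mfa(session: Session, now: int) -> None:
    session.last_mfa_at = now


def authorize(session: Session, action: str, now: int) -> str:
    """Return 'allow' or 'step_up_required' for one request."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if session.last_mfa_at is None or now - session.last_mfa_at > STEP_UP_WINDOW:
        return "step_up_required"
    return "allow"


def timeline() -> list:
    """Constructed request sequence; times are seconds after an MFA-verified login."""
    s = Session(user="alice@example.org")
    record_mfa(s, 0)
    decisions = [
        authorize(s, "withdraw_funds", 5 * 60),
        authorize(s, "link_bank_account", 14 * 60),       # activity does not extend the window
        authorize(s, "change_payout_settings", 16 * 60),  # window has lapsed
        authorize(s, "view_dashboard", 16 * 60),          # not a sensitive action
    ]
    record_mfa(s, 16 * 60)                                # user completes the step-up prompt
    decisions.append(authorize(s, "change_payout_settings", 17 * 60))
    # Assumed case: a trusted-device login that skipped the MFA prompt has no recent check.
    trusted = Session(user="alice@example.org")
    decisions.append(authorize(trusted, "disable_mfa", 60))
    return decisions


if __name__ == "__main__":
    print(timeline())
```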


Security Best Practices

Protect Your Account

Use a Strong Password:

  • At least 12 characters
  • Mix of uppercase, lowercase, numbers, symbols
  • Don't reuse passwords from other sites
  • Consider using a password manager

Enable MFA:

  • Use authenticator app (most secure)
  • Keep backup codes safe
  • Don't share codes with anyone

Trust Devices Carefully:

  • Only trust personal devices
  • Don't trust public or shared computers
  • Remove trust from old devices

Protect Your Organization

Manage Member Access:

  • Review organization members regularly
  • Remove members who no longer need access
  • Use appropriate roles (don't make everyone an admin)

Monitor Activity:

  • Check for unfamiliar logins
  • Review financial transactions regularly
  • Set up notification preferences

Secure Financial Operations:

  • Verify bank account details before adding
  • Review withdrawal requests carefully
  • Use step-up authentication for sensitive actions

Troubleshooting

I Lost My Phone With My Authenticator App

Solution: Use a backup code

  1. At the MFA prompt, click "Use backup code instead"
  2. Enter one of your saved backup codes
  3. After logging in, go to Settings → Security
  4. Disable the old authenticator
  5. Set up authenticator on your new device

Don't have backup codes? Contact Worth support at platform@getworth.co with:

  • Your email address
  • Organization name
  • Proof of identity (we'll guide you through this)

My Authenticator Codes Don't Work

Check These Common Issues:

Wrong Time on Your Phone:

  • Authenticator apps rely on accurate time
  • Go to phone settings → ensure "Set time automatically" is enabled

Using an Old Code:

  • Codes change every 30 seconds
  • Wait for the next code and try again

Wrong Account in App:

  • Make sure you're looking at the right Worth account
  • You might have multiple accounts in your authenticator

App Out of Sync:

  • Some apps have a "sync time" option
  • Open your authenticator app settings and look for this
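
Why the phone's clock matters, as an added example (not Worth's code). It assumes the codes are standard RFC 6238 TOTP with HMAC-SHA1 and that the server tolerates one 30-second step of drift; the secret is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page

# Constructed sample secret (the RFC 6238 test key), Base32 as carried in a setup QR code.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1 assumed)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Accept codes up to `window` steps either side of the server clock (assumed tolerance)."""
    return any(
        hmac.compare_digest(code, totp(secret_b32, server_time + k * STEP))
        for k in range(-window, window + 1)
    )


def demo(server_time: int = 1_111_111_111) -> dict:
    """What the server decides for phones whose clocks are right, slightly off, and far off."""
    def phone(skew: int) -> str:
        return totp(SECRET_B32, server_time + skew)
    return {
        "clock_correct": verify(SECRET_B32, phone(0), server_time),
        "phone_20s_slow": verify(SECRET_B32, phone(-20), server_time),
        "phone_20s_slow_strict": verify(SECRET_B32, phone(-20), server_time, window=0),
        "phone_5min_fast": verify(SECRET_B32, phone(300), server_time),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

A phone whose clock is minutes off computes a code for a different 30-second step than the server checks, so the code is rejected even though the secret is correct.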

I Didn't Receive an Email Code

Check These:

  1. Spam/Junk Folder - Email might have been filtered
  2. Correct Email - Verify the email on file is correct
  3. Wait a Moment - Emails can take 1-2 minutes
  4. Request New Code - Click "Resend code"

Still Not Receiving? Contact your IT department or email provider - they might be blocking Worth emails.

I'm Locked Out

If you're completely locked out (no phone, no backup codes, no email access):

  1. Contact Worth support: platform@getworth.co
  2. Provide:
    • Your email address
    • Organization name
    • Recent transaction or activity details (to verify identity)
  3. We'll help you regain access securely

Frequently Asked Questions

Is MFA required?
MFA may be required depending on your account settings. Some organizations require all members to use MFA. Contact Worth if you have questions about your specific requirements.

Can I use the same authenticator for multiple devices?
Yes! Most authenticator apps sync across devices. Check your app's settings for backup/sync options.

What happens if I use all my backup codes?
Generate new ones in Settings → Security → Regenerate Backup Codes. This will create 10 new codes and invalidate the old ones.

Can I have both authenticator and email codes?
You can set up an authenticator app, but email codes are only available if you haven't enabled an authenticator. We recommend using an authenticator app for better security.

How long do trusted devices last?
30 days. After 30 days, you'll need to verify MFA again to continue using that device.

Can someone steal my backup codes?
Only if they access where you've stored them. Keep them as secure as you would a password - consider using a password manager or secure note-taking app.


Questions? Contact Worth support at platform@getworth.co