Two-step login
Two-step login (also known as two-factor authentication or 2FA) prevents anyone from maliciously accessing your Bravura Safe data (even if they somehow get your master password) by requiring authentication from a secondary device when you log in.
Many different methods are used for two-step login, including: authenticator apps, email and hardware security keys.
Two-step login is used at two levels for Bravura Safe:
Enterprise Team two-step login (for everyone)
Individual safe two-step login (for you only)
The following topics show you how to modify two-step login for yourself. For details on enforcing Enterprise two-step login, see Enforce Enterprise two-step login.
Note
Individual two-step login can be enforced by the Enterprise Team administrator via Teams > [Enterprise Team] > Settings > Policies > Require two-step login.
New users are automatically set up with Bravura OneAuth and/or two-step login via email. This can be changed as desired.
To configure two-step login for your individual safe:
Open and log in to the Bravura Safe web interface.
Click on the profile menu at top right (your initials/avatar).
Select Account settings.
Select Security from the ACCOUNT SETTINGS menu.
Click on the Two-step login tab.
Locate the desired Provider and click Manage.
Follow the displayed instructions (see examples below) and click Turn on.
Bravura OneAuth
The following topics show you how to install the HYPR app that powers Bravura OneAuth, pair your phone to Bravura OneAuth during login, and manage paired devices.
The HYPR mobile app allows you to securely authenticate to Bravura Security Fabric from anywhere.
Download and install the HYPR mobile app by using one of the following links:
The HYPR app for Android is available for download from Google Play.
The HYPR app for Apple iOS is available for download from the App Store.
Follow the instructions on your mobile device to set up biometric authentication (Touch ID or Face ID).
After you have installed the HYPR app on your device and set up biometric authentication (Touch ID or Face ID) you can pair your phone to Bravura OneAuth during Bravura Security Fabric login.
Open the Bravura Safe application on your computer or mobile device. See First steps.
Log in.
Bravura OneAuth automatically detects if you do not yet have a mobile device registered for authentication.
Click or tap Send registration email.
On your mobile device:
Open the Bravura Security Fabric "Bravura OneAuth device registration" email.
Tap Register Device.
Tap Get Started.
A Bravura OneAuth web account is created using your email address, and your mobile device begins pairing:
A prompt appears for biometric authentication:
Note
In this example, the user has configured Touch ID. You may also use Face ID.
Authenticate to Bravura OneAuth using your mobile device's configured biometric method.
You may be prompted with PIN enrollment.
Enter and confirm a 6-digit PIN.
Pairing continues.
After successful biometric authentication, your device is successfully paired to your Bravura OneAuth web account.
Tap OK.
Bravura OneAuth displays your application web account.
Tap the account row to view details; for example, the associated email address.
Note
You may register/pair multiple devices to your Bravura OneAuth web account via Bravura Safe and the Bravura OneAuth Device Manager.
You may now log in to Bravura Safe using your master password and Bravura OneAuth.
After you have installed the HYPR app on your device and set up biometric authentication (Touch ID or Face ID) you can pair your phone to Bravura OneAuth via a magic link on your web browser. A magic link is usually sent in your invitation email.
On your computer:
Open your email to locate the message containing the magic link (URL) that was sent to you by your Bravura OneAuth administrator.
Click the link.
Bravura OneAuth opens.
Under "What device would you like to pair?" click Smartphone.
A QR code and instructions are displayed.
On your phone:
Open the HYPR app.
Tap the scan icon located at the top right.
Aim your phone's camera at the QR code on the computer screen.
Your phone will begin pairing to Bravura OneAuth and then prompt for biometric authentication.
Note
In this example, the user has configured Touch ID. You may also use Face ID.
Authenticate to the HYPR app using a biometric authentication method configured for your device (Touch ID, Face ID).
You may be prompted with PIN enrollment.
The HYPR app will indicate that your phone has been successfully paired to your Bravura OneAuth account.
Tap OK.
The HYPR app shows the paired application account. If your phone is paired to more than one Bravura OneAuth account, they will all be listed here.
Click on an account to view details (such as your Username/email address).
Tip
You can delete an account from this screen.
On your computer:
Bravura OneAuth will display your paired device.
Tip
From this page, you can Add Another Device to your Bravura OneAuth account, or Unpair an existing device.
Click Logout to log out from Bravura OneAuth Device Manager and then close the browser tab.
Once you have successfully paired your phone to your Bravura OneAuth account using the magic link, you will be able to use Bravura OneAuth as a second factor to authenticate to Bravura Safe.
These instructions assume that Bravura OneAuth has been enabled for your enterprise and the following steps have been completed:
Set up biometric authentication (Touch ID or Face ID) on your mobile device
Invited/accepted/confirmed to a Bravura Safe Team
Created a Bravura Safe account with a master password
On your computer or mobile device
Open the Bravura Safe application:
Web interface (shown below): Navigate to your company's Bravura Safe instance URL.
Desktop or Mobile: Open the Bravura Safe application.
Enter your Bravura Safe account Email address.
Optionally, select or toggle on Remember email so you do not have to enter it next time.
Click or tap Continue.
Enter your Bravura Safe account Master password.
Click Log in with master password (tap Log in for mobile).
Note
When Bravura OneAuth is configured/enabled for the enterprise (global) Team, it will be used as the default second factor of authentication for all users accessing Bravura Safe.
A "Check device for notification" prompt appears.
If you have not yet paired your mobile device, see Pair your phone to Bravura OneAuth during Bravura Safe login.
Note
If you've forgotten or lost your phone, see Replace a paired mobile device.
A lost phone should be reported immediately to your IT department so it can be de-authorized.
On your phone

Tap the HYPR authentication notification; HYPR Tap to Authenticate.
If the notification appears on your phone's lock screen, open the HYPR app and unlock your phone to proceed.
Tap Login.
To cancel, tap Deny.
You are prompted for biometric authentication (Touch ID or Face ID).
Authenticate to the HYPR app using a configured biometric method for your device.
After successful multi-factor authentication including Bravura OneAuth, you are logged in to Bravura Safe on your computer.
Note
This procedure must be completed using the Bravura Safe web interface and your mobile device(s).
This topic shows you how to replace a device paired with Bravura OneAuth, either as a planned replacement or after an unplanned loss of the old device.
If you want to replace a mobile device and still have access to the old one, follow these steps.
Transfer all data from your old device to your new device. The exact procedure will vary depending on the operating system.
Set up biometric authentication (e.g. Touch ID, Face ID) on your new device.
This is typically done in device settings. Instructions vary by operating system.
If you have been using an authenticator app (e.g., Google Authenticator, Microsoft Authenticator, etc.) for two-step login (2FA), check that TOTP codes were automatically transferred to the new device.
If the codes were not automatically transferred to the new device, manually transfer/export authenticator accounts from your old phone to your new phone. Instructions vary based on the authenticator app(s) you are using. Perform this task for each authenticator, as required.
Access the Bravura OneAuth Device Manager to de-register your old device and register your new device:
You may register/pair multiple devices to your Bravura OneAuth web account.
If you want to replace a mobile device and do not have access to the old one, follow these steps.
Set up biometric authentication (e.g. Touch ID, Face ID) on your new device.
This is typically done in device settings. Instructions vary by operating system.
If you were using an authenticator app(s) for two-step login (2FA) on your old device; for example, Google Authenticator, Microsoft Authenticator, etc.:
Install the desired authenticator app(s) on your new device.
Set up authenticator accounts/TOTP codes again for use in 2FA.
Log into Bravura Safe using another two-step login method.
Warning
If you do not have an EMAIL option and any previously used AUTHENTICATOR APP accounts/TOTP codes were not successfully transferred from your OLD device to your NEW device, you will not be able to log in to Bravura Security Fabric. Please contact Bravura Security Support. A manual change to the Bravura Security Fabric database is required to restore Email PIN as an available two-step login (2FA) method, after which you can select EMAIL.
Access the Bravura OneAuth Device Manager to de-register your old device and register your new device:
You may register/pair multiple devices to your Bravura OneAuth web account.
This topic shows you how to manage mobile devices that are registered/paired to your Bravura OneAuth account.
To access Bravura OneAuth Device Manager from Bravura Safe:
Log in to the Bravura Safe web interface.
Click Teams.
Select the Enterprise Team from the Team drop-down (i.e., your main/global company team).
Click the Options tab.
Click Open Bravura OneAuth device manager.
A confirmation message appears.
Click Yes.
The Bravura OneAuth Device Manager opens in a new browser tab showing all devices currently paired to your Bravura OneAuth account.

From here you can De-register/unpair a device and Register a new device.
To de-register/unpair a device:
Click Remove beneath the desired device.
A confirmation message appears.
Click Remove.
The selected device is de-registered/unpaired from your Bravura OneAuth account, removed from your Device Manager Login Methods list and removed from MY WEB ACCOUNTS in the Bravura OneAuth app on your mobile device.
If the removed registered device was your only one, the Device Manager UI displays "No Login Methods Found":
This procedure assumes you have installed the HYPR app on your new mobile device.
From the Bravura OneAuth Device Manager, click Add New Login Method.
A pop-up appears:
Tip
To see a walk-through of all steps included here, click Walk me through how to add a login method.
To proceed with adding a new login method, click HYPR Mobile App.
A QR code appears:
Follow on-screen instructions to pair your device.
Note
If you are having an issue scanning the QR code, click Pair Manually and follow the on-screen instructions:
Once your mobile device is successfully paired, the Bravura OneAuth Device Manager displays the "Login Method Added Successfully!" message.
Once pairing is successful, your new device will appear listed under Login Methods. You may now use this device for passwordless authentication to Bravura Safe using Bravura OneAuth.
Email verification
To set up individual two-step login via email for your safe:
Log in to Bravura Safe via the web interface.
Click the profile menu (your initials) and select Account Settings.
From the ACCOUNT SETTINGS menu, select Security.
Click the Two-step login tab.
Next to the Email option, click Manage.
Enter your Master password and click Continue.
Note
If email verification is already "TURNED ON", click Close to exit and skip the following steps.
Enter the email address where you want to receive verification codes.
Click Send email.
Check your inbox for an email message with "Your Two-step Login Verification Code".
Enter the 6-digit code in the dialog box.
Click Turn on.
A notification message appears.
Note
To disable email verification, click Turn off. A confirmation message appears. Click Yes to proceed. The green check mark is removed from the Email option.
Click Close.
The Email option is enabled when a green check mark appears next to it.
Note
To activate two-step login via Email immediately for each app, log out of all Bravura Safe apps. You will eventually be logged out automatically.
Note
The steps below assume that 'Email' is your highest-priority authentication provider/method that is turned on for your individual safe and that enterprise Two-step login is not enforced. See Using multiple two-step login providers.
To log in to Bravura Safe using your master password and two-step login with email verification:
Open the Bravura Safe application:
Web interface (shown below): Navigate to your company's Bravura Safe instance URL.
Desktop or Mobile: Open the Bravura Safe application.
Enter your Bravura Safe account Email address.
Optionally, select or toggle on Remember email so you do not have to enter it next time.
Click or tap Continue.
Note
If your company has configured enterprise single sign-on (SSO), see Log in with SSO.
To log in using an enabled secondary device without having to enter a master password, see Log in with device.
Enter your Bravura Safe account Master password.
Click Log in with master password (tap Log in for mobile).
You are prompted to "Enter the 6-digit verification code that was emailed to [your configured email]".
Check your inbox for the 6-digit verification code.
Enter this code in the field provided (see above).
Optionally, select or toggle on Remember me to not require a second authentication factor for 30 days.
Click or tap Continue to finish logging in.
Once logged in, you will not need a second authentication factor to Unlock your safe.
Note
If your login session times out, you will receive the following notification. Reload/Refresh your browser and log in again.
When you are logging in using two-step login with email verification and you do not receive the verification code email:
Enter your email address in the provided field.
Click Send verification code email again on the verification pop-up to resend the email.
A notification message appears.
To change individual two-step login via email for your safe:
Log in to Bravura Safe via the web interface.
Click the profile menu (your initials) and select Account Settings.
From the ACCOUNT SETTINGS menu, select Security.
Click the Two-step login tab.
The Email option is enabled when a green check mark appears next to it.
Next to the Email option, click Manage.
Enter your Master password and click Continue.
Click Turn off.
A confirmation message appears.
Click Yes to proceed.
To disable email verification, you can stop here and skip remaining steps. To change your email address, proceed below.
Next to the Email option, click Manage.
Enter your Master password and click Continue.
Change the email address where you want to receive verification codes.
Click Send email.
Check your inbox for an email message with "Your Two-step Login Verification Code".
Enter the 6-digit code in the dialog box.
Click Turn on.
A notification message appears.
Click Close.
The Email option is enabled when a green check mark appears next to it.
Note
To activate two-step login via Email with your new email address immediately for each app, log out of all Bravura Safe apps. You will eventually be logged out automatically.
Authenticator app
To enable two-step login for your individual safe using an authenticator app and a secondary (e.g. mobile) device:
Log in to Bravura Safe via the web interface.
Click the profile menu (your initials/avatar) and select Account Settings.
Select Security from the ACCOUNT SETTINGS menu.
Click the Two-step login tab.
Next to the Authenticator app option, click Manage.
Enter your Master password.
Click Continue.
If you do not have an authenticator app on your mobile device, download one.
Note
Links are provided on the TWO-STEP LOGIN page, as above.
Open the authenticator app on your device and add a new account.
Scan the provided QR code with your device and authenticator app.
Enter the resulting 6-digit verification code from the app.
Click Turn on.
A green "TURNED ON" message will indicate that two-step login via Authenticator App has been enabled.
Click Close.
Confirm that the Authenticator app option is enabled, as indicated by a green checkbox.
Note
To activate two-step login immediately for each app, log out of all Bravura Safe apps. You will eventually be logged out automatically.
Note
The steps below assume that 'Authenticator app' is your highest-priority authentication provider/method that is turned on for your individual safe and that enterprise Two-step login is not enforced. See Using multiple two-step login providers.
To log in to Bravura Safe using your master password and two-step login with an authenticator app:
Open the Bravura Safe application:
Web interface (shown below): Navigate to your company's Bravura Safe instance URL.
Desktop or Mobile: Open the Bravura Safe application.
Enter your Bravura Safe account Email address.
Optionally, select or toggle on Remember email so you do not have to enter it next time.
Click or tap Continue.
Note
If your company has configured enterprise single sign-on (SSO), see Log in with SSO.
To log in using an enabled secondary device without having to enter a master password, see Log in with device.
Enter your Bravura Safe account Master password.
Click Log in with master password (tap Log in for mobile).
You are prompted to "Enter the 6-digit verification code from your authenticator app".
Open the authenticator app on your secondary device and find the 6-digit verification code for Bravura Safe.
Enter this code in the field provided.
Optionally, select or toggle on Remember me to not require a second authentication factor for 30 days.
Click or tap Continue to finish logging in.
Once logged in, you will not need a second authentication factor to Unlock your safe.
Note
Typically, verification codes change every 30 seconds. If your login session times out, you will receive the following notification. Reload/Refresh your browser and log in again.
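How an authenticator app derives the 6-digit code and why it changes every 30 seconds, shown as an added example that is not Bravura Safe code. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1) used by common authenticator apps; the SAMPLE_SECRET value, the function names and the one-step drift window are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (the 30-second rotation noted above)
DIGITS = 6   # length of the verification code

# Constructed sample: the published RFC 6238 test key "12345678901234567890",
# Base32-encoded the way a setup QR code carries it. Not a real account secret.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Return the TOTP code for Unix time `at` (default: now)."""
    key = base64.b32decode(secret_b32.upper())
    now = time.time() if at is None else at
    counter = int(now // step)                   # number of steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1):
    """Accept the code for the current step or `drift_steps` steps either side.

    The small window tolerates clock drift between phone and server; a wider
    window would lengthen the time a stolen code stays usable.
    """
    now = time.time() if at is None else at
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        t = now + delta * STEP
        if t < 0:
            continue
        expected = totp(secret_b32, t)
        # Constant-time comparison so timing does not leak matching digits.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET))
```

Because both sides compute the code from the shared secret and the clock, a phone whose time is badly out of sync will produce codes the server rejects.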
Using multiple two-step login providers
More than one two-step login method can be used to secure your safe. In this case, when you log in, you are prompted for the highest-priority second-factor authentication method (see below; 1 = highest priority).
1. Bravura OneAuth
2. Authenticator app
3. Email
Example:
If you have both the Authenticator app (priority 2) and Email (priority 3) providers turned on for your individual safe via Account settings > Security > Two-step login, then when you log in you will be prompted for a verification code from your Authenticator app as a second authentication factor, because Authenticator app has a higher priority than Email.
Using the same example, if the Enterprise Team has two-step login enforcement configured using Bravura OneAuth, that will take priority as your second authentication factor.
Note
Any provider/method will still allow you to authenticate.
To use a lower-priority method (e.g. Email), click Use another two-step login method and then Select another available (enabled) method.
From a Bravura Safe mobile app, tap the vertical ellipsis icon at top right, select Use another two-step login method, select the desired alternative method and proceed with authentication.
Caution
If you typically log in using single sign-on (SSO), do not turn on two-step login via email.