What is multi-factor authentication?

Multi-factor authentication (MFA) is a method of account access control that ensures greater security and identity protection. A user is granted access only after he or she successfully submits multiple pieces of information to a given authentication mechanism. Typically this information falls into at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is).

MFA in Clockwork

The Clockwork application uses multi-factor authentication to ensure that your identity and sensitive information stay protected at all times. Upon setup of MFA on a new or existing user account, the application will request your login email and password, and you will then be prompted to scan a QR code into one of the various authenticator applications available (see the list below).

Once scanned, the authenticator app will read your QR code and give you a one-time only, super secret access code, which you can then enter into the space provided by the Clockwork application. Entered correctly, the access code will automatically open the Clockwork application. 

Note: MFA cookie expiration can vary from a matter of minutes to two weeks. The default for cookie expiration using MFA in Clockwork is two weeks.

Once the authenticator application has read your QR code, only that application on that device will be able to supply the correct access code to your account. Some authenticator applications allow you to connect multiple devices to a single account, but Clockwork does not support that at this time. If you need to enable multiple device features, contact the application directly, or follow the instructions in your authentication app.

MFA Using Authentication Applications

  1. Log in with your email and password.
  2. Download or access your preferred authenticator application (see a list of authentication applications, below).
  3. Scan the QR code onscreen with the authenticator application of your choosing.
  4. Enter the code provided by your authenticator application after successfully scanning the on-screen code.
  5. Voila! You are officially authenticated.

Authentication Applications

There are many free authenticator apps in both Google Play and the App Store. But they’re not the same thing as QR readers — although you will need a QR scanner to make this all work, they are two separate tools. Be sure to select an authenticator app and not just a QR code reader.

Apple App Store:            Google Play:
Authy                       Authy
Google Authenticator        Google Authenticator
Microsoft Authenticator     Microsoft Authenticator
Duo Mobile                  Duo Mobile

MFA Using Other Methods

Time-based one-time passcodes (TOTP)

TOTP-based two-factor authentication involves generating a temporary, unique passcode that only works for a certain amount of time, typically 30-60 seconds. After generating the passcode, a user must type it in manually to authenticate for access.
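
As an added illustration (not Clockwork's code), the sketch below shows how a server can generate and check a time-based code following RFC 6238, including rejection of expired and reused codes. The 30-second step, 6-digit length, one-step clock-drift tolerance and the function names are assumptions; the key is the RFC's published test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed seconds per time step (the text above cites 30-60 s)
DIGITS = 6   # assumed code length


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, code, unix_time, last_used_step=-1, drift_steps=1, step=STEP):
    """Return the matched time step, or None if the code is wrong, expired or reused."""
    current = unix_time // step
    # Accept neighbouring steps so small clock differences do not lock users out.
    for candidate in range(current - drift_steps, current + drift_steps + 1):
        if candidate < 0 or candidate <= last_used_step:
            continue  # never accept a step that was already consumed
        expected = totp(secret, candidate * step, step)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return candidate
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 published test key, not a real secret
    code = totp(key, 59)
    used = verify(key, code, 59)
    print("code:", code, "accepted at step:", used)
    # Same code presented again after the server recorded the step: rejected.
    print("replay:", verify(key, code, 59, last_used_step=used, drift_steps=0))
```

The server stores the step returned by `verify` per user and passes it back as `last_used_step` on the next login, which is what makes each code single-use.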


The process for multi-factor authentication using email is as follows:
  1. A user logs into a website/application with a username and password.
  2. A unique one-time code is generated on the server and sent via email to the user.
  3. The user retrieves the code from the email and enters the code into the app. If it's valid, the user is authenticated and a session is initiated.

For more documentation on TOTP and email authentication, see the following: Different Ways to Implement MultiFactor Authentication


  • If your application can’t read the QR code, try a different authenticator application.
  • If the code supplied by your application is not correct, wait for the application to refresh with a new code and enter it again. Also, make sure you’re using the correct code for the account you’re trying to access. You can do this by confirming in your application that the name and login email attached to the code is the same as the login information you are attempting to use.
  • If you’ve tried all that and you’re still having trouble, contact Clockwork support.
