Two-factor authentication FAQ

This is a short list of our most frequently asked questions about two-factor authentication. For more information about this feature, please see our main documentation or contact support.

Do I have to pay more for two-factor authentication on my Shotgun site?

No. We believe two-factor authentication is an important security feature that everyone should have.

Can two-factor authentication be enabled on a per-user basis?

At this time, two-factor authentication can only be enabled on a global basis.

What if my phone is lost or stolen?

Hopefully you’ve got backup codes! If you do, you should use them until you get a new mobile device. If you don’t, get in touch with your Shotgun Admin ASAP! You can request help from the two-factor authentication code entry screen after entering your password. Clicking “Get help” will automatically email all of the Admins for your Shotgun site (and CC you). You can, of course, also get in touch with them directly. From there, your Admin will need to reset your two-factor authentication settings and you will need to re-configure two-factor authentication for your account with your replacement device. If you don’t have a replacement device or backup codes, Shotgun allows Admins to generate backup codes on behalf of a user (the Admin will then give you the codes) to help with these situations as a last resort.

What if I don’t have my phone with me (but it’s not lost or stolen)?

The answer here is essentially the same as the scenario where your phone is actually lost. Use backup codes if you have them and ask your Admin for help if you don’t.

What if I get a new phone?

Congratulations on getting a new phone! Once you have it up and running, be sure to update your account settings and pair your new phone to your Shotgun account. If you use multiple Shotgun sites, you will need to do this on all of the sites that have two-factor authentication enabled. Note that you may still need your old phone to log into Shotgun one more time in order to change your settings. You can of course also use a backup code for this. If all else fails, request help from your Admin, as described above.

What if I lose my backup codes?

If you lost the printout of your backup codes, you can revoke them in your account settings. Click Show Backup Codes, then click Generate new codes. This will invalidate the previous set of backup codes and generate a new set.

Can I receive codes via text message (SMS) instead of using the Google Authenticator app?

No, though this is in our long-term plans.

Can I still get a code if my mobile phone doesn’t have data reception?

Yes! Neither the Google Authenticator app nor the Duo Mobile app requires a data connection to generate two-factor authentication codes, as long as your mobile phone’s date/time settings are in sync. As you can see in the screencap, Google Authenticator will continue to refresh its codes even in airplane mode.

Why aren’t my Google Authenticator codes working (Android)?

This might be because the time on your Google Authenticator app is not synced correctly.

To make sure that you have the correct time:

  1. Go to the main menu on the Google Authenticator app.
  2. Click Settings.
  3. Click Time correction for codes.
  4. Click Sync now.

On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your device’s Date and Time settings.

Do all of the users on my Shotgun site need to use two-factor authentication?

For now, yes.

Can I use [insert your favorite alternate two-factor authentication option] instead of Google Authenticator or Duo Mobile?

Technically, yes. Shotgun uses a Time-based One-Time Password algorithm (TOTP), so any app that can scan QR codes for setup and generate codes with the TOTP algorithm should work. One example is the Chrome Authenticator. If you have specific needs for a different option than what we provide, let’s discuss that requirement! Start a thread in our feature request forum, send an email to the shotgun-dev list, or reach out through support. We’d love to talk.
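
The sketch below is an added example, not Shotgun's own code. It shows why TOTP codes can be generated offline yet fail when the phone's clock drifts, which is the behaviour behind the data-reception and time-sync answers above. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the ±1 step acceptance window and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (assumed, not confirmed for Shotgun)
DIGITS = 6   # code length; RFC 6238 default (assumed)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / STEP); no network needed."""
    return hotp(secret, int(unix_time) // STEP, digits)


def verify(secret: bytes, code: str, server_time: float, window: int = 1) -> bool:
    """Accept codes up to `window` steps either side of the server clock.
    The window size is a hypothetical server policy chosen for this example."""
    counter = int(server_time) // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
        if counter + d >= 0
    )


def decode_qr_secret(b32: str) -> bytes:
    """The setup QR code carries the shared secret as base32 text."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test key and a fixed server timestamp.
    secret = decode_qr_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server_now = 1_111_111_109
    for drift in (0, 25, 120):  # phone clock ahead of the server by N seconds
        code = totp(secret, server_now + drift)
        ok = verify(secret, code, server_now)
        print(f"drift={drift:>3}s code={code} accepted={ok}")
```

Both sides compute the code from the shared secret and their own clock, so a phone whose clock is minutes off produces well-formed codes that the server rejects.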

Are API calls or mobile logins affected by two-factor authentication?

Yes, it affects all logins (API, mobile, web).

How does two-factor authentication work with API calls?

If you are using user-based authentication via the API, the script will always need human intervention to start. When you run the script, it will prompt for the secondary credential.