Guide · 6 min read

MFA + Backup Codes

Enable time-based one-time passwords (TOTP) and store 10 one-time backup codes so you never get locked out of your RadMah AI account.

Why backup codes matter

TOTP alone is strong — but if you lose the device, the only recovery path is a manual support ticket. RadMah AI solves this with 10 bcrypt-hashed backup codes generated at enrolment. Each is a one-time xxxx-xxxx code (8 lowercase chars, hyphenated), consumed on use, visible as a remaining count in Settings.
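The store described above, as an added example (not RadMah AI's own code): it generates ten xxxx-xxxx codes, keeps only their salted hashes, burns a code on first use and reports the remaining count with the same thresholds as the Settings status row. The standard library ships no bcrypt, so hashlib.scrypt stands in for bcrypt rounds=10 here; the class and function names and the scrypt cost are this example's own assumptions.

```python
"""Backup-code store: ten one-time xxxx-xxxx codes kept only as hashes."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_lowercase      # 26 letters: 26**8 ~ 2.1e11 codes
CODE_COUNT = 10
SALT_LEN = 16
# Demo cost for hashlib.scrypt, which stands in for bcrypt rounds=10 here
# because the stdlib ships no bcrypt. Production: bcrypt.hashpw / checkpw.
KDF = dict(n=2 ** 12, r=8, p=1)


def generate_code() -> str:
    """Eight random lowercase letters, hyphenated after the fourth."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(8))
    return f"{raw[:4]}-{raw[4:]}"


def normalise(code: str) -> str:
    """Treat 'ABCD-EFGH', 'abcdefgh' and ' abcd-efgh ' as the same code."""
    return code.strip().lower().replace("-", "")


def looks_like_backup_code(code: str) -> bool:
    """Cheap shape check so garbage never reaches the KDF."""
    c = normalise(code)
    return len(c) == 8 and all(ch in ALPHABET for ch in c)


def hash_code(code: str) -> bytes:
    """Salted hash; the plaintext is never stored."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + hashlib.scrypt(normalise(code).encode(), salt=salt, **KDF)


def check_code(code: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(normalise(code).encode(), salt=salt, **KDF)
    return hmac.compare_digest(candidate, digest)


@dataclass
class BackupCodeStore:
    """Holds hashes of the codes that have not been used yet."""
    hashes: list = field(default_factory=list)

    def regenerate(self) -> list:
        """Issue a fresh ten-code set and invalidate the old one. The plaintext
        is returned exactly once; only hashes stay behind."""
        codes = [generate_code() for _ in range(CODE_COUNT)]
        self.hashes = [hash_code(c) for c in codes]
        return codes

    def consume(self, submitted: str) -> bool:
        """Burn the matching code. Every stored hash is checked even after a
        hit, so a correct code costs the same time as a wrong one."""
        if not looks_like_backup_code(submitted):
            return False
        matched = None
        for i, h in enumerate(self.hashes):
            if check_code(submitted, h) and matched is None:
                matched = i
        if matched is None:
            return False
        del self.hashes[matched]       # one-time: gone as soon as it is used
        return True

    @property
    def remaining(self) -> int:
        return len(self.hashes)

    def status(self) -> str:
        """Colour of the Settings -> Security status row."""
        if self.remaining >= 3:
            return "emerald"
        if self.remaining >= 1:
            return "amber"
        return "rose"


if __name__ == "__main__":
    store = BackupCodeStore()
    codes = store.regenerate()          # show these to the user once
    print("issued:", codes)
    print("first use:", store.consume(codes[0]), "remaining:", store.remaining)
    print("reuse:", store.consume(codes[0]), "status:", store.status())
```

The loop in consume deliberately keeps running after a match; the response itself reveals whether a code was valid, but the KDF work done should not depend on which slot, if any, matched.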

Step 1: Enrol

  1. Go to Settings → Security
  2. Click Set up MFA
  3. Scan the QR code with any TOTP app (Google Authenticator, Authy, 1Password)
  4. Enter the 6-digit code
  5. Save your backup codes — they appear in an amber card with a Copy-all button
Backup codes are shown exactly once. After dismissal, the platform cannot display them again — you must regenerate.
Step 2: Sign in

On login, enter your email + password → the platform responds with a 202 Accepted + an mfa_pending token. The UI then prompts for either a current 6-digit TOTP OR an unused xxxx-xxxx backup code. Backup codes are consumed on use; the remaining count reflects this immediately.

Step 3: Monitor remaining codes

Settings → Security shows a coloured status row:

  • Emerald — healthy (≥3 remaining)
  • Amber — running low (1-2, consider regenerating)
  • Rose — 0 remaining, regenerate immediately

Step 4: Regenerate

Settings → Security → Regenerate → enter a current 6-digit TOTP → fresh 10-code set appears. Your old codes no longer work.

API reference

curl -X GET https://api.radmah.ai/v1/client/auth/mfa/setup \
    -H "Authorization: Bearer $TOKEN"

Security posture

  • bcrypt rounds=10 matches our password-hashing posture
  • Constant-time verify via bcrypt.checkpw — no timing discrimination
  • No code ever appears in logs, errors, or evidence bundles
  • ~68 years median brute-force time per code on commodity hardware: 26^8 ≈ 2.1 × 10^11 possible codes, halved for the median, which works out to roughly 50 bcrypt(rounds=10) evaluations per second. This is the offline figure for an attacker who already holds the hashes; an online attacker guessing at the mfa_pending prompt has 10 valid codes out of 26^8 per attempt, so throttling that step is what bounds the online path.