What types of 2FA does Group Factor support?

Group Factor supports two types: SMS 2FA (codes sent to a phone number via text, where you configure the service to text your team's dedicated Twilio number) and TOTP authenticator app codes (the 6-digit rotating codes used by apps like Google Authenticator, added via base32 secret key). It does not support hardware keys (YubiKey), push notifications (Duo), or email-based codes.

Can I use Group Factor with Google, GitHub, or AWS?

GitHub, AWS, and most SaaS tools work with both SMS and TOTP. Google accounts typically reject VoIP numbers like Twilio for SMS 2FA — use TOTP instead. Banks and financial services generally support SMS 2FA but results vary.

How much does Group Factor cost?

Group Factor offers a free plan for team members and a Business plan at $20.83 per team per month (billed annually) or $25 per team per month (billed monthly). There is a 3-day free trial with no setup fees.

How long are codes kept?

SMS codes are kept in memory for 10 minutes, then automatically purged. TOTP codes are generated on demand and never stored — they are computed from the secret each time.

Help & FAQ — Group Factor 2FA Code Sharing

What is Group Factor?

Group Factor is a team 2FA relay. Instead of a 2FA code going to one person's phone — and locking everyone else out if that person isn't available — it comes to a shared team inbox where every authorized member can see it instantly.

It works for both types of 2FA:

SMS codes — the service texts a code to your team's Twilio number instead of a personal phone.
Authenticator app codes — you add the TOTP secret once and the whole team sees the live rotating code.

💡

Group Factor is ideal for shared accounts — AWS root, social media logins, billing portals — where 2FA codes shouldn't depend on one person being available.

How it works

The flow from login attempt to code in 30 seconds or less.

SMS codes

The super admin creates a team and a Twilio number is automatically provisioned for it.
You configure the service (bank, cloud console, etc.) to send 2FA texts to that Twilio number.
The next time a code is sent, Twilio forwards it to Group Factor.
Every team member with the app open sees the code appear instantly — no refresh needed.
Members with SMS forwarding enabled also receive the code as a text to their personal phone.

TOTP codes

The super admin finds the base32 secret key for the service (shown when setting up an authenticator app).
They add it to the team via Admin → select team → Authenticators.
All team members immediately see the live 6-digit code with a countdown bar.
The code updates automatically every 30 seconds — identical to what Google Authenticator would show.

SMS 2FA codes

Receive 2FA codes sent by SMS — banks, cloud platforms, SaaS tools — shared with your whole team in real time.

Setting up a service to use your team number

Every team in Group Factor has a dedicated phone number (e.g. +1 902 555 0123). To route a service's 2FA texts to your team:

Go to the service's account security settings.
Find the two-factor authentication or phone number section.
Enter your team's Twilio number as the phone number for SMS codes.
The service will send a verification code to confirm — this appears in Group Factor immediately.
Enter that code back in the service to complete the setup.

⚠️

Some services (like Google) only allow personal phone numbers for 2FA and will reject VoIP numbers like Twilio. TOTP is a better option for those.

Phone number format

Your team's number is shown in the admin panel in E.164 format: +15550001234. Most services will also accept it formatted as (555) 000-1234 or 555-000-1234.

Message display

Each code appears as a card in the feed showing the sender number, the full message body, and the extracted code highlighted in blue. Cards auto-expire after 10 minutes.

TOTP authenticator

For services that use authenticator apps (Google Authenticator, Authy, 1Password, etc.), Group Factor can generate the same rotating codes — shared with the whole team.

What is TOTP?

TOTP (Time-based One-Time Password) generates a 6-digit code that changes every 30 seconds. It's based on a secret key stored by both the service and your authenticator. Group Factor stores that same secret and generates the identical code on the same schedule.

Finding the secret key

When you set up an authenticator app for a service, it shows a QR code. That QR code contains a base32 secret key. To get the raw key:

Look for a link like "Can't scan? Enter manually" or "Show key" near the QR code.
The key looks like: JBSWY3DPEHPK3PXP — uppercase letters and the digits 2–7.
Spaces in the displayed key don't matter — paste it as-is.

⚠️

The secret key is shown only once during initial setup. If you've already scanned the QR code without saving the key, you'll need to remove and re-add the authenticator on the service to get it again.

Adding an authenticator to a team

Go to Admin → select the team → scroll to Authenticators.
Enter the service name (e.g. "GitHub", "AWS Console").
Paste the base32 secret key.
Click Add — the code is validated immediately.

All team members will see the live code on their feed right away. The card shows a depleting progress bar — when it turns red, the code expires in under 5 seconds.

SMS forwarding

Get incoming codes sent directly to your personal phone as a text — useful when you're away from your computer.

Setting it up

Go to Settings (gear icon, top right).
Enter your personal mobile number under Mobile number in E.164 format: +15550001234.
Toggle on Forward codes to my phone.
Click Save changes.

How forwarded messages look

Forwarded texts come from your team's Twilio number, so you can see which team (and therefore which service) the code is for. The message is prefixed with the team name: [Engineering] Your code is 481623.

✓

Forwarding works for SMS codes only. TOTP codes rotate every 30 seconds, so a forwarded text would expire before it's useful — just check the app instead.

Turning it off

Go to Settings, toggle off Forward codes to my phone, and save. You can also just clear your phone number to disable it automatically.

Teams

Teams are how Group Factor organises access. Each team has its own phone number and member list. Members only see codes for teams they belong to.

Creating a team

Only the super admin (the account that signed up first) can create teams. From the Admin panel:

Click + New in the sidebar.
Enter a team name, choose a country, and optionally specify an area code.
Click Create team — a Twilio number is provisioned automatically.

Supported countries: 🇺🇸 United States, 🇨🇦 Canada, 🇬🇧 United Kingdom, 🇦🇺 Australia.

Adding members

From Admin → select a team → Members section:

Add — instantly adds an existing Group Factor user by email.
Invite — sends an invitation email to someone who doesn't have an account yet.

Billing

Teams cost $5/team/month. Your Stripe subscription quantity updates automatically as you create or delete teams. Manage your payment method and invoices via the Manage billing button in the admin panel.

Troubleshooting

Codes not appearing in the feed

Check the Live badge in the top bar — if it shows "Disconnected", refresh the page.
Confirm the service is configured to send to the correct Twilio number (check Admin → team → phone number).
If you recently changed the webhook URL, old Twilio Messaging Services keep their own webhook setting — update it directly in the Twilio Console under Messaging → Services.
Check that your area code and country match. Some Canadian area codes require the country to be set to CA, not US.

TOTP code doesn't work

Make sure you pasted the raw base32 key, not a QR code URL or image.
The key should only contain letters A–Z and digits 2–7. If yours has other characters, it may be Base64 or hex — those aren't supported.
If the code is consistently off by one window (30 seconds), your server clock may be out of sync — this is rare on hosted servers but can happen locally.

SMS forwarding not working

Confirm your number is in E.164 format: +15550001234 (country code, no spaces or dashes).
Make sure forwarding is toggled on and you clicked Save.
Twilio cannot send SMS to some VoIP or landline numbers — use a real mobile number.

Invitation email not received

Check the spam folder.
The invitation link expires after 7 days — ask the admin to re-send it.
In development, invitation URLs are logged to server.log so you can use them directly without email.

FAQ

Group Factor supports two types:

SMS 2FA — codes sent to a phone number via text. You configure the service to text your team's dedicated Twilio number.
TOTP (authenticator app codes) — the 6-digit rotating codes used by apps like Google Authenticator. You add the base32 secret key to Group Factor and it generates the same codes.

It does not support hardware keys (YubiKey), push notifications (Duo), or email-based codes.

GitHub, AWS, and most SaaS tools — yes, both SMS and TOTP work well.

Google accounts — Google typically rejects VoIP numbers (like Twilio) for SMS 2FA. Use TOTP instead: go to your Google account security settings, set up an authenticator app, grab the base32 key, and add it to Group Factor.

Banks and financial services — most support SMS 2FA but some verify the number is a mobile carrier. Results vary — try it and see.

It depends on the service. Most services only accept a 2FA code once — the first person to enter it uses it up. Group Factor shows the code to everyone, but only one person will be able to use it for login. Coordinate with your team to decide who is logging in.

TOTP codes are different — the service typically accepts the same code for the full 30-second window from multiple logins, so concurrent use is more practical.

Group Factor is designed for shared accounts where a team already has access to the underlying credentials. Sharing a 2FA code between authorised team members is no less secure than one person having sole access.

Codes are only visible to authenticated users who are members of the relevant team. Codes expire from the feed after 10 minutes. TOTP secrets are stored server-side and never sent to the browser — only the generated code is.

We do not recommend using Group Factor to share personal account codes with people who don't already have access to the account.

$5/team/month, billed through Stripe. Your subscription quantity adjusts automatically as you create or delete teams.

There's a 7-day free trial — a card is required upfront but you won't be charged until the trial ends.

There are no per-user charges, no message limits, and no charges for SMS forwarding beyond your normal carrier rates.

Note: Twilio charges separately for phone number rental (~$1/month/number) and SMS messages. These are billed directly to your Twilio account, not through Group Factor.

Deleting a team removes all members, releases the Twilio phone number back to Twilio (so you stop being charged for it), and removes any TOTP secrets. This cannot be undone.

Your Stripe subscription quantity decreases automatically, so you'll be charged less from the next billing cycle.

The first user to register on your Group Factor instance becomes the super admin. The super admin controls billing, creates and deletes teams, provisions phone numbers, and adds or invites members. Regular members can only view their team's codes and manage their own profile settings.

SMS codes are kept in memory for 10 minutes, then automatically purged. The feed updates in real time — old cards disappear from everyone's screen simultaneously when they expire. Codes are not stored in a database.

TOTP codes are generated on demand and never stored — they're computed from the secret each time you load the page.