Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) lets users add an extra layer of security to their Sprocket login by requiring a one-time verification code in addition to their password. MFA is optional and user-controlled — also referred to as two-factor authentication or 2FA.
What you'll find in this article
What MFA is and who can use it
How to set up MFA on your account
How verification codes work after setup
What to do if you lose access to your verification method
Current limitations and situations where MFA may not work as expected
Who can enable MFA?
MFA is available to all users in the Sprocket system. Each user must opt in individually from their own profile — clubs cannot require MFA on behalf of their users at this time.
All roles can configure MFA, including Club Administrators, Coaches, Directors, Team Managers, Volunteer Coaches, and Players.
How do I set up MFA on my account?
MFA is configured from your personal profile settings. Availability: web browser only — MFA does not apply to mobile app login.
Log in to Sprocket
Go to Account > Profile
Scroll to the Multi-Factor Authentication section at the bottom of the page, below the Password field
Select your preferred verification method:
Email verification — a one-time code is sent to the email address on file
Authenticator app — connect an app such as Google Authenticator or Microsoft Authenticator to generate time-based codes Note: SMS verification is not available.
Complete setup by entering the one-time verification code sent to your chosen method
This verification step only happens once during setup. You will only need to repeat it if you disable MFA and re-enable it, or if you switch verification methods.
How does MFA work when I log in?
After MFA is enabled, you will be prompted to enter a one-time verification code after your password the next time you log in.
Your code is valid for 30 days per browser. During that window:
You can log in and out as many times as you want in the same browser without being asked for a code
If you log in using a different browser, you will be prompted for your code again, even within the 30-day window
Once 30 days have passed, you will be asked to enter a new verification code at your next login
What should I do if I can't access my verification method?
If you lose access to your email inbox or delete your authenticator app without disabling MFA first, you may be unable to complete login.
Contact your club administrator or Sprocket Support. An admin with access to Account Settings can disable MFA on your profile, which will allow you to log in without a code. Once logged in, you can set up MFA again with an updated email address or a new authenticator app.
Are there any situations where MFA may not work as expected?
Shared logins MFA is not compatible with shared credentials. If multiple people use the same login, they will not reliably receive verification codes. Each user should have their own individual account.
Password resets Resetting your password does not disable MFA. After a password reset, you will still be prompted for your verification code at login.
Email delivery delays One-time codes sent by email may occasionally be delayed. Check your spam or junk folder if a code does not arrive, wait a few minutes, and try again.
Advanced authentication policies IP restrictions, device management, and other advanced authentication controls are not available at this time.
FAQs
Can an admin turn on MFA for other users?
No. Each user must enable MFA from their own profile. Admins can only disable MFA on another user's account if that user has lost access to their verification method.
Which verification method is more secure?
Authenticator apps are generally considered stronger than email verification and are recommended for admins and users with access to financial data.
Does MFA apply to the mobile app?
No. MFA applies to web login only.
Can I disable MFA after enabling it? Yes. Go to Account > Profile and scroll to the Multi-Factor Authentication section to disable it.