We're removing the optional 2FA step from Empath

We're retiring the optional two-factor authentication feature in Empath, the one that asked you to add an authenticator-app code on top of your normal login. If you never turned it on, nothing about your experience changes. If you did, that extra step will simply go away. Either way, your account security stays exactly as strong as it is today, and signing in gets noticeably simpler.

Because anything with "2FA" in the name can sound alarming when it's removed, we want to walk through this carefully and in plain language. The short version: the protection that actually keeps your account safe was never the 2FA step. It lives somewhere stronger, and it isn't going anywhere.

A quick refresher on how Empath login works

Empath has always been passwordless. There has never been an Empath username and password for you to create, remember, or protect. Instead, you sign in using your existing work identity through your organization's identity provider, along with passwordless options like a one-time login code or a magic link sent to your email.

Your identity provider is the system your company already uses to manage who you are and what you can access, for example Microsoft 365 (Entra) or Google Workspace. When you log in to Empath, that provider is the thing vouching for you.

Where your security actually comes from

This is the part worth slowing down on, because it's the heart of why removing the TOTP step (the authenticator-app code) doesn't weaken anything.

Your real protection comes from your identity provider, not from Empath. When you sign in, your provider applies all of its own defenses before it ever hands you off to us: the multi-factor authentication your IT team requires, conditional access rules, device checks, and risk-based prompts. Those protections are set centrally by your own administrators and apply consistently across every app your organization uses, with Empath being just one of them.

That includes the passwordless options. A one-time code or magic link is delivered to your work inbox, and that inbox is itself protected by your identity provider. To receive and use a login code, you first have to be signed in to your provider, which means you've already cleared its multi-factor and access checks. So even the "simple" login paths sit behind your provider's full set of protections.

In other words, the strong, trusted boundary is your identity provider. Everything routes through it.

Where the optional 2FA step fit in (and why it didn't help much)

On top of all of that, Empath used to let individual users add an authenticator-app code as an extra step. The intention was good, but in practice it was a second factor stacked on top of accounts that were already protected by multi-factor authentication at the identity provider. It duplicated protection you already had, rather than adding a new layer underneath it.

What it did reliably add was confusion:

  • Two prompts that felt redundant. Many users would get their one-time login code, enter it, and then immediately be asked for a separate authenticator code. Having to clear what looked like two different security checks back-to-back left people unsure whether something was wrong.
  • Confusion about why it was even there. Users who had switched it on often didn't remember doing so, and weren't sure why Empath was suddenly asking for an authenticator app when their provider already handled their security.
  • Avoidable lockouts. People who lost, reset, or replaced the phone holding their authenticator app got locked out of Empath, even though their actual identity and access were working perfectly fine everywhere else.
  • Support overhead. Setting up and recovering TOTP generated a steady stream of support tickets for a feature that wasn't meaningfully improving anyone's security.

Removing it clears all of that up without giving anything away.

This lines up with security best practice

Retiring a per-app, per-user authenticator toggle in favor of centralized, identity-provider-enforced MFA isn't us cutting a corner. It's the direction recognized security guidance points to.

The CIS Controls (Control 6, Access Control Management) treat enforcing MFA through a directory service or SSO provider as a satisfactory way to meet the multi-factor requirement for applications, and they specifically recommend centralizing access control through that identity provider so protection is applied consistently rather than reinvented app by app. That's precisely the model Empath relies on: your provider enforces MFA and access policy centrally, and Empath honors it. A separate, optional factor bolted onto our login ran against that grain.

What happens to your TOTP setup

If you previously enrolled in TOTP 2FA, you don't need to do anything. The setup will be removed automatically. The next time you sign in, you'll simply use your normal passwordless method, with no authenticator-app prompt.

What's not changing

Your data is safe. Training content, custom courses, assignments, and historical progress are completely unaffected. Your underlying sign-in methods, and the multi-factor protection your identity provider enforces, stay exactly as they are.

Security FAQ

Is Empath less secure now?

No. The TOTP step duplicated protection that already exists at your identity provider, which is where your real multi-factor security lives. That protection is unchanged. We've only removed a redundant second prompt.

So there's no MFA anymore?

There is. Multi-factor authentication is enforced by your identity provider (such as Microsoft 365 or Google Workspace) on every sign-in. It's handled centrally by your IT team rather than by a separate Empath prompt, which gives you more consistent control, not less.

If a login code just goes to my email, isn't that weak?

Not in this setup. Your work inbox is itself protected by your identity provider, so receiving and using a login code means you've already passed your provider's multi-factor and access checks. The code isn't the security boundary; your identity provider is.

I had TOTP enabled. Do I need to do anything?

No. It's removed automatically. Just sign in with your usual passwordless method.

Can my organization enforce its own security rules?

Yes, and the right place to do it is through your identity provider rather than a per-user toggle inside Empath. If you want to force sign-in through your identity provider and have additional conditional access rules, such as device checks or location restrictions, applied to Empath, enable SSO. With SSO, Empath authenticates through your identity provider, so your provider's security policies are enforced on every Empath sign-in. SSO is included at no extra cost, and our team is glad to help you set it up.

Thanks for trusting us with your platform.

The Empath Team