
Two-Factor Authentication (deprecated)

Last updated April 25, 2024

Table of Contents

  • Enabling Two-Factor Authentication
  • Setting Up Recovery Options
  • Using Two-Factor Authentication on the Command-Line Interface
  • Using Recovery Codes
  • Recovering From Lock-Out
  • Changing Your Mobile Device
  • Disabling Two-Factor Authentication

This feature is deprecated and replaced by multi-factor authentication.

If you previously enabled two-factor authentication (2FA), you’re automatically migrated to use multi-factor authentication. Your authenticator app and recovery codes continue to work as MFA verification methods. Any phone number configured as 2FA backup can be used as a verification method for a limited time.

Two-factor authentication adds an extra layer of security to your Heroku account by asking for a verification code after you sign in with your email address and password.

An application on your smartphone generates the verification code. To gain access to your account a potential attacker would need your email address, your password, and your phone.

We recommend that all users enable two-factor authentication for their accounts.

Enabling Two-Factor Authentication

Enabling two-factor authentication logs you out of all but the current session and regenerates your API key. SSH-based Git push isn’t affected.

You can enable two-factor authentication on your Dashboard account page by clicking the Enable two-factor authentication button and following the on-screen instructions.

Download an authenticator app for your smartphone. We recommend Google Authenticator or Authy, but other alternatives also work.

Scan the barcode shown on the Dashboard page with the downloaded authentication app.

To validate your device, enter the six-digit code displayed on your smartphone. Two-factor authentication is now enabled for your account.

Setting Up Recovery Options

After you configure your smartphone authenticator app, Heroku prompts you to add and validate a phone number. An SMS can be sent to the phone number during login to recover access to your account in case you lose access to your authenticator app and you don’t have access to your recovery codes. SMS backup recovery by phone is strongly recommended to avoid losing access to your account.

Heroku validates your phone number by sending an SMS with a setup code. Sometimes Heroku can’t deliver messages to your phone number. In that case, skip the SMS setup, and be extra diligent when downloading and storing the recovery codes in a safe and accessible place. If you encounter problems setting up SMS recovery, email 2fa-feedback@heroku.com.

Do not use Google Voice or other VoIP numbers for two-factor SMS recovery. If your online identity, such as your email account, is compromised, attackers may be able to gain access to your VoIP phone account, receive recovery messages, and get access to your Heroku account. Also check that your phone account subscription is secure so that attackers can’t improperly access SMS messages through an online interface or similar.

Heroku prompts you to download recovery codes. Recovery codes are single-use and can be used as an alternative to 2FA codes delivered via your authenticator app or with SMS.

After enabling two-factor authentication, download and print your recovery codes, and then store them in a secure place. If you lose your phone, you can use them to authenticate. For security reasons, sometimes Heroku Support can’t restore access to accounts with two-factor authentication enabled if you lose your phone, you can’t recover with SMS, and you don’t have access to your recovery codes.

Using Two-Factor Authentication on the Command-Line Interface

After your account has two-factor authentication enabled, you’re asked to reauthenticate the next time that you use the command-line interface.

Make sure that you have the latest CLI version with two-factor authentication support by running heroku update.

You can authenticate with your email address and password followed by the authentication code displayed on your phone.

$ heroku login
Enter your Heroku credentials.
Email: email@example.com
Password: password
Two-factor code: 123456
...

Using Recovery Codes

If you lose access to your two-factor device, for example because you lost your phone or it was wiped, you can still log in to your account. When prompted for the second factor after entering your account password, choose Enter a Recovery Code. You can then enter one of your recovery codes instead of a token from your two-factor device. Note that each recovery code can only be used once.

After you log in to your account, reconfigure two-factor authentication on the account page.

Recovering From Lock-Out

If you’re locked out due to a two-factor issue, DO NOT reset your password.

To prevent lock-out, always download recovery codes, store them in a safe place, and make sure that your SMS number is up to date. To get recovery codes, from your account page, click View Recovery Codes.

If for some reason you lose access to your two-factor device and your recovery codes, you have three additional ways you can regain access.

  1. If you’re logged into Dashboard in a browser, you can turn off two-factor authentication for your account on the Settings page. You’re asked for your password.
  2. If you have a valid CLI session on your computer, you can use the CLI to turn off two-factor authentication with the command heroku 2fa:disable. You’re asked for your password.
  3. If you set an SMS number, you can obtain a two-factor code via SMS. Choose Get a code via SMS when logging in.

If none of these methods work for you, you’re not guaranteed to regain access to your account. For help, email account-lockout@heroku.com. We can only disable two-factor authentication if we can verify your ownership of the account, which isn’t always possible.

Changing Your Mobile Device

If you change to a new mobile device, you must disable two-factor authentication and then re-enable it using the new device. If your old device is still functional, use the authenticator app on the old device to log in. It works even if you’re not connected to the network. If your old device no longer works, use your recovery codes or the other recovery methods mentioned above.

Note that even if you restore a backup of your old mobile device on a new device, it’s possible that you still must reconfigure two-factor authentication. For security reasons, the two-factor configuration isn’t backed up by the Google Authenticator app. Other applications can work differently.

If you use an iPhone, enable encryption on your iPhone backup so that many passwords are remembered after a restore. Some users have reported success with restoring the Google Authenticator app this way.
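The following added example (not Heroku's code) shows why the authenticator app works without a network connection and why each recovery code works only once. It assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step) that apps such as Google Authenticator implement; the page does not state Heroku's parameters, and the `verify` and `redeem_recovery_code` helpers, the drift window, and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """The phone needs only the secret from the scanned barcode and its own
    clock, which is why the code can be generated while offline."""
    return hotp(secret, unix_time // step)

def verify(secret: bytes, code: str, unix_time: int,
           last_step: int = -1, window: int = 1, step: int = 30):
    """Server side (assumed policy): tolerate +/- `window` steps of clock
    drift and refuse any step at or before the last accepted one (replay).
    Returns the matched step to store as the new last_step, or None."""
    current = unix_time // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None

def redeem_recovery_code(stored_hashes: set, code: str) -> bool:
    """Single-use recovery code: only hashes are stored, and a hash is
    deleted the moment its code is redeemed."""
    digest = hashlib.sha256(code.encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False

# Constructed sample data: the RFC 6238 test key and made-up recovery codes.
SECRET = b"12345678901234567890"
RECOVERY = {hashlib.sha256(c.encode()).hexdigest()
            for c in ("sample-code-1", "sample-code-2")}

if __name__ == "__main__":
    print(totp(SECRET, 59))                               # code for t=59
    print(verify(SECRET, totp(SECRET, 59), 89))           # accepted with drift
    print(redeem_recovery_code(RECOVERY, "sample-code-1"))  # first use
    print(redeem_recovery_code(RECOVERY, "sample-code-1"))  # second use fails
```

Because the secret alone is enough to generate valid codes, a device backup that contained it would amount to a copy of the second factor.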

Disabling Two-Factor Authentication

You can disable two-factor authentication from the Dashboard account page. For added security, you’re asked to supply your password. You can also disable it from the CLI with this command and your password.

$ heroku 2fa:disable
