What it Does
- Secures your account by requiring the code once per 30 days (per browser)
- Allows for recovery using offline recovery codes and/or SMS recovery code
What it Doesn't Do
- Save your passwords or other credentials
First, opt in yourself by visiting the "Profile/Password" page.
Then scroll down and enable it.
You will be in a wizard, and it won't be turned on unless you successfully enter one code.
Now open Google Authenticator (or a similar, compatible app) on your smartphone and scan the QR code to add the account to the app.
Great! Now it's enabled. Next, download some one-time-use recovery codes and put them somewhere very safe. You cannot access your account without these if you lose access to the Authenticator profile you just added.
Now you should really also set up recovery SMS.
Now you are really done setting yourself up. If you want, you can force everyone in your company to do this. WARNING: Once you enable it, they are immediately forced into this setup wizard, so time it for when everyone is ready to set it up, or you might lock people out.
You can see which users have enabled it here too.
If someone gets locked out, an admin on your account can "unlock" a user account, but without recovery codes or recovery SMS a user account cannot be unlocked.