OpenReview Introduces Multi-Factor Authentication for All Users
OpenReview has implemented Multi-Factor Authentication (MFA), giving users additional tools to protect their accounts beyond a password alone. This feature is now available to all users and supports three authentication methods, allowing flexibility based on individual preferences and security needs.
Supported MFA Methods:
- Authenticator App (TOTP) — Use any standard authenticator app (such as Google Authenticator, Authy, or 1Password) to generate time-based one-time codes at login.
- Email OTP — Receive a one-time verification code sent to the email address used to sign in.
- Passkey (WebAuthn) — Use biometric authentication (fingerprint, Face ID) or a hardware security key for a passwordless second factor.
How to Enable MFA:
- Navigate to Password & Security, or click the dropdown in the upper right corner where your name is displayed and select Password & Security.
- Under the Multi-Factor Authentication section, choose one or more methods to configure:
  - For Authenticator App, click Set up, scan the QR code with your authenticator app, and enter the 6-digit verification code.
  - For Email, click Enable — one-time codes will be sent to your sign-in email when prompted.
  - For Passkey, click Set up, name your passkey (e.g., "Laptop Touch ID"), and follow the browser prompt to register your biometric or security key.
- When your first method is configured, you will receive a set of recovery codes. Save these in a secure place — they are your backup if you lose access to your primary method.
- If you configure multiple methods, you can mark one as your preferred method using the "Set as Preferred" button.
Python Client and CLI Support:
MFA is also fully supported in the OpenReview Python client. Both the v1 (Client) and v2 (OpenReviewClient) clients handle MFA seamlessly during login. In interactive environments — including terminals and Jupyter notebooks — users are prompted to choose their MFA method and enter a verification code. For passkey authentication, the client automatically opens a browser to complete the WebAuthn ceremony. In non-interactive environments such as CI pipelines or automated scripts, the client raises an MfaRequiredException with the pending token and available methods, allowing callers to handle MFA programmatically. Accounts without MFA enabled are unaffected, ensuring full backward compatibility.
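A non-interactive caller that handles MFA programmatically with the Authenticator App method has to produce the 6-digit code itself. The following is an added example, not code from OpenReview or its Python client: a standard-library RFC 6238 implementation checked against the RFC's public test secret. It assumes the common authenticator parameters (HMAC-SHA1, 30-second step) and does not show how the code is passed back to the client, since this page does not document that call.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), base32-encoded.
# Public test value, not a real account secret.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at=None, digits=6, step=30):
    """Return the RFC 6238 TOTP code (HMAC-SHA1) for Unix time `at`."""
    # Enrollment secrets are often shown lowercase, spaced and unpadded.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
    # byte selects a 4-byte window; the top bit is masked off.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, at=None, window=1, digits=6, step=30):
    """Verifier-side check: accept codes within +/- `window` steps of `at`."""
    now = int(time.time() if at is None else at)
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, max(0, now + drift * step), digits, step)
        # Fixed digit count and constant-time compare; no early exit.
        ok |= hmac.compare_digest(expected.encode(), code.encode())
    return ok


def seconds_remaining(at=None, step=30):
    """Seconds until the current code expires; a job can wait if this is low."""
    now = int(time.time() if at is None else at)
    return step - (now % step)
```

A TOTP secret held by an automated job is as sensitive as the account password, so it belongs in the pipeline's secret store and not in the repository or job logs.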
Additional security features include:
- Trusted Devices — Mark frequently used devices as trusted to reduce repeated MFA prompts.
- Recovery Codes — Generate one-time-use backup codes during MFA setup, ensuring account access even if the primary MFA method is unavailable. Codes can be downloaded or copied to your clipboard and regenerated at any time from the Password & Security page.
The implementation also integrates with existing platform operations. When two profiles are merged, the secondary profile's MFA configuration is automatically cleaned up while preserving the primary profile's settings. Similarly, when a profile is renamed, the MFA configuration is updated to stay associated with the correct account.
This release is part of OpenReview's ongoing commitment to strengthening platform security and protecting the integrity of the peer review process. We encourage all users to enable MFA to help safeguard their accounts. If you encounter any issues or bugs, please report them through our contact page and we will be happy to address them.