Two-Factor Authentication

(Versions 7+)

Two-Factor Authentication is an extra layer of security in addition to the standard username and password. Closely related terms that are also covered here are Multi-Factor Authentication (MFA) and Two-Step Verification (2SV).

Supported Providers

Here is a list of supported providers, with links to their configuration guides. Each type of Two Factor Provider has its own configuration requirements:

Authenticator Apps

These apps provide one-time 6-digit verification codes and can be used to secure your account, for example, Google 2-Step Verification.

Note: All of these alternatives, and any app that implements the industry-standard Time-based One-Time Password (TOTP) algorithm, are supported in the application through the Google Authenticator Provider workflow.


  • Fingerprint Sensor (android, iOS, Windows mobile)

Client Certificates

Network Resource

Note: All of these use the RADIUS Provider workflow, with the PAP, CHAP, or MS-CHAPv2 protocols.
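For administrators choosing between the PAP and CHAP options above, the following added example (not the product's code; the shared secret, Request Authenticator and passwords are constructed for the demonstration) shows what a RADIUS client actually sends in each case, per RFC 2865: with PAP the password is only obfuscated with MD5 keyed by the shared secret, so the RADIUS server (and anything else holding that secret) recovers it in cleartext; with CHAP only an MD5 response to a challenge crosses the wire, but the server must hold the password in a form from which it can recompute that response.

```python
"""How a RADIUS client protects the credential it forwards, per RFC 2865.

Added example, not the product's code: the shared secret, Request
Authenticator and passwords below are constructed for the demonstration.
"""
import hashlib
import hmac
import os


def pap_encrypt_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 (User-Password attribute).

    The password is padded with NULs to a multiple of 16 bytes; each 16-byte
    block is XORed with MD5(secret || previous ciphertext block), where the
    first "previous block" is the 16-byte Request Authenticator.
    """
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def pap_decrypt_password(encrypted: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encrypt_password, as run by the RADIUS server.

    Anyone holding the shared secret and seeing the packet can recover the
    cleartext password, which is why PAP depends on the strength of that
    secret and on the transport between client and server.
    """
    if not encrypted or len(encrypted) % 16:
        raise ValueError("encrypted User-Password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(encrypted), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")  # NUL padding removed; passwords cannot end in NUL


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 section 2.2: CHAP-Password value = MD5(id || password || challenge).

    The password never crosses the wire, but the server must hold it in a
    form from which this hash can be recomputed.
    """
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """Server-side check; constant-time comparison avoids leaking a prefix match."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)          # the client's Request Authenticator
    wire = pap_encrypt_password(b"correct horse battery", secret, authenticator)
    print("PAP on the wire:", wire.hex())
    print("PAP recovered:  ", pap_decrypt_password(wire, secret, authenticator))

    challenge = os.urandom(16)              # CHAP-Challenge attribute
    resp = chap_response(0x2A, b"correct horse battery", challenge)
    print("CHAP accepted:", chap_verify(0x2A, resp, b"correct horse battery", challenge))
```

Both constructions rest on MD5 and on the shared secret, so neither replaces a protected transport between the application and the RADIUS server; the example only makes visible what each protocol exposes to that server.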

Physical Devices

Note: These use the Yubico OTP protocol.

Enabling Two Factor Authentication

Two Factor Authentication (2FA) can be enabled for your users by:

  • Opening an existing Policy (the Two Factor settings are only displayed after the Policy is created),
  • Configuring a 2FA Provider, and
  • Enrolling the Users

Bulk User Enrollment

Administrators can set up all users with self-enrollment into Two-Factor Authentication:

  • Settings on the 2FA Provider:
    • User Can Generate Code - users can generate their own secret
    • User Can Self-Enroll - users can enroll on their own, after their first login

Enroll a Single User

Administrators can enroll a single user with Two-Factor Authentication:

  • Set from the User's Details page

Reset Two Factor Secret

Administrators can reset a user's secret from the User's Details -> Configure screen by clicking either:

  • A) Reset, and provide the user with the new secret, or
  • B) Disable the previous 2FA configuration, allowing the user to re-enroll at their next login
    • Depends on the 2FA Provider options User Can Generate Code and User Can Self-Enroll

Two Factor Policy Configuration

2FA configuration details are found on the Policy, in the Two Factor Policy section.

  • Required: Setting Two Factor to Required makes Two Factor Authentication mandatory for all users of the policy. A user who has no Providers configured will not be able to log in.
    • It is recommended that Required only be used for policies where two factor configuration is entirely managed by the administrators.
    • Alternatively, it may be turned on after users have been given sufficient notice and opportunity to configure and enable their two factor authentication.
  • Enabled: Configuring at least one Two Factor Provider allows users with the policy to use two factor authentication during sign in.
    • If multiple providers are enabled, users may be able to choose which two factor provider to use (depending on the user's configuration).
    • Each user must have at least one two factor provider configured and enabled for the two factor authentication step to appear for them.
  • Disabled: When none of the Two Factor configurations are enabled, the 2FA step is removed from the sign in process, even if users previously had Two Factor configured and enabled for themselves.

Browser Remember Flag

  • Enabling this allows users to set a flag that bypasses the Two Factor requirement for their current browser.
    • Users will see a "Remember this browser?" check box on first use of Two Factor Authentication.
    • Setting this value disables the 2FA requirement for this user in this same browser.
    • 2FA (if enabled) will still be required if they sign in from a new browser.
  • Disabling this prevents the option from being available to users, forcing 2FA on every sign in.

Users should only check this option when signing in from secure browsers.
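To make concrete what a browser-remember flag should and should not grant, here is an added illustrative design (not this product's implementation): the browser holds an HMAC-signed, expiring token bound to one user and to that user's current "2FA generation" number, so that resetting the user's secret (as in Reset Two Factor Secret above) or re-enrolling them bumps the generation and invalidates every remembered browser at once. SERVER_KEY, the generation counter and the 30-day lifetime are assumptions made for the demonstration.

```python
"""An illustrative "remember this browser" token: an HMAC-signed, expiring
assertion bound to one user and to that user's current 2FA generation number,
so resetting or re-enrolling 2FA invalidates every remembered browser at once.

Added example, not this product's implementation. SERVER_KEY, the generation
counter and the 30-day lifetime are assumptions made for the demonstration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = b"constructed-demo-key-keep-server-side"  # assumption: one server-held key
REMEMBER_DAYS = 30                                     # assumption: bounded lifetime


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_token(user_id: str, twofa_generation: int, now=None,
                         ttl_days: int = REMEMBER_DAYS) -> str:
    """Set as an HttpOnly cookie after a successful 2FA step when the user
    ticked "Remember this browser?". The nonce makes each issued token unique."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "gen": twofa_generation,
              "exp": now + ttl_days * 86400, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(sig)


def browser_is_remembered(token: str, user_id: str, twofa_generation: int, now=None) -> bool:
    """Decide whether the 2FA step may be skipped. The signature is checked
    before anything in the body is trusted; the token must belong to the user
    signing in, match their current 2FA generation, and be unexpired."""
    now = int(time.time() if now is None else now)
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _b64d(body_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return False
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False
    claims = json.loads(body)
    return (claims.get("sub") == user_id
            and claims.get("gen") == twofa_generation
            and now < claims.get("exp", 0))


if __name__ == "__main__":
    alice_gen = 1                       # stored with the user record (assumption)
    cookie = issue_remember_token("alice", alice_gen)
    print("same browser, same user:", browser_is_remembered(cookie, "alice", alice_gen))
    alice_gen += 1                      # admin resets Alice's 2FA secret
    print("after 2FA reset:        ", browser_is_remembered(cookie, "alice", alice_gen))
```

The token is a bearer credential for skipping 2FA, which is why the advice above to use it only on secure browsers matters: binding it to the user, giving it an expiry, and tying it to a generation counter limits how long and for whom a copied cookie is useful, but does not make the copy harmless.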

Two Factor Providers

Note: The list of Two Factor Providers is displayed once the policy is created.

The following options are common to all two factor provider configurations.

Each available Two Factor Authentication provider can be enabled or disabled on a per-policy basis. Some Two Factor Providers are easy for the user to configure and enable, making them good choices for optional protection. Other Two Factor Providers must be configured and managed by an administrator. See the descriptions of each Provider to help you select which ones are right for your security needs.

User Can Disable Provider

In a policy where 2FA is optional, this option should be enabled. This will allow the user to enable or disable their preferred Two Factor Provider(s) on their account management page. For policies requiring mandatory (and often administration configured) 2FA, unchecking this option will prevent the user from disabling the Two Factor Provider.

Google Authenticator

Generates a new security code every 30 seconds. Uses the Google Authenticator app, available for Apple and Android.

  • Once enabled in the policy, Google Authenticator can be enabled by the user and will display the QR code used to configure the Google Authenticator app.

See also: Setting Up Google Authenticator & User Enrollment

Service Name: This name appears in the Google Authenticator app when setting it up using the QR code provided on the user configuration page.

User Can Generate Code: Checking this option allows the user to reset the secret value if they choose. Unchecking this option will prevent the user from changing the secret themselves.

User Can Disable Provider: If this box is checked the user will be able to enable or disable two factor authentication on their account. If you wish to force users to use two factor authentication, leave this box unchecked.

User Can Self-Enroll in this Provider: If this box is checked and two factor authentication is required, users will be able to set up Google Authenticator on first sign in, if they have not already done so.
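The 30-second codes above, and the QR code built from the Service Name, are both defined by the TOTP standard (RFC 6238) mentioned under Authenticator Apps. The following added example (not the product's code) generates and verifies such codes and builds the otpauth:// URI that Google Authenticator reads from an enrollment QR code. "ExampleCorp" stands in for the policy's Service Name, and the key is the RFC 4226/6238 reference test key, constructed for the demonstration; the verifier also shows the replay check a server needs because a code stays valid for a whole step.

```python
"""TOTP (RFC 6238) code generation and verification, plus the otpauth:// URI
that Google Authenticator and other TOTP apps read from the enrollment QR code.

Added example, not the product's code. "ExampleCorp" stands in for the policy's
Service Name; the key is the RFC 4226/6238 test key, constructed for the demo.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

STEP_SECONDS = 30   # the 30-second rotation described above
DIGITS = 6
TEST_KEY = b"12345678901234567890"  # RFC 6238 reference secret (constructed, not a real key)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(key, int(at) // step)


def verify_totp(key: bytes, submitted: str, at: Optional[float] = None,
                last_counter: int = -1, window: int = 1) -> Tuple[bool, int]:
    """Accept a code from the current step or +/- `window` steps (clock skew),
    but never a step at or before `last_counter`, so a code that was already
    used cannot be replayed within its validity window.

    Returns (accepted, counter_to_store_as_last_used).
    """
    at = time.time() if at is None else at
    current = int(at) // STEP_SECONDS
    for offset in range(-window, window + 1):
        candidate = current + offset
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate).encode(), submitted.encode()):
            return True, candidate
    return False, last_counter


def provisioning_uri(key: bytes, account: str, service_name: str) -> str:
    """The otpauth:// URI encoded into the enrollment QR code; `service_name`
    is the issuer that appears in the app."""
    label = quote(f"{service_name}:{account}")
    secret = base64.b32encode(key).decode().rstrip("=")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(service_name)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    print(provisioning_uri(TEST_KEY, "alice@example.com", "ExampleCorp"))
    now = time.time()
    code = totp(TEST_KEY, now)
    ok, last = verify_totp(TEST_KEY, code, now)
    print("first use accepted:", ok)
    print("replay accepted:   ", verify_totp(TEST_KEY, code, now, last_counter=last)[0])
```

The base32 secret inside the URI is the same secret that "User Can Generate Code" lets a user reset; whoever can read the QR code or the URI can generate valid codes, so the enrollment page should be treated with the same care as the secret itself.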

The standard YubiKey Two Factor Provider connects to a remote server, either the YubiCloud authentication service or another YubiKey Verification Server. By default, all YubiKeys are shipped ready to verify against the YubiCloud service.

User Can Configure Provider: Checking this option allows the user to configure the two factor provider with any valid YubiKey. A YubiKey One-Time Password (OTP) will need to be entered and verified by the configured verification server(s).

  • This option is useful in situations where YubiKey is enabled as an optional two factor authentication provider or when the administrator does not want to configure each user individually after providing YubiKeys.

User Can Disable Provider: If this box is checked the user will be able to enable or disable two factor authentication on their account. If you wish to force users to use two factor authentication, leave this box unchecked.

Client ID & API Key: These are used for communication with the YubiKey Cloud authentication service. You may obtain a Client ID and API key via their website (

Server URLs

  • When hosting your own YubiKey verification servers, you must enter the URL(s) to use for verification. If no URLs are specified the verification will be done against the YubiKey Cloud service.

YubiKey Embedded Server

This specialized YubiKey Two Factor Authentication Provider allows connecting to a local database, without having to connect with an external verification service.

This Two Factor Provider requires significantly more administration and cannot be configured by users directly.

To use this provider you must customize the YubiKey(s) using the YubiKey personalization software ( with custom secret values. These values must then be entered into each user's configuration by an administrator.
