Skip to content

2FA & force 2FA

Optional per-user 2FA

Account (/auth/account) — profile, password, avatar, enable TOTP, save backup codes, optional trusted device (30 days, revocable), and push preferences.

Force 2FA for all

Where: SettingsSecurity policy.

Setting Effect
Force 2FA for all Users without TOTP go to /auth/force-2fa before the fleet UI. Password change-on-first-login still runs first if required.

Stored in PostgreSQL (appsetting) — travels with DB dumps and self-backup.

Template step-up

Viewing cleartext template secrets requires a separate TOTP unlock (step-up), even if you already completed login 2FA. See Template secrets.

Optional: Require 2FA for template deploy & secrets in Security policy.