Configuring 2FA for self-service users
By default, self-service users can enable 2FA individually. As a system administrator, however, you can enforce 2FA for all users within a specific domain or across all domains. When 2FA is enforced, users will be prompted to set up two-factor authentication on their next login to the self-service panel.
If a self-service user loses access to their second-factor device, you can reset their 2FA settings.
To make 2FA mandatory for a particular domain
Admin panel
- Open the Settings > Projects and users screen and click the required domain.
- Navigate to the Settings tab and click Two-factor authentication.
- Turn on the toggle Enforce two-factor authentication for all users.
- Click Save.
This will enforce 2FA for domain administrators and project members within the configured domain. On the next login, they will be prompted to configure 2FA for their account.
Command-line interface
Use the following command:
vinfra domain set --totp-mandatory <domain>
<domain> - Domain name
For example, to enforce 2FA for the domain mydomain, run:
# vinfra domain set --totp-mandatory mydomain
To make 2FA mandatory for all domains
Admin panel
- Open the Settings > System settings > Two-factor authentication screen.
- Turn on the toggle Enforce two-factor authentication for all domains.
- Click Save.
This will enforce 2FA for all self-service users across all domains. On the next login, they will be prompted to configure 2FA for their account.
Command-line interface
Run the following command:
# vinfra cluster settings totp set --mandatory
You can check the 2FA status in the vinfra cluster settings totp show output:
# vinfra cluster settings totp show
+-----------+-------+
| Field     | Value |
+-----------+-------+
| mandatory | True  |
+-----------+-------+
To make 2FA optional for a particular domain
Admin panel
- Open the Settings > Projects and users screen and click the required domain.
- Navigate to the Settings tab and click Two-factor authentication.
- Turn off the toggle Enforce two-factor authentication for all users.
- Click Save.
This will disable 2FA enforcement for domain administrators and project members within the configured domain.
Command-line interface
Use the following command:
vinfra domain set --totp-optional <domain>
<domain> - Domain name
For example, to remove 2FA enforcement for the domain mydomain, run:
# vinfra domain set --totp-optional mydomain
To make 2FA optional for all domains
Admin panel
- Open the Settings > System settings > Two-factor authentication screen.
- Turn off the toggle Enforce two-factor authentication for all domains.
- Click Save.
This will disable 2FA enforcement for all self-service users across all domains.
Command-line interface
Run the following command:
# vinfra cluster settings totp set --optional
You can check the 2FA status in the vinfra cluster settings totp show output:
# vinfra cluster settings totp show
+-----------+-------+
| Field     | Value |
+-----------+-------+
| mandatory | False |
+-----------+-------+
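The status check shown in the two cluster-wide procedures above can be scripted so that a change from mandatory back to optional is noticed. The following shell functions are an added example, not part of the product documentation; they assume only the table layout shown above, and the function names and sample tables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): fail-closed check of cluster-wide 2FA
# enforcement, based on the table printed by `vinfra cluster settings totp show`.

# Print the Value cell of the row whose Field cell equals $1 (table on stdin).
# Exits non-zero when no such row exists.
table_value() {
    awk -F'|' -v field="$1" '
        NF >= 3 {
            name = $2; value = $3
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", value)
            if (name == field) { print value; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# Read the table on stdin. Return 0 if 2FA is mandatory, 1 if it is optional,
# 2 if the state cannot be determined (empty or unexpected output never passes).
totp_enforced() {
    value=$(table_value mandatory) || return 2
    case "$value" in
        True)  return 0 ;;
        False) return 1 ;;
        *)     return 2 ;;
    esac
}

# Map the check result for table text $1 to a word, for logs or alerts.
totp_state() {
    rc=0
    printf '%s\n' "$1" | totp_enforced || rc=$?
    case "$rc" in
        0) echo enforced ;;
        1) echo optional ;;
        *) echo unknown ;;
    esac
}

# Constructed sample tables in the layout shown above.
SAMPLE_ENFORCED='+-----------+-------+
| Field     | Value |
+-----------+-------+
| mandatory | True  |
+-----------+-------+'
SAMPLE_OPTIONAL=$(printf '%s\n' "$SAMPLE_ENFORCED" | sed 's/True /False/')

echo "enforced sample: $(totp_state "$SAMPLE_ENFORCED")"
echo "optional sample: $(totp_state "$SAMPLE_OPTIONAL")"
echo "empty output:    $(totp_state "")"
# On a cluster node: vinfra cluster settings totp show | totp_enforced
```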
To reset 2FA for a user
Admin panel
- Open the Settings > Projects and users screen and click the required domain.
- On the Domain users screen, click the name of the required user.
- On the user right pane, click Reset in the Two-factor authentication line.
- In the confirmation window, click Reset.
The user will be logged out automatically and asked to set up 2FA for their account again.
Command-line interface
Use the following command:
vinfra domain user totp disable --user <user> --domain <domain>
--user <user> - User ID or name
--domain <domain> - Domain ID or name
For example, to reset 2FA for the user myuser in the domain mydomain, run:
# vinfra domain user totp disable --user myuser --domain mydomain