Currently, users authenticate to the Web UI using only a username and password. While this provides basic security, many customers have been asking for 2FA, since password-based authentication alone is vulnerable to phishing, credential reuse and brute-force attacks.
Introducing 2FA adds a second layer of protection by requiring a secondary verification step, such as a time-based one-time password (TOTP) from an authenticator app, an SMS message or an email, after the user has entered valid credentials.
TOTP (Recommended):
Support standard authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator.
Users scan a QR code during setup and use rotating 6-digit codes to log in.
Backup/Recovery Options:
Allow users to generate recovery codes in case of device loss.
Optional fallback via email verification.
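As an added illustration of the TOTP and recovery-code behaviour requested above (example code, not part of this request or of the product's code base), the following standard-library Python shows the server side: RFC 6238 code generation, the otpauth:// URI that the setup QR code encodes, a verifier that tolerates one step of clock drift but refuses to accept the same step twice, and hashed one-time recovery codes. The secret is the RFC 4226/6238 test-vector key and the class and function names are invented for this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Constructed demo secret: the RFC 4226/6238 test-vector key, NOT a production value.
# Real per-user secrets come from secrets.token_bytes(20) and are stored encrypted at rest.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time divided by the step."""
    return hotp(secret, now // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps read from the setup QR code (secret in base32)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Checks a submitted code against the current step plus/minus `window` steps
    (clock-drift tolerance) and refuses any step at or before the last accepted one,
    so a code that was observed in transit cannot be replayed inside its window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted_step = -1  # persisted per user in a real deployment

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue  # step already consumed (or older): reject as replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def generate_recovery_codes(count: int = 10) -> list[str]:
    """One-time recovery codes shown to the user exactly once at setup (64 bits each)."""
    codes = []
    for _ in range(count):
        h = secrets.token_hex(8)  # 16 hex characters
        codes.append(f"{h[0:4]}-{h[4:8]}-{h[8:12]}-{h[12:16]}")  # grouped for readability
    return codes


class RecoveryCodeStore:
    """Server-side store that keeps only hashes and burns each code on first use.
    Plain SHA-256 is adequate because the codes are 64-bit random values; short or
    user-chosen codes would need a slow password hash instead."""

    def __init__(self, codes: list[str]):
        self._entries = [(self._digest(c), False) for c in codes]  # (hash, used)

    @staticmethod
    def _digest(code: str) -> bytes:
        # Normalise so "ABCD-..." and "abcd..." hash identically.
        return hashlib.sha256(code.replace("-", "").lower().encode()).digest()

    def redeem(self, code: str) -> bool:
        wanted = self._digest(code)
        for i, (stored, used) in enumerate(self._entries):
            if hmac.compare_digest(stored, wanted):
                if used:
                    return False  # second use of the same code is rejected
                self._entries[i] = (stored, True)
                return True
        return False

    def remaining(self) -> int:
        return sum(1 for _, used in self._entries if not used)


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "Web UI"))
    print("code at t=59:", totp(DEMO_SECRET, 59))
    codes = generate_recovery_codes()
    store = RecoveryCodeStore(codes)
    print("redeem once:", store.redeem(codes[0]), "again:", store.redeem(codes[0]))
```

The verifier keeps `last_accepted_step` per user; that counter, the drift window and a login rate limit are what turn a 6-digit code from a guessable number into a usable second factor. The recovery codes are shown once, stored only as hashes and decremented on use, so the UI can warn the user when few remain.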
Administrative Controls:
Admins can enforce 2FA organization-wide or make it optional per user.
Audit logs should capture 2FA enable/disable events.
User Experience Considerations:
Ability to “remember this device” for a configurable number of days.
Clear setup instructions and recovery process.
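The administrative and user-experience items above (enforce or optional policy, audit events for enable/disable, a "remember this device" period measured in days) can be sketched in one piece of server logic. This is an added example, not code from the request or the product: a signed, expiring device token, the decision of what a correct password leads to next, and an audit log restricted to the 2FA events the request names. The signing key is generated on the spot for the demonstration and every name is invented.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed signing key for the example; a real deployment loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_device_token(user_id: str, remember_days: int, now: int,
                       key: bytes = SERVER_KEY) -> str:
    """'Remember this device' cookie value: base64 body + HMAC-SHA256 signature.
    The expiry is fixed at issue time, so the admin-configured number of days is
    enforced server-side rather than trusted from the client."""
    payload = {"uid": user_id, "dev": secrets.token_hex(8),
               "exp": now + remember_days * 86400}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def device_is_trusted(token: str, user_id: str, now: int, key: bytes = SERVER_KEY) -> bool:
    """True only if the signature verifies, the token belongs to user_id and it is unexpired.
    The signature is checked before the body is parsed, so tampered input is never decoded."""
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        payload = json.loads(_unb64(body))
        return payload.get("uid") == user_id and now < int(payload.get("exp", 0))
    except (ValueError, TypeError):  # malformed token, bad base64 or JSON
        return False


def second_factor_step(user_enrolled: bool, org_enforced: bool, token: Optional[str],
                       user_id: str, now: int) -> str:
    """What the login flow does after a correct password:
    'enroll' (policy requires 2FA but the user has none), 'totp' (prompt for a code)
    or 'none' (not required, or this device is still remembered)."""
    if not user_enrolled:
        return "enroll" if org_enforced else "none"
    if token and device_is_trusted(token, user_id, now):
        return "none"
    return "totp"


TWO_FA_EVENTS = {"2fa_enabled", "2fa_disabled"}


@dataclass
class AuditLog:
    """Append-only record of who changed a user's 2FA state and when."""
    entries: list = field(default_factory=list)

    def record(self, user_id: str, event: str, actor: str, now: int) -> dict:
        if event not in TWO_FA_EVENTS:
            raise ValueError(f"unknown 2FA audit event: {event}")
        entry = {"ts": now, "user": user_id, "event": event, "actor": actor}
        self.entries.append(entry)
        return entry

    def for_user(self, user_id: str) -> list:
        return [e for e in self.entries if e["user"] == user_id]


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    tok = issue_device_token("alice", remember_days=30, now=now)
    print("next step today:", second_factor_step(True, True, tok, "alice", now))
    print("next step after 31 days:", second_factor_step(True, True, tok, "alice", now + 31 * 86400))
    log = AuditLog()
    log.record("alice", "2fa_enabled", "alice", now)
    log.record("alice", "2fa_disabled", "admin", now + 60)
    print(log.for_user("alice"))
```

Recording the `actor` separately from the `user` is what makes the audit trail useful: an admin disabling 2FA on someone else's account is a different event from the user doing it, and that distinction is what a later investigation will want.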