
# Two-Factor Authentication (MFA)

Two-factor authentication (also known as Multi-factor Authentication or MFA) is a strongly recommended option that provides a significant, additional layer of security to user logins. When two-factor authentication is enabled, login requires authorization via the user's email address or a TOTP authenticator program in addition to the username and password.

## Two-factor Authentication Using a TOTP Application

The user runs a TOTP authenticator application, such as Google Authenticator or Microsoft Authenticator, commonly installed on a mobile device. The user configures VergeIO as an account within the authenticator application; this is done by scanning the QR code provided in the VergeOS user interface. From then on, the authenticator application continuously generates new codes, and the user enters the current code at login. Each code generated by the TOTP application is typically only valid for 30 seconds or less.
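How an authenticator app derives the code described above, and how a server can check it, as an added example that is not VergeOS code. It follows RFC 6238 with the common defaults (HMAC-SHA1, 6 digits, 30-second step), which are assumptions because this page does not state the parameters VergeOS uses; the key is the RFC 6238 test secret and `verify` is a hypothetical helper.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code covers (RFC 6238 default; assumed here)
DIGITS = 6   # code length (common authenticator default; assumed here)
RFC_TEST_KEY = b"12345678901234567890"  # RFC 6238 test secret, not a real key


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """The counter is the number of whole steps since the Unix epoch."""
    return hotp(key, int(at) // step, digits)


def verify(key, code, at, drift_steps=1, last_counter=-1,
           step=STEP, digits=DIGITS):
    """Hypothetical server-side check. Returns the matched counter or None.

    drift_steps tolerates clock skew; last_counter is the counter of the last
    accepted code, so a captured code cannot be replayed inside its window.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    now = int(at) // step
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    print(totp(RFC_TEST_KEY, 59))
    print(verify(RFC_TEST_KEY, "287082", 89))
```

A server that stores the returned counter as `last_counter` after each successful login rejects a second use of the same code even while its time window is still open.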

## Two-Factor Authentication Using Email

The first time a user initiates login from a new device, a security code is emailed to the user's email address. This code must then be entered to complete the login process. Optionally, the user can choose to store the security code on the local device for automatic retrieval on subsequent logins from the same device. (This function is intended for personal devices, such as a user's home computer, personal laptop, cellphone, etc.)

{% hint style="info" %}
**TOTP Method Preferred**

* TOTP provides a much higher degree of security as it does not rely on an email account, which can be compromised. TOTP is generated on a separate device, like a cell phone, making it harder for attackers to intercept.
* TOTP-based MFA can work without an internet connection once the setup is complete, whereas email requires internet access to receive verification codes.
* Email-based (rather than TOTP-based) MFA should typically only be considered for low-access, non-critical accounts.
{% endhint %}

## System Settings for Two-Factor Authentication

To access these settings, navigate to **System > Settings > Advanced Settings**.

1. **Two-factor authentication:**
   * ***Default Disabled (off)*** - new users are created with two-factor authentication disabled; it can optionally be enabled per user.
   * ***Default Enabled*** - new users are created with two-factor authentication enabled; it can be disabled per user.
   * ***Required*** - all users are automatically set to use two-factor authentication; the option cannot be disabled for any user.
2. **Two-factor authentication expiration time for temporary codes (seconds):**\
   **default = 300 seconds (5 min)** - This setting determines the length of time a security code is valid. For example, using the default setting of 300 seconds, the code must be entered within 5 minutes (300 seconds) of the time it was issued.
3. **Two-factor authentication expiration time for authenticated user devices (0 for never expire):**\
   **default = 7884000 seconds (roughly 91 days)** - This setting determines how long a security code is stored on a user's local device. For example, on a system where the setting is changed to 864000: a user logs in from a laptop, enters the security code received via email, and selects the option labeled "This is a private computer". The security code is stored and automatically applied for the user on this device for 864000 seconds (10 days), so the user does not need to retrieve the code from email and enter it again for logins during the next 10 days. If the system setting is 0, locally stored security codes never expire.

### Enable Two-Factor Authentication for a User

{% hint style="success" %}
If the system setting *Two-factor authentication* is set to *Required*, all users automatically have two-factor authentication enabled and the option does not appear in the user edit form.
{% endhint %}

1. From the top menu, navigate to **System** > **Users**.
2. Click to select the desired user.
3. Click **Edit** on the left menu.
4. Select the checkbox option **Two Factor Authentication**.
5. The **Email Address** field becomes required when two-factor authentication is enabled. Verify that a valid, accessible email address is entered for the user, as security codes (necessary for login) will be sent to the email address specified.
6. Click **Submit** to save the change.

