Multi-Factor Authentication
You have two options for activating MFA with Firezone:
- Enable a TOTP-based second factor for the local email/password authentication method.
- Configure Firezone to use SSO via one of our supported identity providers and enable MFA through the identity provider.
MFA with Firezone
Firezone currently supports using a time-based one-time password (TOTP) as an additional factor. This is supported with the local authentication method only; for SSO authentication we recommend enabling your provider's MFA functionality as described below.
Admins can visit /settings/account/register_mfa in the admin portal to generate a QR code to be scanned by your authenticator app.
Unprivileged users can visit /user_account/register_mfa after logging into the user portal.
MFA with your identity provider
Most identity providers support authentication factors in addition to email/password. Consult your provider's documentation to enforce an additional factor. We have included links to a few common providers below: