Setting up 2FA/MFA

Last updated 4 months ago

Go to My Profile and click Edit:

Then scroll down to the section Two-factor methods and choose which one you want to activate.

Whichever method you choose to configure next, be prepared to back up your recovery codes, as they are generated during the initial (first) setup.

One time password

This method is based on time-based codes (TOTP), generated by an app.

Before you start this step, choose an app for generating your TOTP codes. The most popular are:

  • Google Authenticator for Android/iPhone/iPad
  • Bitwarden - a password manager that can help you store/generate a secure password for your Defguard login and also set up TOTP

In this example, we will set up using Google Authenticator.

Click on the gear icon for One time password and Enable:

A setup screen will show up with a QR code:

Now open the Authenticator mobile app, click Add a code -> Scan a QR code, and scan the QR code with the app.

After doing that, a new screen will show in the Authenticator app, which will generate codes for Defguard:

Enter the code you see in the mobile app to confirm that the process has been completed correctly (Defguard will now validate the code).

After the code has been validated, either:

  • you are all set, the method is enabled and you will be logged out to log in again using MFA
  • or you will need to back up your recovery codes, and after that you will be logged out as well.

Backing up recovery codes

If you are configuring 2FA/MFA for the first time with any selected method, at the end of the process you will be asked to back up your recovery codes:

Please back up those codes in a safe place. If you are not able to log in with your 2FA method (e.g. you lost your phone or YubiKey hardware key), the only way to log in will be to use one of the recovery codes.