# Setting up 2FA/MFA

On account profile you will find all available 2FA options in **Details** tab, under **Two-factor methods**.

<figure><img src="/files/pC4rP2eslpdfIerjitrT" alt=""><figcaption></figcaption></figure>

Choose which one you want to activate.

{% hint style="info" %}
Whatever the method you will choose to configure next, please be prepared to do backup of your **Recovery backup codes** - as those are generated during the initial/first setup.
{% endhint %}

### Passkeys

Click on action button in Passkeys row.

<figure><img src="/files/XbgzA46Chh1KbfaVMjcQ" alt=""><figcaption></figcaption></figure>

Enter the name for the Passkey you will register for easy identification.

{% hint style="info" %}
You can have multiple Passkeys for one account.
{% endhint %}

<figure><img src="/files/MAfHmON3BroIDKF5gGBq" alt=""><figcaption></figcaption></figure>

When you click **Submit** to create a passkey, your device’s operating system takes over to ensure your security data never leaves your hardware. Because of this, the setup process looks a bit different depending on the device you are using.

{% hint style="warning" %}
Stay in the Window: Do not close the system pop-up until it confirms the passkey is saved. Once finished, you will be automatically returned to the app.
{% endhint %}

#### Follow Your System Prompts

Once you click the button to create a passkey, a window from your device (e.g., Windows, macOS, Android, or iOS) will appear. Simply follow the instructions on that screen.

Depending on your device, you will usually be asked to:

* Scan your fingerprint (Touch ID or Android Fingerprint)
* Use facial recognition (Face ID or Windows Hello)
* Enter your device PIN or password
* Insert and tap a physical security key (like a YubiKey)

{% hint style="info" %}
If you use a password manager (like 1Password or Bitwarden), your browser may ask if you want to save the passkey there instead of on your device. Either option is secure.
{% endhint %}

If this was the first 2FA method for the account then the system will ask you to save recovery codes [#backing-up-recovery-codes](#backing-up-recovery-codes "mention").

### Email

Click on action button in **Email** row.

<figure><img src="/files/IRRvEQeFXNpXphdviWRN" alt="" width="462"><figcaption></figcaption></figure>

After opening the dialog, check the email linked with the account to get the code. Enter it and click **Submit**.

<figure><img src="/files/2aQ83t6GfbhY76ojqB6G" alt=""><figcaption></figcaption></figure>

That's it. If this was the first 2FA method for the account then the system will ask you to save recovery codes [#backing-up-recovery-codes](#backing-up-recovery-codes "mention").

### One time password

This method is based on time-based codes (TOTP), generated by an app.

Before you start to configure this step, you need to choose an app for generating your TOTP codes. Most popular are:

* [Google Authenticator for Android/iPhone/iPad](https://support.google.com/accounts/answer/1066447)
* [Bitwarden](https://bitwarden.com/help/authenticator-keys/) - which is a password manager which can help you to store/generate a secure password for your Defguard login but also setup TOTP

In this example, we will set up using Google Authenticator.

Click on action button on **Time-based One-Time Password** row.

<figure><img src="/files/cN8nZwBKk08pjGlK0OkD" alt=""><figcaption></figcaption></figure>

A set up screen will show up with a QR Code:

<figure><img src="/files/lTbs6PeFBniTO0H90dVI" alt="" width="369"><figcaption></figcaption></figure>

Now open *Authenticator* mobile app, and click: \_**Add a code → Scan a QR code and scan the QR Code with the app**.

After doing that, a new screen will show on the *Authenticator* app, that will generate codes for Defguard:

<figure><img src="/files/HNrt5AYucUrfhclrbtHX" alt="" width="188"><figcaption></figcaption></figure>

**Enter the code you see on the mobile app**, to confirm, that the process has been done correctly (Defguard will now validate the code).

After the code has been validated, either:

* you are all set, the method is enabled, and you will be logged out to log in again using MFA
* or you [will need to create a backup of your recovery codes](#backing-up-recovery-codes) - and after that you will be logged out as well.

### Backing up recovery codes

If you are configuring the 2FA/MFA for the first time with any selected method, at the end of the process you will be asked to create a backup of your recovery codes:

<figure><img src="/files/ED1tF5rK5uQCLkkT6ilK" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Please backup those codes in a safe place, if you will not be able to login with your 2FA method (eg. you lost your phone or YubiKey hardware key) - the only method to login will be to use one of the **recovery codes.**
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.defguard.net/using-defguard-for-end-users/setting-up-2fa-mfa.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.