Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) adds an extra verification step to the login process, requiring both primary credentials and a time-based one-time password (TOTP) generated by an authenticator app.

This additional factor helps protect access even if a User's or Account's username and password are compromised. TOTP codes rotate every 30 seconds, limiting the usefulness of intercepted codes.

When 2FA is enabled, the User or Account is prompted to enroll at the next login. After enrollment, access to the UDMG Admin UI and the Web Transfer Client (WTC) requires the primary credentials (Standard or LDAP) plus a valid TOTP code.

info

2FA is supported only for Users and Accounts with Standard or LDAP authentication as their Login Method.

2FA Configuration

Two-Factor Authentication (2FA) for Users is configured at the User level (and therefore applies across the Domain).

To require 2FA for a User, follow these steps:

  1. From the Sidebar, click General > Users.
  2. Click the Username of the User you want to enable 2FA for. The User's Login Method must be Standard or LDAP.
  3. Click Edit.
  4. Enable the Require Two-Factor Authentication (TOTP) toggle.
  5. Click Update.

info

Only System Administrators or Domain Administrators can enable or disable 2FA.

2FA Enrollment

When 2FA is enabled, Users and Accounts must enroll in an external authenticator app at their next login and provide a TOTP code for every subsequent login.

The enrollment process uses an intuitive guided modal with three streamlined steps: Configure, Verify, and Activate. This one-time setup ensures secure access while maintaining a user-friendly experience.

Step 1. Configure

  1. From the modal, scan the QR code with your preferred authenticator app.
  2. If you're having trouble scanning the QR code, click the Can't Scan It? link.
  3. Manually enter the Secret Key, Issuer, and Account (Username) into your authenticator app.
  4. The authenticator app will display a new account entry for UDMG Admin UI.

Step 2. Verify

  1. Enter the 6-digit code from your authenticator app. You typically have 30 seconds to enter the code before a new one is generated.
  2. Click Next.

Step 3. Activate

  1. You should see a "Setup Complete!" message. If not, click Back and enter a new code.
  2. Click Continue.
  3. You'll be automatically redirected to the UDMG Admin UI or WTC landing page.

2FA Disabling

Disabling 2FA removes the TOTP requirement for future logins for that User or Account. It does not clear the existing 2FA enrollment (TOTP secret) stored in UDMG.

This means that if you later re-enable 2FA for the same User or Account, they do not need to enroll again and they can continue using the existing entry in their authenticator app.

info

To force re-enrollment (for example, if the User lost access to their authenticator app), use 2FA Reset instead of disabling 2FA.

To disable 2FA for a User, follow these steps:

  1. From the Sidebar, click General > Users.
  2. Click the Username of the User you want to disable 2FA for.
  3. Click Edit.
  4. Disable the Require Two-Factor Authentication (TOTP) toggle.
  5. Click Save.

2FA Reset

If a User or Account loses access to their authenticator app (for example, due to a lost or replaced device), an Admin must reset their 2FA enrollment. Resetting the 2FA clears the stored TOTP secret and enrollment status, allowing the User or Account to re-enroll at their next login.

To reset 2FA for a User, follow these steps:

  1. From the Sidebar, click General > Users.
  2. Click the Username of the User you want to reset 2FA for.
  3. Click Reset TOTP.
  4. The User will be prompted to re-enroll in 2FA the next time they log in to the UDMG Admin UI.

info

Only System Administrators or Domain Administrators can reset 2FA.