
2FA (Two-Factor Authentication)


Last Modified 2021-07-30 09:07 EDT

For increased security, two-factor authentication is highly desirable. TrueNAS offers Two-Factor Authentication (2FA) to ensure that a compromised administrator (root) password cannot be used by itself to gain access to the administrator interface. Using 2FA requires a mobile device that has Google Authenticator installed.

Two-Factor Authentication (2FA) is an extra layer of security that is added to your system to prevent someone from logging in, even if they have your password. This extra security measure requires you to verify your identity when you log in, using a randomized 6-digit code that is regenerated every 30 seconds (unless the interval is modified).


  • 2FA provides an extra layer of security: By requiring a second form of identification, 2FA decreases the probability that an unauthorized user can gain access to the system. An unauthorized user won’t have the second element required to authenticate their login.

  • Increase productivity and flexibility: As the workforce becomes more mobile, employees can securely access systems from virtually any device or location without putting sensitive information at risk.


  • An app is required to access the generated 2FA Code.

  • If the 2FA code isn’t working, or there is no access to the 2FA Password, the system is inaccessible through the UI and SSH (if that option has been set).

    When the mobile device with the authentication app isn’t available, access the system CLI to bypass 2FA. This requires administrative IPMI or physical access to the system.

To unlock 2FA in the CLI, enter: midclt call auth.twofactor.update '{ "enabled":false }'

2FA Options


Two-factor authentication is time-based and requires that the system time is set correctly.

User Settings

  • One Time Password (OTP) Digits: The number of digits in the One-Time Password. The default is 6, which is Google’s standard OTP length. Check your app/device settings before selecting this.
  • Interval: The lifespan (in seconds) of each OTP. Default is 30 seconds. The minimum is 5 seconds.
  • Window: Extends password validity beyond the Interval setting. For example, 1 means that one password before and after the current one is valid, leaving three valid passwords. Extending the window is useful in high-latency situations.
  • Enable Two-Factor Auth for SSH: Enable 2FA for system SSH access. We recommend leaving this DISABLED until after you successfully test 2FA with the UI.

System Generated Settings

  • Secret (Read-only): The secret TrueNAS creates and uses to generate OTPs when you first enable 2FA.
  • Provisioning URI (includes Secret - Read-only): The URI used to provision an OTP. TrueNAS encodes the URI (which contains the secret) in a QR Code. To set up an OTP app like Google Authenticator, use the app to scan the QR code or enter the secret manually into the app. TrueNAS produces the URI when you first activate 2FA.
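
How the Digits, Interval, Window, Secret and Provisioning URI settings fit together, as an added example that is not TrueNAS code: it assumes the standard time-based OTP scheme (RFC 6238 with HMAC-SHA1) that Google Authenticator implements. The function names, the sample secret and the `TrueNAS`/`root` labels in the URI are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed sample secret (the RFC 6238 test key, Base32-encoded); never reuse it.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    mac = hmac.new(base64.b32decode(padded), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def valid_codes(secret_b32, now, digits=6, interval=30, window=0):
    """Every OTP accepted at Unix time `now`: current step plus `window` steps each side."""
    step = int(now) // interval
    return [hotp(secret_b32, step + d, digits)
            for d in range(-window, window + 1) if step + d >= 0]


def verify(secret_b32, submitted, now, digits=6, interval=30, window=0):
    """Compare against each accepted code in constant time; no early exit."""
    ok = False
    for code in valid_codes(secret_b32, now, digits, interval, window):
        ok |= hmac.compare_digest(code.encode(), submitted.encode())
    return ok


def provisioning_uri(secret_b32, account, issuer, digits=6, interval=30):
    """otpauth:// key URI as scanned by authenticator apps. It embeds the secret,
    so a screenshot or log of the QR code is as sensitive as the secret itself."""
    query = urlencode({"secret": secret_b32, "issuer": issuer,
                       "digits": digits, "period": interval})
    return f"otpauth://totp/{quote(issuer + ':' + account, safe=':')}?{query}"


if __name__ == "__main__":
    # Window=1 at t=59 s: previous, current and next code are all accepted.
    print(valid_codes(SAMPLE_SECRET, 59, window=1))
    # A code from the previous 30 s step fails with window=0, passes with window=1.
    print(verify(SAMPLE_SECRET, "287082", 89), verify(SAMPLE_SECRET, "287082", 89, window=1))
    print(provisioning_uri(SAMPLE_SECRET, "root", "TrueNAS"))
```

Each increment of Window adds two more accepted codes per login attempt, so raise it only as far as clock drift or latency actually requires.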

Enabling Two-Factor Authentication

Set up a second 2FA device as a backup before proceeding.
  • Go to System > 2FA.

  • Click Enable Two Factor Authentication and Save.


  • Click Confirm.

  • Click Show QR.


  • On the mobile device, start Google Authenticator and scan the QR code.

Using 2FA to Log in to TrueNAS

Enabling 2FA changes the login process for both the TrueNAS web interface and SSH logins:

  • The login screen adds another field for the randomized authenticator code. If this field isn’t immediately visible, try refreshing the browser.
  • Enter the code from the mobile device (without the space) in the login window, along with the root Username and Password.


  • Confirm that Enable Two-Factor Auth for SSH is set in System > 2FA.

  • Go to Services > SSH and edit the service. Set Log in with root password and SAVE. Toggle the SSH service and wait for the status to show that it is Running.

  • Open the Google Authenticator app on your mobile device.

  • Open a Terminal window and SSH into the system using the system hostname or IP address, root account username and password, and the 2FA code from the mobile device.