
2FA (Two-Factor Authentication)


Last Modified 2022-04-07 16:08 EDT

Two-factor authentication (2FA) is great for increasing security.

TrueNAS offers 2FA to ensure that entities cannot use a compromised administrator root password to access the administrator interface.

To use 2FA, you need a mobile device that has the correct current time and date and has Google Authenticator installed.

Two-factor authentication is time-based and requires that the system time is set correctly. Making sure NTP is functional before enabling 2FA is strongly recommended!

2FA adds an extra layer of security to your system to prevent someone from logging in, even if they have your password. 2FA requires you to verify your identity using a randomized 6-digit code that regenerates every 30 seconds (unless modified) to use when you log in.

Benefits

Unauthorized users can’t log in since they won’t have the randomized 6-digit code.

Authorized employees can securely access systems from any device or location without jeopardizing sensitive information.

Internet access on the TrueNAS system is not required to use 2FA.

Drawbacks

Requires an app to generate the 2FA code.

If the 2FA code isn’t working or users can’t get it, the system is inaccessible through the UI and SSH (if enabled).

If the device with the 2FA app isn’t available, you can use the system CLI to bypass 2FA with administrative IPMI or by physically accessing the system.

To disable 2FA from the CLI, enter: midclt call auth.twofactor.update '{ "enabled":false }'

2FA Options


Two-factor authentication is time-based and requires that you correctly set the system time.

User Settings

One Time Password (OTP) Digits: The number of digits in the One-Time Password. The default is 6, which is Google's standard OTP length. Check your app/device settings before selecting this.

Interval: The lifespan (in seconds) of each OTP. The default is 30 seconds. The minimum is 5 seconds.

Window: Extends password validity beyond the Interval setting. For example, 1 means that one password before and one after the current one are valid, leaving three valid passwords. Extending the window is useful in high-latency situations.

Enable Two-Factor Auth for SSH: Enable 2FA for system SSH access. We recommend leaving this DISABLED until after you successfully test 2FA with the UI.

System Generated Settings

Secret (Read-only): The secret TrueNAS creates and uses to generate OTPs when you first enable 2FA.

Provisioning URI (includes Secret - Read-only): The URI used to provision an OTP. TrueNAS encodes the URI (which contains the secret) in a QR code. To set up an OTP app like Google Authenticator, use the app to scan the QR code or enter the secret manually into the app. TrueNAS produces the URI when you first activate 2FA.
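The following Python example, added here and not part of TrueNAS or this page, shows how the settings in the two tables above fit together: the OTP digits, the interval, the window (one step before and after, so window=1 leaves three valid codes) and the otpauth provisioning URI that the QR code encodes. The secret used is the RFC 6238 test-vector key, not a system-generated one; the account and issuer names are made up for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 4226/6238 test-vector key ("12345678901234567890" in base32); constructed for the example.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, interval: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / interval)."""
    return hotp(secret_b32, at // interval, digits)


def verify_totp(secret_b32: str, code: str, at: int, digits: int = 6,
                interval: int = 30, window: int = 0) -> bool:
    """Accept a code if it matches any time step within +/- window of the current one.
    window=0 accepts only the current code; window=1 accepts the previous, current and next."""
    current = at // interval
    for step in range(current - window, current + window + 1):
        expected = hotp(secret_b32, step, digits).encode()
        if hmac.compare_digest(expected, code.encode()):  # constant-time comparison
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str,
                     digits: int = 6, interval: int = 30) -> str:
    """The otpauth:// URI an authenticator app imports; note that it carries the secret."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&digits={digits}&period={interval}")
```

Because the provisioning URI embeds the secret, treat a screenshot of the QR code the same way you would treat the secret itself.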

Enabling Two-Factor Authentication

This short video demonstrates adding 2FA.

(Video URL: https://www.truenas.com/docs/files/scaleangelfish2fa.mp4)

Set up a second 2FA device as a backup before proceeding.

1 Go to Credentials > 2FA.

2 Click Enable Two Factor Authentication, then click Confirm.


3 Click Show QR.


4 Start Google Authenticator on the mobile device and scan the QR code.

Using 2FA to Log in to TrueNAS

Enabling 2FA changes the login process for both the TrueNAS web interface and SSH logins:

The login screen adds another field for the randomized authenticator code. If this field isn’t immediately visible, try refreshing the browser.

Enter the code from the mobile device (without the space) in the login window with the root Username and Password.


1 Confirm that you set Enable Two-Factor Auth for SSH in Credentials > 2FA.

2 Go to System Settings > Services and edit the SSH service. Set Log in as Root with Password, then click Save. Toggle the SSH service and wait for the status to show that it is running.

3 Open the Google Authenticator app on your mobile device.

4 Open a terminal and SSH into the system using its hostname or IP address, the root account username and password, and the 2FA code.
