Native MFA
Twingate's native multi-factor authentication can be required at sign-in, on specific Resources, or for the Admin Console.
Twingate offers native multi-factor authentication (MFA) that can be configured independently of your identity provider. You can require MFA at sign-in, when accessing specific Resources, or both.
Avoid requiring MFA in both Twingate and your IdP
If your IdP already enforces MFA, enabling Twingate’s native MFA as well will require users to complete MFA twice during authentication. Configure MFA in one place (either Twingate or your IdP), not both.
Where to Configure MFA
MFA is configured at the policy level. You can enable it in three places, each affecting a different scope:
- Sign In Policy: Requires MFA every time a user signs in to the Twingate Client. The frequency is tied to the Sign In Policy’s authentication frequency.
- Resource Policies: Requires MFA when a user accesses a Resource protected by that policy. The frequency is tied to the Resource Policy’s authentication frequency. This is useful for requiring MFA only when accessing sensitive Resources.
- Admin Console Security (under Settings): Requires MFA when admins sign in to the Admin Console.
For example, if a Resource Policy has MFA enabled with a 24-hour authentication frequency, users will complete MFA once per day when they first access a Resource protected by that policy.
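To make the per-policy frequency concrete, here is an added Python model of when each policy prompts for MFA. It is not Twingate's code: the policy data model, the policy names and the 8-hour/24-hour scenario are assumptions made for illustration, and they reflect only what this page states (each policy has its own MFA flag and authentication frequency, and a Sign In Policy and a Resource Policy prompt independently).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Policy:
    name: str
    mfa_required: bool
    auth_frequency: timedelta  # how long one completed MFA satisfies this policy

@dataclass
class UserMfaState:
    # policy name -> when the user last completed MFA under that policy
    last_mfa: Dict[str, datetime] = field(default_factory=dict)

def mfa_prompt_required(policy: Policy, state: UserMfaState, now: datetime) -> bool:
    """True if this policy demands a fresh MFA challenge at time `now`."""
    if not policy.mfa_required:
        return False
    last = state.last_mfa.get(policy.name)
    return last is None or now - last >= policy.auth_frequency

def evaluate_access(policies: List[Policy], state: UserMfaState, now: datetime) -> List[str]:
    """Apply every policy governing one event (e.g. a sign-in plus a Resource Policy).

    Returns the names of the policies that prompted for MFA; a completed prompt is
    recorded so later events inside that policy's frequency window stay silent."""
    prompted = []
    for policy in policies:
        if mfa_prompt_required(policy, state, now):
            prompted.append(policy.name)
            state.last_mfa[policy.name] = now  # user completed the challenge
    return prompted

def simulate_day() -> List[Tuple[str, List[str]]]:
    """Constructed scenario: sign-in MFA every 8h, a finance Resource with MFA every 24h."""
    sign_in = Policy("Sign In Policy", mfa_required=True, auth_frequency=timedelta(hours=8))
    finance = Policy("Finance Resource Policy", mfa_required=True, auth_frequency=timedelta(hours=24))
    wiki = Policy("Wiki Resource Policy", mfa_required=False, auth_frequency=timedelta(hours=24))
    state = UserMfaState()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    events = [
        ("09:00 sign in, open finance", t0, [sign_in, finance]),
        ("10:00 open wiki", t0 + timedelta(hours=1), [wiki]),
        ("18:00 sign in again, open finance", t0 + timedelta(hours=9), [sign_in, finance]),
        ("next day 09:30 sign in, open finance", t0 + timedelta(hours=24, minutes=30), [sign_in, finance]),
    ]
    return [(label, evaluate_access(pols, state, when)) for label, when, pols in events]
```

Running `simulate_day()` shows the finance Resource prompting only once on the first day while the Sign In Policy prompts again at 18:00, which is the independent-timer behaviour the paragraph above describes.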
Supported MFA Methods
Twingate supports three methods for multi-factor authentication:
- Time-based One-Time Password (TOTP): Generate a time-based code using a third-party authenticator app such as Google Authenticator, Authy, or 1Password.
- Biometrics (WebAuthn): Use device-based biometrics such as Touch ID or Windows Hello.
- Security Keys (WebAuthn): Use a physical security key such as a YubiKey. Only FIDO2/CTAP2 keys are supported.
Even if a user configures biometrics or a security key, they will also be prompted to configure TOTP as a backup method. This ensures the user can authenticate on new devices where their biometric or security key may not be available.
Managing User MFA
If a user loses access to a configured MFA method (for example, a lost device or lost authenticator app), you can reset their MFA from the user’s detail page in the Admin Console. Select the authentication method to reset or delete. The user will be guided through the setup flow the next time they are prompted for MFA.
Troubleshooting Biometrics and Security Keys
WebAuthn support varies by platform and browser. Some environments may not support biometrics or security keys. For a general overview of WebAuthn browser compatibility, see webauthn.me/browser-support.