Two-Factor Authentication


This rule can be applied to Resource Policies, Minimum Authentication Requirements, and Admin Console Security.


This rule controls whether the user will be prompted for two-factor authentication when attempting to access a Resource, sign in to the Network, or sign in to the Admin Console. More details on two-factor authentication can be found in our documentation.

We recommend that you either set a 2FA rule on Minimum Authentication Requirements or Resource Policies, but not both, otherwise users will be asked to 2FA twice.


When Two-Factor Authentication is required and not set up yet, you will see a notification after authenticating with your credentials.

Twingate’s 2FA uses industry standard TOTP format to generate 2FA codes. You can use any TOTP-based authenticator application on Android or iOS, such as Google Authenticator (Android, iOS). Your identity provider may also include this functionality in their own mobile app.

First, add a new application in your authenticator app, then scan the QR code using your phone’s camera. If you are setting 2FA up from your phone, entering the alphanumerical ID instead may be easier. After you’ve set it up on your phone, confirm that everything is working correctly by entering the code that’s generated in the app.

Going forward, you will need to enter the 2FA code from the app you set it up on every time you access a Resource or network protected by 2FA.

After setting up TOTP for 2FA, you will be prompted to set up either a biometric method or register a security key, both of which are additional options for meeting the Twingate 2FA requirement.

When selecting to enroll either a biometric method (e.g. Touch ID, Windows Hello) or a security key (e.g. YubiKey), you will be routed through the browser to complete registration. After registration is complete, you will be able to use these additional methods to meet the Twingate 2FA requirement.

Last updated 5 months ago