Twingate offers native Two-Factor Authentication in our application. We recommend you use our 2FA instead of the one provided by your identity provider for improved configurability and more granular management capabilities. We don’t recommend that you set up both 2FA in your Idp and Twingate, as your users will have to complete 2FA twice when they authenticate.
2FA is configured at the Security Policy level. Setting 2FA on the Network Sign In Policy will require 2FA be completed every time the user logs in, and setting it in the Admin Console Security settings (available in the main Settings section) will require admins to complete 2FA when logging into the Admin Console. You can also enable 2FA only on Security Policies assigned to specific Resources, which will only require 2FA when users are accessing those Resources. For more details on configuring 2FA Security Policies, see our documentation.
The Security Policy’s session lifetime determines how often users need to complete 2FA. For example, if the Resource Policy has 2FA enabled and the session lifetime is 24 hours, every day the user will need to complete 2FA when they access a Resource, even if they remain logged in during that time.
Twingate supports multiple options for Two-Factor Authentication, including:
- Time-based One-Time Password (TOTP): generate a time-based, one-time code using a third-party authenticator app
- Biometrics (WebAuthn): use device-based biometrics (e.g. TouchID, Windows Hello) to authenticate
- Security Keys (WebAuthn): use a third-party security key (e.g. Yubikey) to authenticate. (Note: only FIDO2/CTAP2 security keys are supported.)
Even if users have biometrics or a security key configured, they will be prompted to configure TOTP as well. This is to ensure that users have a backup 2FA method configured that can be used to authenticate into new devices.
If an individual user has lost access to a configured authentication option (e.g. lost device or lost authenticator access), you can reset their 2FA code by navigating to the user and selecting to reset or delete the corresponding authentication option. This will take the user through the initial setup flow the next time they are prompted for 2FA.
Because WebAuthn support differs by platform and browser, there are certain environments that may not support WebAuthn at this time. For a general review of environments that support WebAuthn, see here.
Last updated 2 months ago