TrueNAS SCALETrueNAS SCALE Nightly Development Documentation
This content follows experimental early release software. Use the Product and Version selectors above to view content specific to a stable software release.

Managing Global 2FA (Two-Factor Authentication)

Global Two-factor authentication (2FA) is great for increasing security.

TrueNAS offers global 2FA to ensure that entities cannot use a compromised administrator root password to access the administrator interface.

Advanced settings have reasonable defaults in place. A warning message displays for some settings advising of the dangers of making changes. Changing advanced settings can be dangerous when done incorrectly. Use caution before saving changes.

Make sure you are comfortable with ZFS, Linux, and system configuration, backup, and restoration before making any changes.

About SCALE 2FA

To use 2FA, you need a mobile device with the current time and date, and an authenticator app installed. We recommend Google Authenticator. You can use other authenticator applications, but you must confirm the settings and QR codes generated in TrueNAS are compatible with your particular app before permanently activating 2FA.

Two-factor authentication is time-based and requires a correct system time setting. Ensure Network Time Protocol (NTP) is functional before enabling two-factor authentication is strongly recommended!
What is 2FA and why should I enable it? 2FA adds an extra layer of security to your system to prevent someone from logging in, even if they have your password. 2FA requires you to verify your identity using a randomized six-digit code that regenerates every 30 seconds (unless modified) to use when you log in.

Benefits of 2FA

Unauthorized users cannot log in since they do not have the randomized six-digit code.

Authorized employees can securely access systems from any device or location without jeopardizing sensitive information.

Internet access on the TrueNAS system is not required to use 2FA.

Drawbacks of 2FA

2FA requires an app to generate the 2FA code.

If the 2FA code is not working or users cannot get it, the system is inaccessible through the UI and SSH (if enabled). You can bypass or unlock 2FA using the CLI.

Enabling 2FA

Set up a second 2FA device as a backup before proceeding.

Before you begin, download Google Authenticator to your mobile device.

  1. Go to System > Advanced, scroll down to the Global Two Factor Authentication widget, and click Config.

  2. Check Enable Two Factor Authentication Globally, then click Save.

    If you want to enable two-factor authentication for SSH logins, select Enable Two-Factor Auth for SSH before you click Save.

    TrueNAS takes you to the Two-Factor Authentication screen to finish 2FA setup.

    When using Google Authenticator, set Interval to 30 or the authenticator code might not function when logging in.

  3. Click Show QR and scan the QR code using Google Authenticator.

    After scanning the code click CLOSE to close the dialog on the Two-Factor Authentication screen.

Accounts that are already configured with individual 2FA are not prompted for 2FA login codes until Global 2FA is enabled. When Global 2FA is enabled, user accounts that have not configured 2FA settings yet are shown the Two-Factor Authentication screen on their next login to configure and enable 2FA authentication for that account.

Disabling or Bypassing 2FA

Go to System > Advanced, scroll down to the Global Two Factor Authentication widget, and click Config. Clear the Enable Two-Factor Authentication Globally checkbox and click Save.

Reactivating 2FA

If you want to enable 2FA again, go to System > Advanced, scroll down to the Global Two Factor Authentication widget, and click Config.

Check Enable Two Factor Authentication Globally, then click Save. To change the system-generated Secret, go to Credentials > 2FA and click Renew 2FA Secret.

Using 2FA to Log in to TrueNAS

Enabling 2FA changes the login process for both the TrueNAS web interface and SSH logins.

Logging In Using the Web Interface

The login screen adds another field for the randomized authenticator code. If this field is not immediately visible, try refreshing the browser.

Enter the code from the mobile device (without the space) in the login window and use the root username and password.

2FA Signin Splash Screen
Figure 4: 2FA Splash Screen

If you wait too long, a new number code displays in Google Authenticator, so you can retry.

Logging In Using SSH

  1. Confirm that you set Enable Two-Factor Auth for SSH in System > Advanced > Global Two Factor Authentication.

  2. Go to System > Services and edit the SSH service.

    a. Set Log in as Admin with Password, then click Save.

    b. Click the SSH toggle and wait for the service status to show that it is running.

  3. Open the Google Authentication app on your mobile device.

  4. Open a terminal (such as Windows Shell) and SSH into the system using either the host name or IP address, the administrator account user name and password, and the 2FA code.