Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) is an additional security layer that protects your EMQX Platform member accounts. When 2FA is enabled, you'll need to enter a verification code generated by an authenticator app in addition to your username and password to log in.

Important Notes

• Member accounts must be in an active state to configure 2FA. After configuration, a verification code is required for every login.
• Users who have already configured 2FA cannot set it up again.
• Please keep your authenticator app secure. Member accounts cannot delete or reset 2FA on their own. Contact the root user if you need to delete it.
• Only the root user can delete 2FA. Member accounts cannot perform this operation, even member accounts with administrator privileges.
• Accounts with Single Sign-On (SSO) enabled cannot enable 2FA.

Configure 2FA for Root User

Root users can secure their accounts with 2FA using either an email verification code or a mobile authenticator app.

1. Log in to the EMQX Platform Console with the root account.

2. Click Settings from the left menu.

3. Select the Security tab and click the Security card. You will be directed to an account settings page.

4. Navigate to the Two-Factor Authentication section on the page. Select your preferred method for 2FA:

   • Email Message: A one-time code will be sent to your account email.
   • Authenticator App: Scan a QR code with an app like Google Authenticator or Microsoft Authenticator.

5. Follow the on-screen instructions to complete the setup.

   It's recommended to test the login immediately after configuration to ensure the authenticator app is working properly.

After enabling 2FA, click Cloud Console from the account menu in the upper-right corner to return to the platform.

Configure 2FA for Member Account

1. Open the Team Member Sign-in page, and log in using the member account.

2. Click Settings from the left menu.

3. Select Two-factor Authentication.

4. Follow the on-screen instructions to complete the setup.

   It's recommended to test the login immediately after configuration to ensure the authenticator app is working properly.

Lost Authenticator Handling

If a member user loses their authenticator app, follow these steps:

1. Contact the root user.
2. The root user should locate the corresponding member account in the Team page.
3. Click the Remove 2FA option in the Actions column.
4. After successful deletion, the member user can reconfigure 2FA.

Additional Notes

• Ensure you have a reliable network connection when configuring 2FA.
• It's recommended to keep backups of your authenticator app on multiple devices.
• Regularly check if your authenticator app is functioning properly.
• If you change phones or uninstall the authenticator app, make sure to contact the root account administrator in advance.