Two-Factor Authentication (2FA)

Grape has built-in Two-factor Authentication using SMS messages or Google Authenticator (TOTP).

Force Two-factor Authentication based on Roles

Since version 3.16.0, organization admins can force certain roles to enable Two-factor Authentication. You can find this configuration in the “Security” section of the organization settings page.

After a new role is added there, all affected users will receive a warning email. They then have a week to enable Two-factor Authentication. After this period, they can’t do anything other than enable it. You can change this period by setting the variable ENABLE_2FA_ADAPT_PERIOD.


NOTE

All new organizations will have Two-factor Authentication enforced by default for admins and owners. All organizations (old and new) will have Two-factor Authentication enforced by default for superusers.

If you want to disable this behaviour for superusers, you should set ENFORCE_2FA_SUPERUSER=0


Enable Two-factor Authentication as a user

In the Web Client or in your Desktop Client:

  1. Click the cogwheel

  2. Click “Account Settings”

  3. Click “Security” in the menu on the left

  4. Click “Enable 2-Step Verification”

  5. Follow the steps on the website

Check Two-factor Authentication status for all users

In the Web Client or in your Desktop Client:

  1. Click the cogwheel

  2. Click “Organization Settings”

  3. Click “Members”

  4. The table has a column called “2FA” where you can see every user’s 2FA status

Other Two-factor Authentication methods

If you want to use your own 2FA, for example as part of SSO, no additional steps are needed on the Grape side.

If your company has another way to do 2FA that needs to be supported by Grape, please get in touch with us.