Twingate offers native Two-Factor Authentication in our application. We recommend you use our 2FA instead of the one provided by your identity provider for improved configurability and more granular management capabilities. Don't set up both our 2FA and your IdP's, as your users will have to complete 2FA twice when they authenticate.
2FA is configured at the Security Policy level. Setting 2FA on the Network Sign In Policy will require 2FA be completed every time the user logs in, and setting it on the Admin Sign In Policy will require admins to complete 2FA when logging into the Admin Console. You can also enable 2FA only on Security Policies assigned to specific Resources, which will only require 2FA when users are accessing those Resources. For more details on configuring 2FA Security Policies, see our documentation.
The Security Policy's session lifetime determines how often users need to complete 2FA. For example, if the Resource Policy has 2FA enabled and the session lifetime is 24 hours, every day the user will need to complete 2FA when they access a Resource, even if they remain logged in during that time.
If an individual user has lost his phone or accidentally deleted the authenticator app, you can reset his 2FA code by navigating to the user and selecting Reset. This will take them through the setup flow the next time they need 2FA, like a user who has never set it up.
Updated 6 months ago