Two-Factor Authentication

Two-Factor Authentication (2FA) is your extra layer of login security. With 2FA, logging into Rock involves more than just a username and password; you'll also need to verify your identity via email or text. However, this doesn’t apply to everyone. You get to control who is required to use 2FA based on their Account Protection Profile.

If you're using Passwordless Login on your site, people needing 2FA will still need to enter their username and password after completing the Passwordless process.

Warning

External Authentication
Built-in external authentication providers like Google or Facebook do not support Two-Factor Authentication. So, they can’t be used if 2FA is turned on. There is a customizable message in the Login block that the person will see in this case.

In the below example, the person initially logged in with a traditional username and password. Now they must provide their email or phone number to proceed.

Provide Email or Phone

If the person uses their phone number, they will be sent a verification code via SMS text message.

Phone Login Confirmation

Then, back in Rock, the person will need to enter the verification code from their phone to finish logging in.

Enter Confirmation Code

If they provide an email address instead of a phone number, there’s a button in the email they receive that they need to click to finish the sign-in process. This will log them in promptly and does not require that they manually enter the code.

Verification Email

If the email address or phone number they provide doesn’t match what they have in Rock, or if they don’t have a phone number or email at all, they’ll be instructed to contact you for assistance, as pictured below.

Missing Email or Phone

Two-Factor Authentication Setup

We’ll start with the communication configuration. Two-Factor Authentication uses some of the same functionality as the Passwordless Login process, including sending the person an email or SMS message. So, if you've set up Passwordless Login already, you can skip updating your communication configuration. If not, go to Admin Tools > Settings > System Communications and add a "From" number to the SMS section of the Passwordless Login Confirmation system communication.

Update System Communication

Two-Factor Authentication is turned off by default, partially because it won’t work without the above configuration. So, your last step is to enable 2FA. You’ll need to update your Security Settings under Admin Tools > Settings > Security Settings. There you’ll choose which Protection Profile(s) should be required to use 2FA.

Warning

Check Login Block Settings
If the Login block’s settings have Show Internal Database Login set to "No", and Redirect to Single External Auth Provider set to "Yes", then you should NOT enable 2FA. If you do, you may lock yourself or others out of Rock.

Enable for Protection Profiles

At a minimum, you may want to require Two-Factor Authentication for people with Extreme Protection Profiles. This helps prevent fraudulent attempts to log in using accounts with higher levels of access to Rock.

Note

When to Turn On
In the rare event that you turn on 2FA while people are actively logged in to Rock, and if those people require 2FA, they will be automatically logged out and must sign in again using 2FA. For this reason, you may want to turn this on during periods of low activity.

The Login block itself has a few settings directly related to Two-Factor Authentication. These are messages that the person will see if things don’t go exactly as planned. The messages include the following topics/scenarios:

Login Block Settings

  1. Two-Factor Email or Mobile Phone Required - This is the standard message that people see whenever they need to go through the Two-Factor Authentication process.
  2. Two-Factor Email and Mobile Phone Not Available - The person will see this message if they don’t have an email or phone number in your system at all.
  3. Two-Factor Login Required - This standard message simply informs the person that they need to use 2FA and requests their phone number or email address.
  4. Two-Factor Login Not Available - People will see this one if they don’t have a username/password set up in your system.
  5. Two-Factor Not Supported by Authorization Component - This message will appear if the person is required to use 2FA but attempts to log in using their Facebook account, Google Account, or similar 3rd party accounts.

Tip

Passwordless with Passwords
Note that Passwordless Login will require the person to establish a username and password as part of that process if 2FA is turned on.

Things to Remember:

  1. Configure an SMS "From" number for the Passwordless Login Confirmation communication in Admin Tools > Settings > System Communications.
  2. Activate 2FA in Security Settings under Admin Tools > Settings > Security Settings, selecting relevant Protection Profiles.
  3. For people using Passwordless Login, note that enabling 2FA requires establishing a username and password as part of the process.