
Enforcing 2FA

Configure and enforce two-factor authentication for enhanced security

Overview

Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), adds an extra layer of security to user accounts by requiring a second form of verification beyond just a password. This significantly reduces the risk of unauthorized access even if passwords are compromised.

Security Recommendation

Enforce 2FA for all users to significantly enhance account security and protect sensitive penetration testing data.

Enforcing 2FA Settings

  1. Log in to PentestPad with an administrator account
  2. Navigate to the sidebar menu
  3. Click on Administration
  4. Select the General tab
  5. Locate the Enforce users to set up multi factor authentication setting

Enabling System-Wide 2FA

To require 2FA for users:

  1. Navigate to Administration > General tab
  2. Toggle Enforce users to set up multi factor authentication to enabled
  3. Click Save Settings

On the user's next login

  • The user logs in with username and password as usual
  • Before proceeding any further, the system forces the user to set up 2FA

Planning Tip

Announce 2FA enforcement to your team before enabling it. Provide setup instructions and support resources to ensure a smooth transition.

How Users Enable 2FA

Whether 2FA is enforced or enabled by choice, users follow these steps:

  1. Log in with username and password
  2. System displays prompt: "Two-Factor Authentication Required"
  3. User sees QR code and setup instructions
  4. User opens authenticator app on their mobile device
  5. User scans QR code with authenticator app
  6. App generates a 6-digit verification code
  7. User enters verification code in PentestPad
  8. System displays backup codes (10 one-time codes)
  9. User saves backup codes in secure location
  10. Setup complete - 2FA is now active

Important

Users must save their backup codes in a secure location. These codes are the only way to access the account if they lose their authenticator device.

Alternative Setup: Manual Entry

If users cannot scan the QR code:

  1. Click "Can't scan the QR code?"
  2. System displays secret key (e.g., JBSWY3DPEHPK3PXP)
  3. User manually enters this key in authenticator app
  4. Complete verification as normal

Supported Authenticator Apps

PentestPad supports TOTP (Time-based One-Time Password) compatible applications:

Google Authenticator

  • Platforms: iOS, Android
  • Features: Simple, reliable, free
  • Best for: Basic 2FA needs

Microsoft Authenticator

  • Platforms: iOS, Android
  • Features: Backup, multi-device sync, passwordless login
  • Best for: Microsoft ecosystem users

Authy

  • Platforms: iOS, Android, Desktop, Chrome
  • Features: Cloud backup, multi-device sync, encrypted backups
  • Best for: Users who want desktop access

1Password

  • Platforms: Cross-platform
  • Features: Integrated password + TOTP management, secure sharing
  • Best for: Teams using password managers

LastPass Authenticator

  • Platforms: iOS, Android
  • Features: One-tap verification, backup
  • Best for: LastPass users

Any TOTP App Works

PentestPad uses the standard TOTP protocol (RFC 6238), so any compatible authenticator application will work.

Backup Codes

Understanding Backup Codes

Backup codes are one-time use recovery codes generated during 2FA setup:

Characteristics:

  • Typically 10 codes provided at setup
  • Each code can only be used once
  • 8-10 characters long
  • Can be used instead of authenticator app
  • Remain valid until used or regenerated

When to Use Backup Codes

Use backup codes when:

  • Lost or broken phone with authenticator app
  • Authenticator app not working or corrupted
  • Device not available (traveling, etc.)
  • Need emergency access to account
  • Switching to a new phone

How to Use a Backup Code

  1. Navigate to PentestPad login page
  2. Enter username and password
  3. When prompted for 2FA code, click "Use backup code"
  4. Enter one of your saved backup codes
  5. Log in successfully
  6. Immediately reconfigure 2FA in account settings

Best Practice

After using a backup code, set up 2FA again with your current device and generate new backup codes.
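The backup-code lifecycle described under Backup Codes and How to Use a Backup Code (ten codes issued at setup, each usable exactly once, the whole set invalidated when regenerated) as an added Python example. This is not PentestPad's implementation: the in-memory store, the user id and the 31-character alphabet are assumptions made for the illustration.

```python
"""Backup (recovery) codes for 2FA: generation, hashed storage and one-time
redemption. Added illustration of the behaviour described on this page; it is
not PentestPad's code, and the store and user id are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_COUNT = 10   # ten codes issued at setup
CODE_LENGTH = 10  # the page says 8-10 characters; 10 is used here
# Unambiguous alphabet (no 0/O, 1/I/L) so a printed code is easy to retype.
ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH) -> list[str]:
    """Draw `count` codes from the CSPRNG. They are shown to the user once."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def normalize(code: str) -> str:
    """Strip the separators people add when copying codes (spaces, dashes)."""
    return code.strip().replace("-", "").replace(" ", "")


def hash_code(code: str, user_id: str) -> str:
    """Store only a hash. A 10-character code from a 31-symbol alphabet has
    about 50 bits of entropy, so a per-user salted SHA-256 is adequate; a
    short or low-entropy code would need a slow KDF instead."""
    return hashlib.sha256(f"{user_id}:{normalize(code)}".encode()).hexdigest()


@dataclass
class BackupCodeStore:
    """Per-user record of unused backup-code hashes (constructed in-memory store)."""
    user_id: str
    unused_hashes: set[str] = field(default_factory=set)

    def issue(self) -> list[str]:
        """Generate a fresh set and discard any previous codes (regeneration)."""
        codes = generate_backup_codes()
        self.unused_hashes = {hash_code(c, self.user_id) for c in codes}
        return codes  # plaintext is returned once and never stored

    def redeem(self, submitted: str) -> bool:
        """Consume a code: it is accepted exactly once, then removed."""
        candidate = hash_code(submitted, self.user_id)
        for stored in self.unused_hashes:
            if hmac.compare_digest(stored, candidate):  # constant-time compare
                self.unused_hashes.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        """How many unused codes are left; warn the user when this gets low."""
        return len(self.unused_hashes)


if __name__ == "__main__":
    store = BackupCodeStore("user-42")  # constructed user id
    codes = store.issue()
    print("Save these codes now; they will not be shown again:")
    for c in codes:
        print(f"  {c[:5]}-{c[5:]}")
    print("first use accepted:", store.redeem(codes[0]))
    print("second use accepted:", store.redeem(codes[0]))
    print("codes remaining:", store.remaining())
```

Because redemption deletes the hash, a leaked or shoulder-surfed code that has already been used is worthless, and a user who has consumed several codes can see the count drop and regenerate a fresh set, which is the "generate new backup codes" step recommended above. Case is preserved as typed, so a code entered in lowercase is rejected; lowercasing in `normalize` would be a reasonable alternative choice.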

User Self-Service Reset

Users can reset their own 2FA using backup codes (see the Backup Codes section above).

Troubleshooting Common Issues

User Cannot Scan QR Code

Solutions:

  1. Provide the manual entry option (show the secret key)
  2. Check camera permissions on the mobile device
  3. Try a different authenticator app
  4. Ensure good lighting when scanning
  5. Move the phone closer to or farther from the screen

Time Sync Issues

Problem: Codes not working even though entered correctly

Solution:

  1. Verify the device time is accurate (not off by minutes)
  2. Enable automatic time sync on the device:
    • iOS: Settings > General > Date & Time > Set Automatically
    • Android: Settings > System > Date & time > Automatic
  3. Check that the timezone is correct
  4. Wait for the next code cycle (codes refresh every 30 seconds)
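The enrollment and verification flow described under How Users Enable 2FA, Alternative Setup: Manual Entry and Any TOTP App Works, together with the 30-second step and clock-skew tolerance behind the time sync advice above, as an added Python example. It is not PentestPad's code: it implements RFC 4226/6238 with the standard library only, the issuer, account name and one-step skew window are assumptions, and the Base32 secret is the example key shown on the manual-entry step, not a key from any real account.

```python
"""TOTP enrollment and verification per RFC 6238 (HMAC-SHA1, 30-second step,
6-digit codes). Added illustration of the flow described on this page; it is
not PentestPad's code, and the issuer/account names are constructed."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30       # codes refresh every 30 seconds (RFC 6238 default)
DIGITS = 6              # 6-digit verification codes
ALLOWED_SKEW_STEPS = 1  # also accept the previous and next 30-second window

# The Base32 key shown on this page's manual-entry step (an example value).
EXAMPLE_SECRET = "JBSWY3DPEHPK3PXP"


def new_secret(num_bytes: int = 20) -> str:
    """Fresh Base32 secret for enrollment: 160 bits, the RFC 4226 minimum."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI encoded into the enrollment QR code; authenticator
    apps parse it to obtain the secret, issuer and label."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def _decode_secret(secret: str) -> bytes:
    # Apps display the key without '=' padding; Base32 decoding needs it back.
    key = secret.strip().replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


def hotp(secret: str, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: str, at_time: Optional[int] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / 30)."""
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(secret: str, submitted: str, at_time: Optional[int] = None) -> bool:
    """Server-side check. Accepts the current step plus/minus ALLOWED_SKEW_STEPS
    so a few seconds of drift is tolerated; a phone that is minutes off still
    fails, which is the 'codes not working' symptom described above."""
    t = int(time.time()) if at_time is None else at_time
    submitted = submitted.strip().replace(" ", "")
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    step = t // STEP_SECONDS
    for delta in range(-ALLOWED_SKEW_STEPS, ALLOWED_SKEW_STEPS + 1):
        if step + delta < 0:
            continue
        if hmac.compare_digest(hotp(secret, step + delta), submitted):  # constant-time
            return True
    return False


if __name__ == "__main__":
    # Constructed enrollment: this URI is what the QR code would carry.
    print("QR payload:", provisioning_uri(EXAMPLE_SECRET, "alice@example.com", "PentestPad"))
    now = int(time.time())
    print("Code right now:", totp(EXAMPLE_SECRET, now))
    print("Phone 20 s slow, accepted:", verify_totp(EXAMPLE_SECRET, totp(EXAMPLE_SECRET, now - 20), now))
    print("Phone 5 min slow, accepted:", verify_totp(EXAMPLE_SECRET, totp(EXAMPLE_SECRET, now - 300), now))
```

The skew window is what makes "wait for the next code cycle" useful advice: a code that straddles a 30-second boundary is still accepted, but a device clock several minutes off produces counters outside the window and every code fails until time sync is fixed. A production verifier should additionally remember the last accepted step per user and refuse to accept the same code twice, as RFC 6238 recommends, and should rate-limit attempts, since a 6-digit code has only a million possibilities.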

Codes Not Accepted

Troubleshooting steps:

  1. Verify the time on the device is correct
  2. Check for typos; codes are case-sensitive
  3. Ensure the code comes from the correct account in the authenticator
  4. Wait for the code to refresh (they expire quickly)
  5. Check whether Caps Lock is on
  6. Use a backup code if codes consistently fail