Two-Factor Authentication
2FA adds a second authentication factor on top of the password. Strongly recommended for any production site — particularly for users with the System Manager role.
Enabling site-wide
System Settings → Two Factor Authentication:
- Enable Two Factor Auth — turns the feature on globally
- Bypass restrict IP check — choose whether to require 2FA even from trusted IPs
- Two Factor Method — pick the default mechanism
Methods
| Method | How it works | Notes |
|---|---|---|
| OTP App | TOTP via Google Authenticator, Authy, 1Password, etc. | Most secure; works offline |
| SMS | One-time code by SMS | Requires SMS Settings; phone number on User profile |
| Email | One-time code by email | Fallback; assumes email isn't itself compromised |
OTP App is the recommended default. Avoid SMS for high-value accounts (SIM-swap risk).
Per-role enforcement
Role → Two Factor Auth (the checkbox on each Role):
- Make 2FA mandatory for roles with sensitive permissions (System Manager, Accounts Manager)
- Leave optional for end-user roles to minimise friction
First-time setup (user)
- User logs in with password
- Frappe shows a QR code; user scans with their OTP app
- Recovery codes are displayed — user saves them somewhere safe
- Subsequent logins require both password and an OTP code
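The enrolment and login flow above in working form, as an added example that is not Frappe's own code: the otpauth URI a QR code would carry, RFC 6238 TOTP generation and verification with a one-step drift window, and single-use recovery codes stored as hashes. The secret is the RFC 6238 test vector, a constructed value, not a real user's key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 test-vector secret (constructed example value, not a real user's secret)
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret_b32, at // step)

def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift.
    Constant-time comparison so a wrong guess leaks nothing about the right code."""
    return any(hmac.compare_digest(totp(secret_b32, at + k * step, step), code)
               for k in range(-window, window + 1))

def provisioning_uri(secret_b32: str, account: str, issuer: str = "Frappe") -> str:
    """The otpauth:// URI encoded in the QR code the user scans with their OTP app."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")

def new_recovery_codes(n: int = 5):
    """Return (plaintext codes shown to the user once, hashed codes kept server-side)."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    return plain, {hashlib.sha256(p.encode()).hexdigest() for p in plain}

def use_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code: matched by hash and removed so it cannot be reused."""
    digest = hashlib.sha256(code.strip().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```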
Recovery
If a user loses their OTP device:
- They use a recovery code if they saved one
- Otherwise, a System Manager resets via User → Reset 2FA, and the user re-enrolls on next login
Bypass for trusted IPs
Set Bypass restrict IP check in System Settings together with Restrict IP on the User. Useful for office networks where 2FA on every login is excessive — but it weakens security if the IP whitelist is compromised, since any login from an allowed address then relies on the password alone.