Rocket.Chat’s two-factor authentication (2FA) feature adds an extra layer of security by requiring users to verify their identity with two forms of authentication before accessing their accounts.
When 2FA is enabled, users must enter their username and password, followed by a one-time code generated by an authenticator app or sent to their registered email. Each code is valid for a single login and cannot be reused.
To configure 2FA in your workspace, go to: Administration > Workspace > Settings > Accounts > Two Factor Authentication
You can adjust the following options based on your security needs:
| Setting | Description |
|---|---|
| Enable Two Factor Authentication | Turn 2FA on or off for all workspace users. |
| Maximum Delta | Determines how long tokens remain valid. Tokens are generated every 30 seconds and remain valid for |
| Enable Two-Factor Authentication via TOTP | Allows users to set up 2FA with authenticator apps such as Google Authenticator or Authy. |
| Enable Two Factor Authentication via Email | Allows users to receive verification codes by email for login or sensitive actions. Requires email to be configured and verified. |
| Make two factor via email available for OAuth users | Sends a temporary email code to users signing in with OAuth providers (e.g., GitHub, Google). Requires email and OAuth settings to be properly configured. |
| Auto opt in new users for Two Factor via Email | Automatically enables 2FA via email for new users by default. Users can disable this in their profile settings. |
| Time to expire the code sent via email in seconds | Defines how long (in seconds) an emailed 2FA code remains valid. (Default: 3600 seconds) |
| Maximum Invalid Email OTP Codes Allowed | Sets the maximum number of invalid email codes accepted before the system generates a new one. (Default: 5) |
| Remember Two Factor for (seconds) | Sets the time (in seconds) during which users won't be asked for a code again if one was already provided. (Default: 1800 seconds) |
| Enforce password fallback | Requires users to enter their password for critical actions (e.g., updating configurations) if no other 2FA method is enabled. Enabled by default. |
| Reset defaults | Restores all 2FA settings to their default values. |
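The validity windows in the table above (the 30-second TOTP step widened by Maximum Delta, the email-code expiry, the invalid-attempt limit, and the "remember" period) are easier to reason about when modelled in code. The following is an added example written for this page; it is not Rocket.Chat's own implementation, and the way it regenerates a code after too many invalid attempts, the `EmailOtpSession` class, the `generate` and `clock` parameters and the constructed test secret are all assumptions. The TOTP part follows RFC 4226/6238 with the standard-library `hmac` module, so it can be checked against the RFC test vectors.

```python
"""Models the token-validity windows behind Rocket.Chat's 2FA settings.
Added illustration, not Rocket.Chat code: setting names come from the
settings table, the internal behaviour is an assumption."""
import hashlib
import hmac
import secrets
import struct
import time

TOTP_STEP = 30  # seconds per TOTP time step (RFC 6238 default, "generated every 30 seconds")


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter; TOTP uses counter = floor(now / 30)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, now: float, max_delta: int) -> bool:
    """Accept the code if it matches any step within +/- max_delta steps of now.
    max_delta plays the role of "Maximum Delta": a larger value tolerates more
    clock drift on the user's device but also lengthens the period in which a
    single observed code stays usable, so keep it as small as drift allows."""
    current = int(now // TOTP_STEP)
    return any(
        hmac.compare_digest(totp_code(secret, current + d), code)
        for d in range(-max_delta, max_delta + 1)
    )


class EmailOtpSession:
    """One user's emailed code under the email-2FA settings (assumed behaviour).
    Defaults mirror the table: 3600 s expiry, 5 invalid codes, 1800 s remember."""

    def __init__(self, expire_seconds=3600, max_invalid=5, remember_seconds=1800,
                 clock=time.time, generate=lambda: f"{secrets.randbelow(10 ** 6):06d}"):
        self.expire_seconds = expire_seconds
        self.max_invalid = max_invalid
        self.remember_seconds = remember_seconds
        self.clock = clock            # injectable so tests can control time
        self.generate = generate      # injectable so tests get a known code
        self.code = None
        self.issued_at = None
        self.invalid_attempts = 0
        self.verified_at = None
        self.codes_sent = 0

    def send_code(self) -> str:
        """Issue a fresh code (a real system emails it); resets the invalid counter."""
        self.code = self.generate()
        self.issued_at = self.clock()
        self.invalid_attempts = 0
        self.codes_sent += 1
        return self.code

    def needs_code(self) -> bool:
        """False while inside the "Remember Two Factor for (seconds)" window."""
        if self.verified_at is None:
            return True
        return self.clock() - self.verified_at > self.remember_seconds

    def verify(self, attempt: str) -> str:
        """Returns "ok", "expired", "invalid" or "regenerated"."""
        if self.code is None or self.clock() - self.issued_at > self.expire_seconds:
            return "expired"                      # "Time to expire the code sent via email"
        if hmac.compare_digest(self.code, attempt):
            self.verified_at = self.clock()
            self.code = None                      # single use: a code cannot be replayed
            return "ok"
        self.invalid_attempts += 1
        if self.invalid_attempts >= self.max_invalid:
            self.send_code()                      # "Maximum Invalid Email OTP Codes Allowed"
            return "regenerated"
        return "invalid"


if __name__ == "__main__":
    # Constructed secret from RFC 6238 Appendix B; at t=59 the 6-digit SHA-1 code is 287082.
    rfc_secret = b"12345678901234567890"
    print(totp_code(rfc_secret, 59 // TOTP_STEP))
    print(verify_totp(rfc_secret, "287082", now=89, max_delta=1))
```

Because `verify_totp` checks every step in the window with a constant-time comparison, the cost of a wider delta is purely in the acceptance window, which is the trade-off the Maximum Delta setting exposes; the email session shows why the "remember" window and the expiry are separate timers, one starting at issue time and the other at successful verification.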
Notes:

- By default, 2FA is enabled via email for users who sign up with an email address. For setup instructions, see the 2FA user guide.
- To reset a user's TOTP 2FA, see the Managing users documentation.
- On the Enterprise plan, you can enforce 2FA for specific roles. Go to Administration > Workspace > Permissions, then edit the role to enable enforcement.