Two Factor Authentication Configuration

Rocket.Chat’s two-factor authentication (2FA) feature provides additional protection for workspace users by requiring a second form of authentication before they can access their accounts. With 2FA enabled, users logging into Rocket.Chat must provide their username and password plus a one-time code, either generated by an authenticator app or sent to their email. The code is unique to each login attempt and provides an extra layer of security, as it cannot be reused or guessed.

To access the 2FA settings, go to Administration > Workspace > Settings > Accounts > Two Factor Authentication tab. Update the following settings according to your needs:

| Field | Description |
| --- | --- |
| Enable Two Factor Authentication | Enable or disable 2FA for the workspace users. |
| Maximum Delta | Determines how many tokens are valid at any given time. Tokens are generated every 30 seconds and are valid for (30 * Maximum Delta) seconds. For example, with Maximum Delta set to 10, each token can be used up to 300 seconds before or after its timestamp. This is useful when the client's clock is not properly synced with the server. |
| Enable Two-Factor Authentication via TOTP | Select whether or not users can set up 2FA with authenticator apps like Google Authenticator. |
| Enable Two Factor Authentication via Email | Select whether or not users receive emails with a temporary code to log in or to authorize certain actions. Before you enable this option, make sure that you have configured the email settings for your workspace. |
| Make two factor via email available for OAuth users | When this option is enabled, users signing in through OAuth providers (e.g., GitHub, Google) receive an email with a temporary code to authorize actions such as logging in, resetting E2E keys, and more. Before you enable this option, make sure that you have configured the email settings and at least one OAuth method. |
| Auto opt in new users for Two Factor via Email | When this option is enabled, new users have 2FA via email enabled by default. They can disable it on their profile page. |
| Time to expire the code sent via email in seconds | Set the time (in seconds) for how long the 2FA code sent to a user's email is valid. |
| Maximum Invalid Email OTP Codes Allowed | Set the maximum number of invalid email OTP codes a user may submit before a new code is automatically generated. |
| Remember Two Factor for (seconds) | Set the number of seconds during which a user cannot request a new authorization code once one has already been provided. |
| Enforce password fallback | Enabling this setting forces users to enter their password to perform some important workspace actions, such as updating certain configurations. By default, this setting is enabled if no other 2FA method is enabled. |
| Reset defaults | Click the button to return the configurations to their default values. |
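To make the Maximum Delta setting concrete, here is an added example (written for this page, not Rocket.Chat's own code) of an RFC 6238 TOTP verifier in Python. It generates the 30-second codes an authenticator app would show and accepts a submitted code from any time step within plus or minus Maximum Delta steps of the server clock, so with a delta of 10 a code is honoured up to 300 seconds early or late. The secret and timestamps are the published RFC 6238 test vectors; the replay guard in `TotpVerifier` (refusing a time step that has already been accepted) is an assumption about how a server would enforce single use, not something this page specifies.

```python
import hashlib
import hmac
import struct
from typing import Optional

TOTP_STEP = 30   # seconds per token, as the Maximum Delta description states
TOTP_DIGITS = 6  # what apps such as Google Authenticator display

# RFC 6238 test key (ASCII "12345678901234567890"). An authenticator app would
# receive the same bytes base32-encoded in the enrolment QR code.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: the HOTP value for the time step containing Unix time `at`."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, submitted: str, now: int, max_delta: int,
                step: int = TOTP_STEP) -> Optional[int]:
    """Return the time-step counter whose code matches `submitted`, or None.

    Every step from now - max_delta to now + max_delta is tried, so a code is
    accepted up to max_delta * step seconds (300 s for Maximum Delta = 10)
    before or after the server's own clock. The comparison is constant-time.
    """
    if len(submitted) != TOTP_DIGITS or not submitted.isdigit():
        return None
    current = now // step
    for counter in range(current - max_delta, current + max_delta + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class TotpVerifier:
    """Per-user verifier that additionally refuses an already-accepted step.

    The replay guard is an assumption about server behaviour made for this
    example; the page only states that a code cannot be reused.
    """

    def __init__(self, secret: bytes, max_delta: int):
        self.secret = secret
        self.max_delta = max_delta
        self.last_counter = -1  # highest time step accepted so far

    def check(self, submitted: str, now: int) -> bool:
        counter = verify_totp(self.secret, submitted, now, self.max_delta)
        if counter is None or counter <= self.last_counter:
            return False
        self.last_counter = counter
        return True


if __name__ == "__main__":
    # Code for Unix time 59 (RFC 6238 vector) is still accepted 300 s later
    # with Maximum Delta = 10, but not with 9.
    code = totp(RFC_SECRET, 59)
    print(code, verify_totp(RFC_SECRET, code, 359, 10), verify_totp(RFC_SECRET, code, 359, 9))
```

The trade-off the setting controls is visible in `verify_totp`: with Maximum Delta = 10, 21 distinct codes are valid at any instant instead of one, which tolerates badly synced client clocks at the cost of a proportionally larger guessing window. Keep the value as low as your clients' clock drift allows, and pair it with the per-step replay guard so a code captured in transit cannot be presented a second time within that window.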
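The three email-code settings (code expiry, maximum invalid OTP codes, and "Remember Two Factor for") describe a small state machine. The following Python model is an added example written for this page, not Rocket.Chat's implementation, and the way it maps each setting onto behaviour (a verified login suppresses new code requests for the remember window; the N-th wrong guess discards the code and generates a fresh one) is this example's reading of the descriptions above. The injectable `code_generator` exists only so the lifecycle can be exercised deterministically offline; the real system would email the code rather than return it.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def random_code(digits: int = 6) -> str:
    """Cryptographically random, zero-padded decimal code."""
    return str(secrets.randbelow(10 ** digits)).zfill(digits)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    invalid_attempts: int = 0


class EmailOtpService:
    """Models the email OTP lifecycle under three workspace settings.

    ttl_seconds      -> "Time to expire the code sent via email in seconds"
    max_invalid      -> "Maximum Invalid Email OTP Codes Allowed"
    remember_seconds -> "Remember Two Factor for (seconds)"
    """

    def __init__(self, ttl_seconds: int, max_invalid: int, remember_seconds: int,
                 code_generator: Callable[[], str] = random_code):
        self.ttl_seconds = ttl_seconds
        self.max_invalid = max_invalid
        self.remember_seconds = remember_seconds
        self.generate = code_generator
        self.pending: Dict[str, PendingCode] = {}       # user -> outstanding code
        self.last_verified: Dict[str, float] = {}       # user -> time of last success

    def needs_second_factor(self, user: str, now: float) -> bool:
        """False while a success within the last remember_seconds still counts."""
        last = self.last_verified.get(user)
        return last is None or now - last >= self.remember_seconds

    def issue(self, user: str, now: float) -> Optional[str]:
        """Create and store a fresh code, or None if the user is still remembered.

        Returned here only so the example runs without a mail server; a real
        service would send it by email and never hand it back to the caller.
        """
        if not self.needs_second_factor(user, now):
            return None
        code = self.generate()
        self.pending[user] = PendingCode(code=code, issued_at=now)
        return code

    def verify(self, user: str, submitted: str, now: float) -> bool:
        state = self.pending.get(user)
        if state is None:
            return False
        if now - state.issued_at > self.ttl_seconds:
            del self.pending[user]  # expired: the user must request a new code
            return False
        if submitted.isascii() and hmac.compare_digest(state.code, submitted):
            del self.pending[user]  # single use
            self.last_verified[user] = now
            return True
        state.invalid_attempts += 1
        if state.invalid_attempts >= self.max_invalid:
            # Too many wrong guesses: discard the old code and generate a new one,
            # so a guesser never gets more than max_invalid tries at any one code.
            self.pending[user] = PendingCode(code=self.generate(), issued_at=now)
        return False


if __name__ == "__main__":
    svc = EmailOtpService(ttl_seconds=120, max_invalid=3, remember_seconds=600)
    code = svc.issue("alice", now=1000)  # constructed user and timestamps
    print("wrong guess accepted:", svc.verify("alice", "000000", 1001))
    print("right code accepted:", svc.verify("alice", code, 1002))
    print("asked again at +5 min:", svc.needs_second_factor("alice", 1300))
```

Two details are worth noting when tuning these settings: the expiry check runs before the comparison, so a stale code is never compared at all, and the invalid-attempt counter caps the number of guesses at one code regardless of how long the expiry is, which is why a long expiry is less risky when the maximum invalid count is small.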

  • By default, 2FA is enabled with the email you used for signing up on the workspace. To learn how to use the 2FA feature in your account, see the 2FA user guide.

  • If you need to reset 2FA TOTP for a user’s account, refer to the Managing users document.

  • In the Enterprise plan, you can force certain user roles to use 2FA to improve security. Go to Administration > Workspace > Permissions and edit the role.