Rocket.Chat’s two-factor authentication (2FA) feature adds an extra layer of security by requiring users to verify their identity using two forms of authentication before accessing their accounts.
When 2FA is enabled, users must enter their username and password, followed by a one-time code generated by an authenticator app (TOTP) or sent to their registered email address. The code is short-lived and accepted for a single login only, so a code captured from an earlier login cannot be replayed.
To configure 2FA in your workspace, go to Administration > Workspace > Settings > Accounts > Two Factor Authentication.
You can adjust the following options based on your security needs:
Field | Description |
---|---|
Enable Two Factor Authentication | Turn 2FA on or off for all workspace users. |
Maximum Delta | Sets how long a token remains valid. Tokens are generated every 30 seconds and remain valid for |
Enable Two-Factor Authentication via TOTP | Allow users to set up 2FA using authentication apps like Google Authenticator or Authy. |
Enable Two Factor Authentication via Email | Allow users to receive verification codes by email for logging in or approving sensitive actions. Before enabling, make sure email settings are configured. 2FA via email won't work for users whose email address is not verified. |
Make two factor via email available for OAuth users | When enabled, users signing in with OAuth providers (e.g., GitHub, Google) will receive a temporary email code for authentication (e.g., logging in, resetting E2E keys). Ensure both email settings and an OAuth method are configured before enabling. |
Auto opt in new users for Two Factor via Email | Automatically enables 2FA via email for new users by default. Users can disable this on their profile page. |
Time to expire the code sent via email in seconds | Sets how long (in seconds) a 2FA email code remains valid. |
Maximum Invalid Email OTP Codes Allowed | Sets how many invalid email OTP codes a user may enter before the current code is discarded and a new one is generated and sent. |
Remember Two Factor for (seconds) | Sets the time (in seconds) during which users won't be asked for another code after successfully providing one. |
Enforce password fallback | Forces users who have no other 2FA method enabled to re-enter their password before critical workspace actions (e.g., updating configurations), so that those actions are not left unchallenged for accounts without TOTP or email 2FA. This setting is enabled by default. |
Reset defaults | Click the button to return configurations to their default values. |
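The following is an added example, not Rocket.Chat's own code, showing what Maximum Delta means in practice for a TOTP check: the server computes the RFC 6238 code for the current 30-second step and for `max_delta` steps on either side, so a Maximum Delta of 1 accepts a token across three steps (90 seconds). It also records the highest step already used so the same token cannot be replayed, matching the single-use behaviour described above. The secret is the published RFC 6238 test vector, and the `TotpVerifier` class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # TOTP time step used by authenticator apps (RFC 6238 default)

# Test secret from RFC 6238 (the ASCII string "12345678901234567890" in base32).
# It is a published test vector, not a real user secret.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, step: int, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code for one time-step counter (HMAC-SHA1, 6 digits)."""
    secret = secret_b32.upper()
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def acceptance_window_seconds(max_delta: int) -> int:
    """Wall-clock time during which any single token is accepted for a given Maximum Delta."""
    return (2 * max_delta + 1) * STEP_SECONDS


class TotpVerifier:
    """Server-side check: accept a token within +/- max_delta steps, never the same step twice."""

    def __init__(self, secret_b32: str, max_delta: int) -> None:
        self.secret_b32 = secret_b32
        self.max_delta = max_delta
        self.last_step = -1  # highest step already consumed by a successful login

    def verify(self, token: str, now: int) -> bool:
        if not token.isdigit():
            return False
        current = now // STEP_SECONDS
        for delta in range(-self.max_delta, self.max_delta + 1):
            step = current + delta
            if step <= self.last_step:
                continue  # this step was already used: reject replays of the same token
            if hmac.compare_digest(totp_at(self.secret_b32, step), token):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    for delta in (0, 1, 2):
        print(f"Maximum Delta {delta}: a token is accepted for {acceptance_window_seconds(delta)} s")
    verifier = TotpVerifier(RFC6238_TEST_SECRET, max_delta=1)
    token = totp_at(RFC6238_TEST_SECRET, 59 // STEP_SECONDS)  # "287082" per RFC 6238
    print("first use:", verifier.verify(token, 59))
    print("replay:   ", verifier.verify(token, 60))
```

A larger Maximum Delta tolerates more clock skew between the server and the user's device, but it widens the window in which a phished or shoulder-surfed code is still usable; keep it as small as your users' devices allow.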
By default, 2FA is enabled via email for users who sign up with their email address. For setup instructions, refer to the 2FA user guide.
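To see how the email OTP settings above interact, here is an added example (not Rocket.Chat's implementation) that models a code's lifecycle: the code expires after "Time to expire the code sent via email", every wrong entry counts toward "Maximum Invalid Email OTP Codes Allowed" and reaching that limit discards the code and sends a fresh one, and a successful check suppresses further prompts for "Remember Two Factor for (seconds)". The numeric values, the `EmailOtp` class, the per-device key for the remember window and the `FakeClock` are this example's own assumptions; delivery is stubbed so it runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class EmailOtpSettings:
    # Example values; in a real deployment these come from the workspace settings listed above.
    code_ttl_seconds: int    # Time to expire the code sent via email in seconds
    max_invalid_codes: int   # Maximum Invalid Email OTP Codes Allowed
    remember_seconds: int    # Remember Two Factor for (seconds)


@dataclass
class PendingCode:
    code: str
    issued_at: float
    failures: int = 0


class FakeClock:
    """Controllable clock so the example is deterministic and needs no waiting."""

    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t


class EmailOtp:
    def __init__(self, settings: EmailOtpSettings, send, now=time.time) -> None:
        self.settings = settings
        self.send = send        # callable(email, code): delivers the code (stubbed here)
        self.now = now
        self.pending = {}       # user_id -> PendingCode
        self.remembered = {}    # (user_id, device) -> timestamp until which no code is asked

    def issue(self, user_id: str, email: str) -> str:
        """Generate a fresh 6-digit code, replacing (and resetting the counter of) any old one."""
        code = "".join(secrets.choice("0123456789") for _ in range(6))
        self.pending[user_id] = PendingCode(code, self.now())
        self.send(email, code)
        return code

    def needs_code(self, user_id: str, device: str) -> bool:
        """False while the remember window from the last successful check is still open."""
        return self.remembered.get((user_id, device), 0.0) <= self.now()

    def verify(self, user_id: str, email: str, device: str, token: str) -> str:
        state = self.pending.get(user_id)
        if state is None:
            return "no-code"
        if self.now() - state.issued_at > self.settings.code_ttl_seconds:
            del self.pending[user_id]
            return "expired"  # stale code is dropped; the user must request a new one
        well_formed = len(token) == len(state.code) and token.isdigit()
        if well_formed and hmac.compare_digest(state.code, token):
            del self.pending[user_id]  # single use
            self.remembered[(user_id, device)] = self.now() + self.settings.remember_seconds
            return "ok"
        state.failures += 1
        if state.failures >= self.settings.max_invalid_codes:
            self.issue(user_id, email)  # limit reached: old code is worthless, new one is sent
            return "regenerated"
        return "invalid"
```

Regenerating the code on too many failures caps how many guesses an attacker gets against any one code; a short expiry bounds how long an intercepted email stays useful; and the remember window trades convenience for a longer period in which a stolen session skips the second factor.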
To reset a user’s TOTP 2FA, see the Managing users document.
On the Enterprise plan, you can enforce 2FA for specific user roles to enhance security. Go to Administration > Workspace > Permissions, then edit the role to enable enforcement.