Navigation

    FusionAuth
    • Login
    • Search
    • Home
    • Categories
    • Recent
    • Popular
    • Pricing
    • Contact us
    • Docs
    1. Home
    2. Tags
    3. two factor
    Log in to post
    • All categories
    • dan

      Time drift with OTP
      Q&A • two factor time skew • • dan

      2
      0
      Votes
      2
      Posts
      248
      Views

      dan

      The code is considered valid for n -1, n and n + 1 time steps. We use a 30s time step, so I think this would max out at 59s for a skew tolerance. In your case, if you have up to 70s of skew, this would plausibly break TOTP 2FA.

    • dan

      Is there a way to force users to use two factor authentication?
      Q&A • two factor configuration application • • dan

      2
      0
      Votes
      2
      Posts
      354
      Views

      dan

      Not with a FusionAuth policy, but you could enforce it just by checking the user during login, as twoFactorEnabled is an attribute of the user.

      There's also this github issue which you may want to vote up: https://github.com/FusionAuth/fusionauth-issues/issues/763

    • dan

      Enforcing two factor configuration
      Q&A • two factor configuration • • dan

      4
      0
      Votes
      4
      Posts
      340
      Views

      dan

      @mangeshp16 The original question is over two years old. Since version 1.42, you can enforce MFA at the tenant level (or the application level if you have the enterprise plan). This means that any user who logs in is required to have MFA. If they do not, they are redirected to a page where they can set it up.

      There are other ways to accomplish this. You could build your own MFA page which would call the APIs directly. When a user logs in, you can check to see if they have any twoFactor methods available and if they don't, you can send them to this page.

    • dan

      How can I turn on two factor authentication?
      Q&A • twilio two factor faq • • dan

      4
      0
      Votes
      4
      Posts
      840
      Views

      dan

      @denisskaletti Thanks for feedback. I removed your link because it seemed like spam. We welcome useful links that are about using FusionAuth, please check out the blog category and post there.