[comment]: # ({2c375a51-3adc7e87})
# 4 MFA

[comment]: # ({/2c375a51-3adc7e87})

[comment]: # ({6a8e85c2-352c24e6})
#### Overview

Multi-factor [authentication](/manual/web_interface/frontend_sections/users/authentication) (MFA) can be used to sign in to Zabbix, providing an additional layer of security beyond just a username and password.

With MFA, the user must exist in Zabbix, must provide Zabbix credentials when logging in, and must also prove their identity by other means, usually a code generated by an authenticator app on the user's phone.

Multiple MFA methods are available, allowing users to choose the option that best fits their security requirements and preferences.
These methods are Time-Based One-Time Password (TOTP) and Duo Universal Prompt.

[comment]: # ({/6a8e85c2-352c24e6})

[comment]: # ({f04e9843-d741fb01})
#### Configuration

![](../../../../../../assets/en/manual/web_interface/frontend_sections/users/auth_mfa.png){width="600"}

Configuration parameters:

|Parameter|Description|
|--|--------|
|*Enable multi-factor authentication*|Mark the checkbox to enable multi-factor authentication.|
|*Methods*|Click *Add* to configure an MFA method (see [method configuration](#method-configuration) below).|

[comment]: # ({/f04e9843-d741fb01})

[comment]: # ({98143b87-3bef8b26})
#### Method configuration

![](../../../../../../assets/en/manual/web_interface/frontend_sections/users/auth_mfa_method.png)

Method configuration parameters:

|Parameter|Description|
|--|--------|
|*Type*|Select the type of MFA method:<br>**TOTP** - use an authenticator app to generate time-based one-time passwords;<br>**Duo Universal Prompt** - use the [Duo](https://duo.com/) authentication service to provide multi-factor authentication.|
|*Name*|Enter a name that is displayed as the account name to all MFA users in authenticator apps (for example, "Zabbix").|
|*Hash function*|Select the hash function (SHA-1, SHA-256, or SHA-512) for generating TOTP codes.<br> This parameter is available if the MFA method type is set to "TOTP".<br> Note that choosing SHA-256 or SHA-512 may significantly limit compatibility, as many applications currently do not support these functions.|
|*Code length*|Select the verification code length (6 or 8).<br>This parameter is available if the MFA method type is set to "TOTP".|
|*API hostname*|Enter the API hostname provided by the Duo authentication service.<br>This parameter is available if the MFA method type is set to "Duo Universal Prompt".|
|*Client ID*|Enter the client ID provided by the Duo authentication service.<br>This parameter is available if the MFA method type is set to "Duo Universal Prompt".|
|*Client secret*|Enter the client secret provided by the Duo authentication service.<br>This parameter is available if the MFA method type is set to "Duo Universal Prompt".|

[comment]: # ({/98143b87-3bef8b26})

[comment]: # ({ac310d8e-5ec7e5fc})
#### Configuration examples

This section provides examples of configuring MFA using [Time-Based One-Time Password](#totp) (TOTP) and [Duo Universal Prompt](#duo-universal-prompt).

[comment]: # ({/ac310d8e-5ec7e5fc})

[comment]: # ({75470f00-618ca622})
##### TOTP

For TOTP, users must verify their identity using an authenticator app (for example, the [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en&ref_topic=2954345&sjid=13869154989116423594-EU) app).

1\. Go to the MFA settings in Zabbix under *Users* → *Authentication* and enable multi-factor authentication.

2\. Add a new MFA [method](#method-configuration) with the following configuration:

-   Type: TOTP
-   Name: Zabbix TOTP
-   Hash function: SHA-1
-   Code length: 6

3\. Click the *Add* button and then the *Update* button.

4\. Go to *Users* → [*User groups*](/manual/web_interface/frontend_sections/users/user_groups) and create a new user group with the following [configuration](/manual/config/users_and_usergroups/usergroup#configuration):

-   Group name: TOTP group
-   Users: Admin
-   Multi-factor authentication: Default (or "Zabbix TOTP" if it is not set as default)

5\. Log out of Zabbix and log back in using your credentials.
Upon successful login, you will be prompted to enroll in MFA and shown a QR code and a secret key.

![](../../../../../../assets/en/manual/web_interface/frontend_sections/users/auth_mfa_totp_qr.png)

6\. Scan the QR code or enter the secret key into the Google Authenticator app.
The app will generate a verification code which you should enter to complete the login process.

7\. For subsequent logins, retrieve the verification code from the Google Authenticator app and enter it during login.

[comment]: # ({/75470f00-618ca622})

[comment]: # ({f4a7a665-dbf0ffa9})
##### Duo Universal Prompt

For Duo Universal Prompt, users must verify their identity using the [Duo Mobile](https://duo.com/product/multi-factor-authentication-mfa/duo-mobile-app) authenticator app.

::: noteimportant
The Duo Universal Prompt MFA method requires the installation of the [php-curl](/manual/installation/requirements#frontend) extension, access to Zabbix over HTTPS, and permission for outbound connections to Duo servers.
Moreover, if you have [enabled Content Security Policy (CSP) on the web server](/manual/best_practices/security/web_server#enabling-content-security-policy-csp-on-the-web-server), make sure to add "duo.com" to the CSP directive in your virtual host's configuration file.
:::

1\. Sign up for a free Duo admin account at [Duo Signup](https://signup.duo.com).

2\. Open the Duo Admin Panel, go to *Applications* → [*Protect an Application*](https://duo.com/docs/protecting-applications), search for the *Web SDK* application, and click *Protect*.

3\. Note the credentials (Client ID, Client secret, API hostname) required for configuring the MFA method in Zabbix.

4\. Go to MFA settings in Zabbix under *Users* → *Authentication* and enable multi-factor authentication.

5\. Add a new MFA [method](#method-configuration) with the following configuration:

-   Type: Duo Universal Prompt
-   Name: Zabbix Duo
-   API hostname: (use API hostname from Duo)
-   Client ID: (use Client ID from Duo)
-   Client secret: (use Client secret from Duo)

6\. Click the *Add* button and then the *Update* button.

7\. Go to *Users* → [*User groups*](/manual/web_interface/frontend_sections/users/user_groups) and create a new user group with the following [configuration](/manual/config/users_and_usergroups/usergroup#configuration):

-   Group name: Duo group
-   Users: Admin
-   Multi-factor authentication: Default (or "Zabbix Duo" if it is not set as default)

8\. Log out of Zabbix and log back in using your credentials.
Upon successful login, you will be prompted to enroll in MFA and redirected to Duo.
Complete the Duo setup and verify your user with your phone's Duo app to log in.

9\. For subsequent logins, use the appropriate MFA method provided by the Duo app (such as retrieving a verification code, responding to push notifications, or using hard keys), and enter the required information during login.

[comment]: # ({/f4a7a665-dbf0ffa9})
