Multi-Factor Authentication

Configure strong authentication with WebAuthn, hardware keys, and TOTP. Protect your infrastructure from credential theft and phishing.

Estimated time: 15 minutes

Authentication Methods

WebAuthn/Passkeys

Touch ID, Face ID, Windows Hello (phishing-resistant)

Hardware Keys

YubiKey, Titan Key, other FIDO2 security keys

TOTP Apps

Google Authenticator, Authy, 1Password

Adaptive MFA

Risk-based authentication that adjusts to context

Configuration Steps

1. Enable MFA in Auth Service

Configure the authentication settings to require MFA.

# /etc/tigeraccess/config.yaml
auth_service:
  enabled: true

  authentication:
    type: local  # or oidc, saml
    second_factor: "on"  # "on", "optional", "otp", "webauthn"; quote "on" so YAML does not parse it as the boolean true

    webauthn:
      rp_id: access.company.com

    # Hardware key requirements
    u2f:
      app_id: https://access.company.com

2. Configure WebAuthn/Passkeys

Enable passwordless authentication with biometrics.

tacctl create -f - <<EOF
kind: authentication_preference
metadata:
  name: default
spec:
  second_factor: webauthn
  webauthn:
    allow_passwordless: true
    attestation: indirect
    authenticator_attachment: platform  # or 'cross-platform'
    resident_key: preferred
    user_verification: required
EOF

3. Set Up Hardware Key Support

Configure YubiKey, Titan, and other FIDO2 keys.

tacctl create -f - <<EOF
kind: authentication_preference
metadata:
  name: high-security
spec:
  second_factor: webauthn
  webauthn:
    allow_passwordless: false
    authenticator_attachment: cross-platform
    user_verification: required

  # Require hardware keys for specific roles
  required_for_roles:
    - admin
    - security-team
EOF

4. Configure TOTP Fallback

Enable TOTP apps as a fallback option.

tacctl create -f - <<EOF
kind: authentication_preference
metadata:
  name: with-totp-fallback
spec:
  second_factor: "on"  # quoted so YAML does not parse it as a boolean
  allowed_methods:
    - webauthn
    - totp

  totp:
    algorithm: SHA256
    digits: 6
    period: 30
EOF

5. Register MFA Device

Users register their MFA devices during login.

# Register a new MFA device
tac mfa add

# List registered devices
tac mfa ls

# Remove a device
tac mfa rm --name="YubiKey 5"

# Test MFA
tac login --mfa-test

Adaptive MFA Configuration

Context-Aware Authentication

# Adaptive MFA configuration
kind: role
metadata:
  name: adaptive-access
spec:
  options:
    # MFA requirements based on context
    require_session_mfa: true

    # Lock sessions to client IP
    pin_source_ip: true

    # Maximum session duration
    max_session_ttl: 8h

    # Device trust requirements
    device_trust_mode: required

  # Per-resource MFA requirements: production nodes require per-session MFA
  allow:
    node_labels:
      env: production
    require_mfa_per_session: true
---
# A YAML mapping cannot repeat the `allow` key, so the development rule lives
# in a second role document (the role name here is illustrative)
kind: role
metadata:
  name: adaptive-access-dev
spec:
  allow:
    node_labels:
      env: development
    require_mfa_per_session: false

Role-Based MFA Requirements

Require Hardware Keys for Admins

# Role-based MFA requirements
kind: role
metadata:
  name: admin
spec:
  options:
    # Require a hardware key for admins: webauthn with cross-platform attachment
    # limits authentication to roaming FIDO2 keys, as in the high-security
    # preference above ('hardware' is not among the listed second_factor values)
    second_factor: webauthn
    webauthn:
      authenticator_attachment: cross-platform

    # Shorter session TTL for admins
    max_session_ttl: 4h

    # Re-authenticate for sensitive operations
    mfa_verify_on:
      - create_session
      - approve_access_request
      - modify_role

MFA Enabled

With MFA configured, your organization is protected by:

  • Phishing-resistant WebAuthn authentication
  • Hardware key support for high-security roles
  • Adaptive MFA based on risk context
  • Strong-authentication controls that support SOC 2, HIPAA, and PCI DSS requirements