Knowledge Base

Is it possible to configure multi-factor authentication (MFA) to access Plesk?

Question

Is it possible to configure multi-factor authentication (MFA) to access Plesk?
Is it possible to configure two-factor authentication (2FA) to access Plesk?

Answer

The two-factor authentication (2FA or TFA) scheme in Plesk is facilitated by the Multi-Factor Authentication (MFA) extension.

Since Plesk Obsidian 18.0.61, The 2FA authentication process via the Multi-Factor Authentication (MFA) extension for Plesk can now be configured in the profile settings for users of all levels (administrators, additional administrators, resellers, customers, and subscription users) and Plesk administrators can now make multi-factor authentication mandatory for all Plesk users on a server.

The general setup steps are the following:

Log into Plesk
Install the Multi-Factor Authentication (MFA) extension
Enable 2 Factor Authentication:
a. Go to Extensions > Multi-Factor Authentication and activate the checkbox Enable Multi-factor Authentication
b. Scan the QR code with an MFA application (for example, the Google Authenticator App)
c. Enter the verification code provided by the MFA app into the Verification code section
d. Press OK
(Optional) You can enforce 2 Factor Authentication by adding the following to panel.ini

[ext-mfa]
enforce = true
allowSkipEnforce = false
;learnMoreURL = 'url to article'

Note: Default values are enforce = false and allowSkipEnforce = false
- enforce: When enforce is set to true, users will be forced to enable 2FA in login, not being able to continue with Plesk administration until complete the 2FA enable steps:
- allowSkipEnforce: When allowSkipEnforce is set to true, the enforcement can be skipped by clicking Skip for now in the Note within the Warning message:
- learnMoreUrl: This option could be included to modify the destination URL of the "Learn more about two-factor authentication" link in the warning message.
  Insert the URL into cuotes as below:
  
  learnMoreURL = 'https://example.com'
  
  Or leave it commented out for default value

Note: The mobile application uses XML-RPC API requests to communicate with the Plesk server, you can enhance security for Plesk access by disabling the XML API entirely or limiting it to specific IP addresses by using the information in the article How to restrict Plesk XML API?