Two-Factor Authentication (2FA)¶
Two-Factor Authentication setup and usage guide.
Overview¶
Faraday supports Two-Factor Authentication (2FA) using TOTP (Time-based One-Time Password, RFC 6238). When enabled, users must provide both their password and a time-based code from an authenticator app to log in.
Key Characteristics¶
| Feature | Detail |
|---|---|
| Protocol | TOTP (RFC 6238) |
| Configuration method | Web UI only (per-user) |
| Scope | Individual user accounts |
| Enforcement | Opt-in (users enable 2FA for their own accounts) |
| Compatible with | Local, LDAP, and SAML user accounts |
Supported Authenticator Apps¶
Any TOTP-compatible authenticator app works with Faraday. Tested applications include:
| App | Platform | Link |
|---|---|---|
| Google Authenticator | Android | Play Store |
| Google Authenticator | iOS | App Store |
| Authy | Android | Play Store |
| Authy | iOS | authy.com |
| OTP Authenticator | Android (Open Source) | GitHub |
| Microsoft Authenticator | Android / iOS | App stores |
| 1Password | All platforms | Built-in TOTP support |
Enabling 2FA¶
Step 1: Navigate to Account Settings¶
- Log in to the Faraday web interface.
- Click the user menu (top-right corner of the screen).
- Select Preference.
- Click the Account section on the left panel.
Step 2: Enable 2FA¶
- Toggle the 2FA switch to enable.
- Faraday displays a QR code containing your TOTP secret.
Step 3: Scan the QR Code¶
- Open your authenticator app.
- Tap Add account (or the + button).
- Select Scan QR code.
- Point your device camera at the QR code displayed by Faraday.
- The authenticator app registers the account and begins generating 6-digit codes.
Step 4: Confirm Enrollment¶
- Enter the current 6-digit code from your authenticator app into Faraday.
- Faraday verifies the code and activates 2FA for your account.
Logging In with 2FA¶
Once 2FA is enabled, the login process requires two steps:
- Enter credentials — Type your username and password as usual.
- Enter TOTP code — Faraday prompts for the 6-digit code from your authenticator app. Enter the current code to complete sign-in.
Disabling 2FA¶
- Log in to Faraday (you will need your current authenticator code).
- Navigate to the Account section in the Preference menu.
- Toggle the 2FA switch to disable.
2FA States¶
Faraday tracks 2FA enrollment using three internal states:
| State | Meaning |
|---|---|
| disabled | 2FA is not configured for this user |
| requested | 2FA enrollment initiated; QR code shown, awaiting confirmation |
| confirmed | 2FA is active; TOTP code required at login |
Data Model¶
2FA uses the following fields on the User model:
| Field | Type | Description |
|---|---|---|
| otp_secret | String(32) | Base32-encoded TOTP secret key (null when 2FA disabled) |
| state_otp | Enum | Current 2FA state: disabled, requested, or confirmed |
The TOTP secret is generated server-side using the PyOTP library and stored in the faraday_user database table.
Time Synchronization Requirement¶
Time Must Be Synchronized
TOTP codes are time-dependent. The clock on both the Faraday server and the user's device must be synchronized. A drift of more than 30 seconds can cause codes to be rejected.
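To make the two points above concrete (the three enrollment states stored in otp_secret / state_otp, and why a clock drift beyond one 30-second step gets codes rejected), here is an added, standard-library-only example. It is not Faraday's code and does not use PyOTP: it implements TOTP as RFC 6238 specifies it (HMAC-SHA1, 30-second step, 6 digits, a verification window of one adjacent step), models the disabled/requested/confirmed transitions in a hypothetical User class, and includes a helper that answers "would the code the device shows be accepted by the server at its own time?". The window size, the User class and the assumption that an unconfirmed ("requested") enrollment does not yet gate login are this example's choices, not documented Faraday behaviour.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30          # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6         # code length shown by the authenticator app
DRIFT_WINDOW = 1   # also accept the previous/next step, i.e. roughly +-30 s of drift

# Secret from RFC 6238 Appendix B (ASCII "12345678901234567890"), Base32-encoded.
RFC6238_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")


def generate_secret() -> str:
    """20 random bytes -> 32 unpadded Base32 chars, the shape of otp_secret (String(32))."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int) -> str:
    """TOTP (RFC 6238): HOTP over the number of 30-second steps since the Unix epoch."""
    return hotp(secret_b32, at // STEP)


def verify_totp(secret_b32: str, code: str, at: int, window: int = DRIFT_WINDOW) -> bool:
    """Constant-time compare against the current step and the +-window neighbouring steps."""
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-window, window + 1)
    )


def accepted_under_drift(secret_b32: str, device_time: int, server_time: int) -> bool:
    """Would the code the device shows at device_time be accepted by a server whose clock says server_time?"""
    return verify_totp(secret_b32, totp(secret_b32, device_time), server_time)


class User:
    """Hypothetical model of the otp_secret / state_otp columns of faraday_user (not Faraday's own model)."""

    def __init__(self, username: str):
        self.username = username
        self.otp_secret: Optional[str] = None
        self.state_otp = "disabled"

    def request_2fa(self) -> str:
        """Step 2: toggling the switch creates a secret and moves to 'requested'; the UI renders it as a QR code."""
        if self.state_otp == "confirmed":
            raise RuntimeError("2FA is already active; disable it first")
        self.otp_secret = generate_secret()
        self.state_otp = "requested"
        return self.otp_secret

    def confirm_2fa(self, code: str, at: Optional[int] = None) -> bool:
        """Step 4: a valid code proves the app holds the right secret; only then does 2FA become enforced."""
        now = int(time.time()) if at is None else at
        if self.state_otp != "requested" or not verify_totp(self.otp_secret, code, now):
            return False
        self.state_otp = "confirmed"
        return True

    def login(self, password_ok: bool, code: Optional[str], at: Optional[int] = None) -> bool:
        """Password first; the TOTP code is demanded only in the 'confirmed' state.
        Assumption of this example: a 'requested' (unconfirmed) enrollment does not yet gate login."""
        now = int(time.time()) if at is None else at
        if not password_ok:
            return False
        if self.state_otp != "confirmed":
            return True
        return code is not None and verify_totp(self.otp_secret, code, now)

    def admin_reset(self) -> None:
        """Same effect as the admin UPDATE in the troubleshooting section: back to 'disabled', secret cleared."""
        self.otp_secret = None
        self.state_otp = "disabled"


if __name__ == "__main__":
    u = User("alice")
    secret = u.request_2fa()
    now = int(time.time())
    print("enrolled:", u.confirm_2fa(totp(secret, now), now), u.state_otp)
    print("device 20 s ahead, accepted:", accepted_under_drift(secret, now + 20, now))
    print("device 90 s ahead, accepted:", accepted_under_drift(secret, now + 90, now))
```

The drift helper shows the practical boundary: a device 20 seconds ahead lands in the same or the next step and is accepted, while 90 seconds ahead lands three steps away and is always rejected. Drifts between 30 and 60 seconds are rejected only some of the time, depending on where in the step the clocks fall, which is why this kind of failure looks intermittent until NTP is fixed.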
Verifying Time Synchronization¶
On the Faraday server:
```bash
# Check current time and NTP sync status
timedatectl status
```
If NTP is not active:
```bash
# Enable NTP synchronization
sudo timedatectl set-ntp true
```
On mobile devices:
- Android: Settings > System > Date & Time > enable "Use network-provided time"
- iOS: Settings > General > Date & Time > enable "Set Automatically"
Troubleshooting¶
TOTP codes are always rejected¶
| Possible Cause | Solution |
|---|---|
| Time drift between server and device | Synchronize both clocks via NTP (see above) |
| Wrong account in authenticator | Remove and re-scan the QR code |
| Code expired | Wait for the next 30-second cycle and try the fresh code |
Locked out of account (lost authenticator)¶
If a user loses access to their authenticator device, an administrator can reset their 2FA via direct database access:
```sql
-- Run on the Faraday PostgreSQL database
UPDATE faraday_user
SET state_otp = 'disabled', otp_secret = NULL
WHERE username = 'locked_out_user';
```
After resetting, the user can log in with password only and re-enable 2FA.
Admin-Only Recovery
There is no self-service 2FA recovery mechanism in Faraday. Only database administrators can reset a user's 2FA. Users should back up their TOTP secret or use an authenticator app with cloud backup (e.g., Authy).
2FA enrollment shows "requested" but never completes¶
The user started enrollment but did not confirm with a valid code:
- The user should navigate back to Preference > Account > Two Factor Authentication.
- Re-scan the QR code and enter a valid TOTP code to complete enrollment.
- If the QR code is no longer displayed, an admin can reset the state (see above) and the user can restart enrollment.
Security Recommendations¶
- Encourage all users to enable 2FA — Especially administrators and pentester-role users with access to sensitive vulnerability data.
- Use an authenticator with backup — Apps like Authy support cloud backup of TOTP secrets, reducing the risk of lockout.
- Keep server time synchronized — Ensure NTP is enabled on the Faraday server to prevent authentication failures.
- Document the recovery process — Ensure your team knows how to reset 2FA for locked-out users via the database.