Introduction to Two-Factor Authentication

    Rocket.Chat offers various methods for two-factor authentication in a workspace. Refer to the Two-Factor Authentication guide for more details.

    To enable email two-factor authentication (2FA), ensure that SMTP is configured in your workspace. If you don't have the necessary permissions, contact your workspace administrator.

    When calling an endpoint that requires two-factor authentication, add the following headers to the request (HTTP header names are case-insensitive):

    • x-2fa-code: (string) The 2FA code for the chosen method.

    • x-2fa-method: (string) The method the server should use to check the code: email, totp, or password. Take it from the method field of the 2FA error described below.

    If you send a request to such an endpoint without the 2FA headers, the response is an error of type totp-required. It carries a details object that specifies the 2FA method the user must satisfy, which lets your client tell the user how to obtain the code (for example, that one has been emailed to them).

    The parameters of the details object are as follows:

    • method: The 2FA method required for this request, according to the user's settings in the workspace.

    • codeGenerated: Email only. true when a new code was generated and sent for this request; false when codes sent earlier are still valid and should be used instead.

    • codeCount: (optional) Email only. The number of codes sent earlier that are still valid.

    • codeExpires: (optional) Email only. The expiration times of those codes.

    • availableMethods: The list of available 2FA methods for the user's account.

    The following example shows a 2FA error:

    {
      "success": false,
      "error": "TOTP Required [totp-required]",
      "errorType": "totp-required",
      "details": {
        "method": "email",
        "codeGenerated": false,
        "codeCount": 1,
        "codeExpires": [
          "2020-01-02T13:06:42.408Z"
        ],
        "availableMethods": [
          "email"
        ]
      }
    }

    If the 2FA code is wrong, a totp-invalid response is returned:

    {
      "success": false,
      "error": "TOTP Invalid [totp-invalid]",
      "errorType": "totp-invalid",
      "details": {
        "method": "email"
      }
    }

    Handling 2FA method errors

    When a request fails with totp-required (or totp-invalid), read the method field of the error, obtain a code of that kind, and retry the same request with the code in x-2fa-code and the method name in x-2fa-method. Treat the code as a secret: send it only in that header and keep it out of logs.

    • If the method is password, add the user's hashed password as the x-2fa-code header.

    • If it is email, add the 2FA code sent via email as the x-2fa-code header. When codeGenerated is false, no new email was sent; the user should use a code they already received, and codeExpires shows how long those codes remain valid.

    • If it is totp, add the current code from the user's authenticator app as the x-2fa-code header.
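
    The retry loop the three cases above describe, as an added example that is not Rocket.Chat's own code. It parses the totp-required / totp-invalid responses shown earlier, asks the caller for a code of the required method, and resends the request with the x-2fa-code and x-2fa-method headers. The endpoint path, the sample codes, the fake_rocketchat stand-in server and the http_send transport (which uses Rocket.Chat's X-Auth-Token / X-User-Id login headers) are assumptions made for the example; so is password_digest, which takes "hashed password" to mean the SHA-256 hex digest the login endpoint accepts.

```python
"""Retry a Rocket.Chat REST call after a 2FA error (added example, not Rocket.Chat code).

The fake server, endpoint path, codes and the http_send transport are constructed for
illustration; only the header names and error shapes come from the article.
"""
import hashlib
import hmac
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

CODE_HEADER = "x-2fa-code"
METHOD_HEADER = "x-2fa-method"
TWO_FA_ERRORS = ("totp-required", "totp-invalid")

# Transport signature: send(path, payload, headers) -> (status, body_dict)
Send = Callable[[str, dict, Dict[str, str]], Tuple[int, dict]]


class TwoFactorError(Exception):
    """Raised when the server keeps rejecting the 2FA code."""


def parse_2fa_error(body: dict) -> Optional[dict]:
    """Return errorType plus the details object of a 2FA error, or None for any other response."""
    if body.get("success") is False and body.get("errorType") in TWO_FA_ERRORS:
        return {"errorType": body["errorType"], **body.get("details", {})}
    return None


def password_digest(password: str) -> str:
    """Code to send for method 'password'. Assumption: the hashed form Rocket.Chat expects is
    the SHA-256 hex digest of the clear-text password (the digest its login endpoint accepts)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def call_with_2fa(send: Send, path: str, payload: dict,
                  code_for_method: Callable[[dict], str], max_attempts: int = 3) -> Tuple[int, dict]:
    """Send the request; on a 2FA error, ask code_for_method(details) for a code and retry.

    details['method'] names the method the server wants (email, totp or password) and is
    echoed back in x-2fa-method. For email, details['codeGenerated'] tells the caller whether
    a fresh code was just mailed (True) or earlier, still-valid codes should be used (False).
    """
    headers: Dict[str, str] = {}
    for _ in range(max_attempts):
        status, body = send(path, payload, headers)
        details = parse_2fa_error(body)
        if details is None:
            return status, body  # success, or an unrelated error the caller handles
        # The code is a secret: keep it out of logs and send it only in this header.
        headers = {CODE_HEADER: code_for_method(details), METHOD_HEADER: details["method"]}
    raise TwoFactorError("2FA not satisfied after %d attempts" % max_attempts)


def http_send(base_url: str, auth_token: str, user_id: str) -> Send:
    """Real transport over urllib (not exercised offline): POSTs JSON with the login headers
    X-Auth-Token / X-User-Id plus whatever 2FA headers call_with_2fa supplies."""
    def send(path, payload, headers):
        req = urllib.request.Request(
            base_url.rstrip("/") + path, data=json.dumps(payload).encode(), method="POST",
            headers={"Content-Type": "application/json", "X-Auth-Token": auth_token,
                     "X-User-Id": user_id, **headers})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:  # 2FA errors arrive with a 4xx status
            return err.code, json.load(err)
    return send


def fake_rocketchat(method: str = "email", valid_code: str = "123456") -> Send:
    """Constructed stand-in for a 2FA-protected endpoint, replying with the article's error shapes."""
    def send(path, payload, headers):
        if CODE_HEADER not in headers:
            return 400, {"success": False, "error": "TOTP Required [totp-required]",
                         "errorType": "totp-required",
                         "details": {"method": method, "codeGenerated": True, "codeCount": 1,
                                     "codeExpires": ["2020-01-02T13:06:42.408Z"],
                                     "availableMethods": [method]}}
        if headers.get(METHOD_HEADER) != method or not hmac.compare_digest(headers[CODE_HEADER], valid_code):
            return 400, {"success": False, "error": "TOTP Invalid [totp-invalid]",
                         "errorType": "totp-invalid", "details": {"method": method}}
        return 200, {"success": True, "path": path}
    return send


def demo() -> Tuple[int, dict]:
    """Walk through required -> invalid (mistyped code) -> success against the fake server."""
    prompts = iter(["000000", "123456"])  # first answer is a mistyped email code
    send = fake_rocketchat("email", "123456")
    return call_with_2fa(send, "/api/v1/users.update", {"userId": "u1"}, lambda d: next(prompts))


if __name__ == "__main__":
    print(demo())
```

    Against a real workspace, replace fake_rocketchat with http_send(base_url, auth_token, user_id) and have code_for_method prompt the user (or return password_digest(password) when details["method"] is "password"); the loop and the headers stay the same.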

