Two-Factor Authentication
    Enhance your account security with Rocket.Chat's two-factor authentication (2FA). This robust feature requires you to provide both your password and a unique code, ensuring that only you can access your account.

    Sources for two-factor code

    Users have a variety of sources for generating the two-factor code:

    1. Authenticator app: Users can configure apps like Google Authenticator or Authy to generate the 2FA code.

    2. Email: Users with verified emails can receive the 2FA code via email.

    3. Password: Although not a two-factor method in itself, the password serves as a fallback for cases where the user has no other 2FA option configured. However, the password fallback is disabled for the login process, since it would otherwise require the password twice from a user who has no other 2FA method configured.

    API calls and two-factor authentication

    Any Realtime API or REST call may require 2FA. It is therefore recommended that you wrap your calls in a helper that catches the 2FA error and repeats the request with the required information.

    For more detailed information on how 2FA works with the Realtime API and REST API, you can visit the respective pages on the Rocket.Chat developer documentation.

    Trusted clients

    By default, after a 2FA validation, the client (identified by a hash of the user-agent and IP address) is trusted for 5 minutes. This duration can be adjusted in the workspace administration settings. Some methods override this feature and require 2FA for every API request to that method or endpoint; for example, the methods for disabling 2FA by email and for logging in always require 2FA. The error code totp-required is used for compatibility purposes, but this does not mean the error relates only to TOTP. For that reason, the error carries additional details that identify the required action.
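    The retry wrapper recommended under "API calls and two-factor authentication", handling the totp-required error described here, as an added example that is not Rocket.Chat's own code. It assumes (from the REST API docs, not from this page) that the challenge response carries errorType "totp-required" with a details.method field and that the code is resent in the x-2fa-code and x-2fa-method headers; the transport used below is a constructed fake server.

```javascript
// Added example, not Rocket.Chat's own code. Header names and the
// details.method field are assumptions taken from the REST API docs.

class TwoFactorRequired extends Error {}

// Returns the challenge details if the response is a 2FA challenge, else null.
// The code is "totp-required" regardless of which method is actually required,
// so the method must be read from the details, not inferred from the code.
function parseTwoFactorChallenge(body) {
  if (!body || body.errorType !== 'totp-required') return null;
  const details = body.details || {};
  return { method: details.method || 'totp', codeGenerated: Boolean(details.codeGenerated) };
}

// transport(request) -> Promise<{status, body}>; getCode(challenge) -> Promise<string>.
// Retries exactly once so a rejected code surfaces as an error instead of a loop.
async function callWith2FA(transport, request, getCode) {
  const first = await transport(request);
  const challenge = parseTwoFactorChallenge(first.body);
  if (!challenge) return first;
  const code = await getCode(challenge);
  const retried = await transport({
    ...request,
    headers: { ...(request.headers || {}), 'x-2fa-code': code, 'x-2fa-method': challenge.method },
  });
  if (parseTwoFactorChallenge(retried.body)) {
    throw new TwoFactorRequired(`2FA (${challenge.method}) code rejected`);
  }
  return retried;
}

// Constructed fake server: challenges every call until an email code of 123456 is presented.
async function fakeTransport(request) {
  const h = request.headers || {};
  if (h['x-2fa-method'] === 'email' && h['x-2fa-code'] === '123456') {
    return { status: 200, body: { success: true, message: { msg: 'hello' } } };
  }
  return {
    status: 400,
    body: { success: false, error: 'TOTP Required', errorType: 'totp-required',
            details: { method: 'email', codeGenerated: true } },
  };
}

// Constructed request; the path is illustrative only.
const postMessage = { method: 'POST', path: '/api/v1/chat.postMessage', headers: {} };
```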

    Personal Access Tokens

    Personal Access Tokens serve a vital function in Rocket.Chat's 2FA system. Users can generate these tokens, which do not expire and bypass the 2FA requirement. This is especially useful for users who need to maintain long-term integrations or automated processes with a Rocket.Chat account. However, keeping these tokens secret is crucial, because a compromised token grants unrestricted access to the user's account with no second factor in the way.

    In summary, Rocket.Chat's 2FA feature and Personal Access Tokens strike a balance between security and convenience. They provide robust protection for user accounts while enabling seamless integrations and interactions with other applications and services.
