About two-factor authentication
To enable two-factor authentication for yourself, you must have permission to access Setup → My Info. To enable two-factor authentication for your organization, you must be an Administrator.
Two-factor authentication (2FA) is a security process in which a second level of authentication is added to the account login credentials. Both factors of authentication must be used and must be correct in order to establish the person's identity beyond doubt. The two factors may include:
- Something that the user possesses, such as a token, a card, a key, etc.
- Something that the user knows, such as a username, password, PIN, etc.
- Something that is inseparable from the user, such as a fingerprint, iris, voice, etc.
In Datto RMM, 2FA requires login credentials (username and password) and a one-time password (OTP) issued by an OTP token application.
- To enable two-factor authentication for yourself, you must have at least View permission for the Setup → My Info tab.
- A 2FA-token-generating application such as Google Authenticator (Android & iOS), Authy (Android & iOS), or HDE OTP (iOS) must be installed on your smartphone or tablet.
- You should have a valid phone number set up that can receive SMS messages. Refer to Edit your user details. The phone number will be used for recovery purposes or when disabling 2FA on a single user account when logging in.
Ensure that you use the correct +XX country code format.
For example, a UK phone number entered as +447407123456 uses the correct format and will receive codes. The same number entered as 00447407123456 uses an incorrect format and will not receive codes.
We strongly recommend that you assign Administrator access to more than one user in the Datto RMM account. This is to ensure recovery, should there be an issue authenticating during the initial configuration or if the authenticating device encounters a problem or is lost.
Permission to access Setup → My Info
- Click Setup.
- Click the My Info tab.
- Scroll down to the Security Settings section and click Enable Two-Factor Authentication.
- The Enable Two-Factor Authentication window will open. Scan the QR code with your 2FA-token-generating application.
In case you do not have access to an authenticator, you can also have the token emailed to you by checking the check box at the bottom of the Enable Two-Factor Authentication window. Note that this setting is remembered and will be applied each time you attempt to log in to Datto RMM.
- Enter the token generated by your app or received via email into the box in the Enable Two-Factor Authentication window in the Web Portal.
- Click Save or hit Enter to save the token.
- You will receive a message confirming that the TOTP (Time-Based One-Time Password) token has been saved successfully.
- Click OK.
- To confirm if 2FA has been set up correctly, log out of the Web Portal and log back in. Once you have typed in your credentials, you will see a page asking for the one-time password (OTP) token that your app will generate or that you will receive via email if you set it up that way. Type in the token and click Log In.
Permission to access Setup → My Info
You can disable two-factor authentication for yourself in two ways: either when already logged in or while logging in to the Web Portal. The two methods are outlined below.
You are already logged in to the Web Portal:
Alternatively, navigate to Users → click on your username and click the Disable hyperlink next to Two-Factor Authentication.
- A message will appear confirming that the TOTP token has been disabled.
- In the case where an Administrator had requested two-factor authentication for all users in Account Settings, the option to disable two-factor authentication for individual users will not be available.
In order to progress, an Administrator must either switch off 2FA for the whole account first by following the steps outlined in Disable 2FA for all users, or reset 2FA status for one or more users by following the steps outlined in Reset 2FA for one or more users.
You are about to log in to the Web Portal:
You have the option to disable 2FA when logging in to the Web Portal. This requires that a valid phone number, which is able to receive SMS messages, is set up for your user account as outlined in the Requirements section.
- Open the Datto RMM login page.
- Enter your username and password.
- Click on Log In.
- Click on Disable Two-Factor One-Time Password.
- If you have a phone number on file, a disable code will be sent to that number. Once you have received the code, enter it on the Web Portal and click Disable Two-Factor Authentication.
If you did not set up a phone number in your user account previously, you will not be able to receive the disable code. Contact a user with Administrator access for further assistance.
- Access to the account will be granted once a valid disable code has been entered.
The disable code is only valid for 10 minutes and another code will not be sent within that time frame.
- In the case where an Administrator had requested two-factor authentication for all users in Account Settings, you will still be able to log in after disabling 2FA from the login page, but you will not be able to progress until you enable 2FA again per the Administrator's account requirements.
To be able to turn on two-factor authentication for all users, an Administrator needs to enable it for themselves first. Refer to Enable 2FA for yourself.
Two-factor authentication can be enforced as a mandatory requirement for all users in the account. To enable this, you will need to have Administrator access in Datto RMM.
- Navigate to Setup → Account Settings.
- Scroll down to the Access Control section and switch on the Require Two-Factor Authentication option.
- Once this has been enabled, all users will be forced to enable 2FA for their respective logins. Refer to Enable 2FA for yourself.
The user must have already enabled 2FA for their account.
You can reset 2FA for a user's account. The user will be required to reconfigure 2FA the next time they log in. This is done in one of two ways:
For one specific user, within the User Details page:
- Navigate to Setup → Users.
- Click the username for the specific user.
- Click the Disable link next to Two-Factor Authentication within the page.
- Observe the message stating that 2FA has been disabled (reset) for the user.
For one or more users, within the Users page: