Enforcing 2FA

Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), adds an extra layer of security to user accounts by requiring a second form of verification beyond just a password. This significantly reduces the risk of unauthorized access even if passwords are compromised.

  1. Log in to PentestPad with an administrator account
  2. Navigate to the sidebar menu
  3. Click on Administration
  4. Select the General tab
  5. Locate the Enforce users to set up multi factor authentication setting

To require 2FA for users:

  1. Navigate to Administration > General tab
  2. Toggle Enforce users to set up multi factor authentication to enabled
  3. Click Save Settings

  • Setting disabled: Users can log in normally without 2FA
  • Setting enabled: System forces users to set up 2FA before proceeding

When 2FA is required or enabled by choice, users follow these steps:

  1. Log in with username and password
  2. System displays prompt: “Two-Factor Authentication Required”
  3. User sees QR code and setup instructions
  4. User opens authenticator app on their mobile device
  5. User scans QR code with authenticator app
  6. App generates a 6-digit verification code
  7. User enters verification code in PentestPad
  8. System displays backup codes (10 one-time codes)
  9. User saves backup codes in secure location
  10. Setup complete - 2FA is now active

If users cannot scan the QR code:

  1. Click “Can’t scan the QR code?”
  2. System displays secret key (e.g., JBSWY3DPEHPK3PXP)
  3. User manually enters this key in authenticator app
  4. Complete verification as normal

PentestPad supports TOTP (Time-based One-Time Password) compatible applications:

Google Authenticator

  • Platforms: iOS, Android
  • Features: Simple, reliable, free
  • Best for: Basic 2FA needs

Microsoft Authenticator

  • Platforms: iOS, Android
  • Features: Backup, multi-device sync, passwordless login
  • Best for: Microsoft ecosystem users

Authy

  • Platforms: iOS, Android, Desktop, Chrome
  • Features: Cloud backup, multi-device sync, encrypted backups
  • Best for: Users who want desktop access

1Password

  • Platforms: Cross-platform
  • Features: Integrated password + TOTP management, secure sharing
  • Best for: Teams using password managers

LastPass Authenticator

  • Platforms: iOS, Android
  • Features: One-tap verification, backup
  • Best for: LastPass users

PentestPad uses the standard TOTP protocol (RFC 6238), so any compatible authenticator application will work.

Backup codes are one-time use recovery codes generated during 2FA setup:

Characteristics:

  • Typically 10 codes provided at setup
  • Each code can only be used once
  • 8-10 characters long
  • Can be used instead of authenticator app
  • Remain valid until used or regenerated

Use backup codes when:

  • Lost or broken phone with authenticator app
  • Authenticator app not working or corrupted
  • Device not available (traveling, etc.)
  • Need emergency access to account
  • Switching to a new phone

To log in with a backup code:

  1. Navigate to PentestPad login page
  2. Enter username and password
  3. When prompted for 2FA code, click “Use backup code”
  4. Enter one of your saved backup codes
  5. Log in successfully
  6. Immediately reconfigure 2FA in account settings
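The backup-code characteristics listed above (ten codes issued at setup, each usable once, valid until used or regenerated) map onto a simple store-and-consume design. The following is an added Python example, not PentestPad's own implementation; the alphabet, the 10-character length, the SHA-256 hashing of stored codes and the in-memory store are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: drop 0/O, 1/l/I so codes survive being written down by hand.
ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKMNPQRSTUVWXYZ23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list[str]:
    """Issue `count` codes of `length` characters from a CSPRNG (secrets module)."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]


def _digest(code: str) -> str:
    # Only whitespace is stripped; the code itself is compared case-sensitively.
    return hashlib.sha256(code.strip().encode()).hexdigest()


class BackupCodeStore:
    """Keeps only hashes of unused codes; a code disappears on first successful use."""

    def __init__(self, codes: list[str]):
        self._unused = {_digest(c) for c in codes}

    def remaining(self) -> int:
        return len(self._unused)

    def regenerate(self, count: int = 10, length: int = 10) -> list[str]:
        """Invalidate every old code and return a fresh set (shown once to the user)."""
        fresh = generate_backup_codes(count, length)
        self._unused = {_digest(c) for c in fresh}
        return fresh

    def redeem(self, code: str) -> bool:
        """Return True and consume the code if it is unused; False otherwise."""
        presented = _digest(code)
        match = None
        # Compare against every stored hash so timing does not reveal which entry matched.
        for stored in self._unused:
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return False
        self._unused.discard(match)  # one-time use: the same code is rejected next time
        return True


if __name__ == "__main__":
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("save these now:", codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

Storing hashes rather than the codes themselves means a copy of the database does not hand an attacker a working second factor; the plaintext is shown to the user exactly once, at setup or regeneration.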

Users can reset their own 2FA using backup codes (see Backup Codes section above).

Problem: Cannot scan the QR code

Solutions:

  1. Use the manual entry option (“Can’t scan the QR code?”) to display the secret key
  2. Check camera permissions on mobile device
  3. Try different authenticator app
  4. Ensure good lighting when scanning
  5. Move phone closer/farther from screen

Problem: Codes not working even though entered correctly

Solution:

  1. Verify device time is accurate (not off by minutes)
  2. Enable automatic time sync on device:
    • iOS: Settings > General > Date & Time > Set Automatically
    • Android: Settings > System > Date & time > Automatic
  3. Check timezone is correct
  4. Try waiting for next code cycle (codes refresh every 30 seconds)
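To make concrete what the authenticator app computes from the secret key (the RFC 6238 TOTP mentioned above) and why a device clock that is off by minutes produces codes the server rejects, here is an added Python example. It is not PentestPad's code and does not describe its server-side behaviour: the ±1-step tolerance in verify_totp and the otpauth URI fields are assumptions about a typical deployment. The expected values come from the RFC 4226 / RFC 6238 test vectors, and the secret JBSWY3DPEHPK3PXP is the example key shown on this page.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), in base32 as an app would accept it.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key as displayed (e.g. JBSWY3DPEHPK3PXP), tolerating spaces, lower case and no padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret_b32: str, timestamp: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period); codes change every `period` seconds."""
    return hotp(decode_secret(secret_b32), timestamp // period, digits)


def verify_totp(secret_b32: str, code: str, now: int, period: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Assumed server check: accept the current step plus `skew` steps either side, nothing further."""
    key = decode_secret(secret_b32)
    step = now // period
    accepted = False
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(key, step + delta, digits), code):
            accepted = True
    return accepted


def drifted_device_accepted(secret_b32: str, server_now: int, device_offset_seconds: int) -> bool:
    """Would a code from a phone whose clock is off by `device_offset_seconds` be accepted right now?"""
    code_from_phone = totp(secret_b32, server_now + device_offset_seconds)
    return verify_totp(secret_b32, code_from_phone, server_now)


def provisioning_uri(secret_b32: str, account: str, issuer: str = "PentestPad",
                     period: int = 30, digits: int = 6) -> str:
    """The otpauth:// Key URI format that TOTP QR codes carry (assumed parameters for this product)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&digits={digits}&period={period}")


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the page's example key:", totp("JBSWY3DPEHPK3PXP", now))
    print("seconds until it rotates:", 30 - now % 30)
    print("phone 20 s off accepted:", drifted_device_accepted("JBSWY3DPEHPK3PXP", now, 20))
    print("phone 5 min off accepted:", drifted_device_accepted("JBSWY3DPEHPK3PXP", now, 300))
```

A clock error of a few seconds usually lands in the same or an adjacent 30-second step and passes; an error of minutes lands ten or more steps away and every code the phone shows is rejected, which is why the fix is to resynchronise the device clock rather than to retype the code.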

Troubleshooting steps:

  1. Verify correct time on device
  2. Check for typos - codes are case-sensitive
  3. Ensure using code from correct account in authenticator
  4. Wait for code to refresh (they expire quickly)
  5. Check if Caps Lock is on
  6. Try backup codes if codes consistently fail