Configuring the PEM server to use two-factor authentication v10

PEM supports two methods for 2FA:

  • Email authentication
  • Authenticator app (such as Google Authenticator)

To enable 2FA, you can copy these settings from the config.py file to the config_local.py file and modify the following parameters.

| Parameter | Description |
| --- | --- |
| MFA_ENABLED | Set to true to enable two-factor authentication. Default value is false. |
| MFA_FORCE_REGISTRATION | Set to true to force users to register for a two-factor authentication method at login. Default value is false. |
| MFA_SUPPORTED_METHODS | Set to email to use the email authentication method (send a one-time code by email) or authenticator to use the TOTP-based application authentication method. |
| MFA_EMAIL_SUBJECT | Set to the subject of the email for email authentication. Default value is <APP_NAME> - Verification Code. |

Mail server configuration

To use the email authentication method, you need to configure mail server settings.

The PEM server can send the email using either the SMTP configuration saved in the PEM configuration or Flask-Mail.

To send the email verification code using the internal SMTP configuration from the PEM configuration, set the parameter MAIL_USE_PEM_INTERNAL to True. If it's set to False, the following mail configuration is used to send the code to the user-specified email address:

  • MAIL_SERVER = 'localhost'
  • MAIL_PORT = 25
  • MAIL_USE_TLS = False
  • MAIL_USE_SSL = False
  • MAIL_USERNAME = None
  • MAIL_PASSWORD = None
  • MAIL_DEFAULT_SENDER = None

For more details about these configurations, see the Flask-Mail documentation.

Note

PEM SMTP alerts don't use this configuration.
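
The following is an added example, not code from PEM or its documentation: a small checker that reads the 2FA and mail parameters described above from the text of a config_local.py and reports settings that leave 2FA off, optional, or sending one-time codes to a remote mail server without TLS/SSL. The function names are hypothetical. It assumes Python boolean values, that MFA_SUPPORTED_METHODS is a string or a list, and that MAIL_USE_PEM_INTERNAL counts as False when absent.

```python
"""Added example: audit 2FA settings from a PEM config_local.py (not EDB code)."""
import ast

# Defaults as listed on this page; used when config_local.py omits a setting.
DEFAULTS = {
    "MFA_ENABLED": False, "MFA_FORCE_REGISTRATION": False,
    "MAIL_SERVER": "localhost", "MAIL_PORT": 25,
    "MAIL_USE_TLS": False, "MAIL_USE_SSL": False,
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def load_settings(source):
    """Read simple NAME = literal assignments without executing the file."""
    settings = dict(DEFAULTS)
    for node in ast.parse(source).body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except ValueError:
                pass  # non-literal value (expression, env lookup): skip it
    return settings

def audit(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    if not settings["MFA_ENABLED"]:
        return ["MFA_ENABLED is False: two-factor authentication is off"]
    findings = []
    if not settings["MFA_FORCE_REGISTRATION"]:
        findings.append("MFA_FORCE_REGISTRATION is False: registration is optional")
    methods = settings.get("MFA_SUPPORTED_METHODS", [])
    if isinstance(methods, str):  # assumption: accept a string or a list
        methods = [methods]
    # Assumption: MAIL_USE_PEM_INTERNAL is treated as False when not set.
    if "email" in methods and not settings.get("MAIL_USE_PEM_INTERNAL", False):
        encrypted = settings["MAIL_USE_TLS"] or settings["MAIL_USE_SSL"]
        if not encrypted and settings["MAIL_SERVER"] not in LOOPBACK:
            findings.append("one-time codes go to a remote MAIL_SERVER without TLS/SSL")
    return findings

# Constructed sample input, not a real deployment.
SAMPLE = '''
MFA_ENABLED = True
MFA_SUPPORTED_METHODS = ["email", "authenticator"]
MAIL_USE_PEM_INTERNAL = False
MAIL_SERVER = 'smtp.example.com'
MAIL_PORT = 25
'''
if __name__ == "__main__":
    for finding in audit(load_settings(SAMPLE)):
        print(finding)
```

The checker parses the file with ast instead of importing it, so auditing a configuration never executes it.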