Two-Factor Authentication (2FA) in OneFirewall

Overview

OneFirewall supports Two-Factor Authentication (2FA) across both on-premises and cloud deployments.
2FA adds a second layer of security to user authentication by requiring a verification factor in addition to the password.
This feature is available for:
  • OneFirewall Cloud instances
  • OneFirewall On-Prem installations
  • Personal user accounts

Why 2FA Matters

Passwords alone are no longer sufficient to protect access to critical security infrastructure.
They can be:
  • Phished
  • Reused across services
  • Leaked via third-party breaches
  • Brute-forced or guessed
2FA significantly reduces the risk of unauthorized access, even if credentials are compromised.

Security Value

By enabling 2FA, OneFirewall ensures:
  • Protection against credential theft
    Access requires something the user knows (password) and something the user has (second factor).
  • Reduced blast radius
    Compromised passwords alone cannot be used to access the platform.
  • Stronger access control
    Especially critical for administrative, SOC, and security engineering roles.
  • Alignment with security best practices
    2FA is a baseline requirement in most security frameworks and compliance standards.

Operational Benefits

Enabling 2FA provides tangible operational advantages:
  • Improved account security for administrators and users
  • Lower incident response overhead caused by account compromise
  • Higher trust in audit trails and user activity logs
  • Consistent security posture across cloud and on-prem environments

Supported Environments

2FA is supported consistently across:
  • ✅ OneFirewall Cloud
  • ✅ OneFirewall On-Prem
  • ✅ Hybrid deployments
This ensures the same level of protection regardless of where OneFirewall is deployed.

Service Accounts and OTP

Service Accounts are designed for automation, integrations, and non-interactive access.
  • Service Accounts can authenticate to the platform without OTP
  • OTP challenges are not required for Service Accounts
  • This ensures:
    • Reliable automation
    • Non-interactive API and system access
    • No disruption to integrations or CI/CD pipelines
⚠️ Service Accounts should be tightly scoped and protected using strong credentials and network controls.

OTP Lockout Policy

To protect against brute-force and credential-stuffing attacks, OneFirewall enforces an OTP lockout policy:
  • After 10 consecutive unsuccessful OTP attempts, the account is automatically locked
  • While locked:
    • Login is denied, even with correct credentials
  • An administrator must manually reset the OTP status via the OneFirewall portal to restore access
This mechanism prevents repeated OTP abuse and ensures administrative oversight in recovery scenarios.
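The two rules above (Service Accounts skip the OTP challenge; personal accounts are locked after 10 consecutive failed OTP attempts until an administrator resets them) as an added illustrative model, not OneFirewall's own code. It assumes the OTP is an RFC 6238 TOTP, that only consecutive OTP failures count toward the lockout, and that a successful OTP resets the counter; `Account`, `login` and `admin_reset_otp` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_OTP_FAILURES = 10  # from the page: lock after 10 consecutive unsuccessful OTP attempts

def totp(secret: bytes, now: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; assumed here as the OTP second factor."""
    counter = (now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

@dataclass
class Account:
    name: str
    password: str  # constructed sample; a real system stores only a password hash
    otp_secret: Optional[bytes] = None  # None: no OTP enrolled (Service Accounts)
    is_service_account: bool = False
    otp_failures: int = 0  # consecutive failed OTP attempts; reset on success
    locked: bool = False

def login(acct: Account, password: str, otp: Optional[str], now: int) -> str:
    """Return 'ok', 'bad-password', 'otp-required', 'bad-otp' or 'locked'."""
    if acct.locked:
        return "locked"  # denied even with correct credentials until admin reset
    if not hmac.compare_digest(password, acct.password):
        return "bad-password"  # wrong password does not count toward the OTP lockout
    if acct.is_service_account:
        return "ok"  # Service Accounts authenticate without an OTP challenge
    if otp is None:
        return "otp-required"
    if acct.otp_secret is None or not hmac.compare_digest(otp, totp(acct.otp_secret, now)):
        acct.otp_failures += 1
        if acct.otp_failures >= MAX_OTP_FAILURES:
            acct.locked = True
            return "locked"
        return "bad-otp"
    acct.otp_failures = 0  # a valid OTP clears the consecutive-failure counter
    return "ok"

def admin_reset_otp(acct: Account) -> None:
    """Administrator action (the portal in OneFirewall): clear the lock and counter."""
    acct.locked = False
    acct.otp_failures = 0
```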

Recommendation: Enable 2FA on Personal Accounts

While 2FA can be enforced at the organizational level, OneFirewall strongly recommends enabling 2FA on all personal accounts, especially for:
  • Administrators
  • Security teams
  • Users with access to logs, rules, or policy configuration
  • Users with API or integration permissions
Enabling 2FA on personal accounts:
  • Protects individual credentials
  • Prevents lateral movement within the platform
  • Reduces overall organizational risk

Summary

  • OneFirewall supports 2FA on both cloud and on-prem instances
  • Service Accounts can access the platform without OTP
  • OTP is locked after 10 failed attempts and requires admin reset
  • 2FA significantly improves protection against unauthorized access
  • Enabling 2FA on personal accounts is highly recommended
Security starts with access. Enabling 2FA is one of the simplest and most effective steps you can take to protect your OneFirewall environment.