# Release: v2026-01-16 

# Two-Factor Authentication (2FA) in OneFirewall

## Overview

OneFirewall supports **Two-Factor Authentication (2FA)** across both **on-premises** and **cloud** deployments.\
2FA adds a layer of security to user authentication by requiring a second verification factor in addition to the password.

This feature is available for:

* **OneFirewall Cloud instances**
* **OneFirewall On-Prem installations**
* **Personal user accounts**

***

## Why 2FA Matters

Passwords alone are no longer sufficient to protect access to critical security infrastructure.\
They can be:

* Phished
* Reused across services
* Leaked via third-party breaches
* Brute-forced or guessed

2FA significantly reduces the risk of unauthorized access, even if credentials are compromised.

***

## Security Value

With 2FA enabled, OneFirewall provides:

* **Protection against credential theft**\
  Access requires something the user *knows* (password) and something the user *has* (second factor).

* **Reduced blast radius**\
  Compromised passwords alone cannot be used to access the platform.

* **Stronger access control**\
  Especially critical for administrative, SOC, and security engineering roles.

* **Alignment with security best practices**\
  2FA is a baseline requirement in most security frameworks and compliance standards.

***

## Operational Benefits

Enabling 2FA provides tangible operational advantages:

* **Improved account security** for administrators and users
* **Lower incident response overhead** caused by account compromise
* **Higher trust in audit trails** and user activity logs
* **Consistent security posture** across cloud and on-prem environments

***

## Supported Environments

2FA is supported consistently across:

* ✅ OneFirewall Cloud
* ✅ OneFirewall On-Prem
* ✅ Hybrid deployments

This ensures the same level of protection regardless of where OneFirewall is deployed.

***

## Service Accounts and OTP

**Service Accounts** are designed for automation, integrations, and non-interactive access.

* Service Accounts **can authenticate to the platform without OTP**
* OTP challenges are **not required** for Service Accounts
* This ensures:
  * Reliable automation
  * Non-interactive API and system access
  * No disruption to integrations or CI/CD pipelines

> ⚠️ Service Accounts should be tightly scoped and protected using strong credentials and network controls.

***

## OTP Lockout Policy

To protect against brute-force and credential-stuffing attacks, OneFirewall enforces an **OTP lockout policy**:

* After **10 consecutive unsuccessful OTP attempts**, the account is **automatically locked**
* While locked:
  * Login is denied, even with correct credentials
* An **administrator must manually reset the OTP status** via the OneFirewall portal to restore access

This mechanism prevents repeated OTP abuse and ensures administrative oversight in recovery scenarios.
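
The following added example (not OneFirewall code) replays authentication events through a model of the lockout policy and the Service Account exemption described above, and collects the alerts a SOC would want from it. Assumptions: the event tuples, the `OtpLockoutMonitor` class, and the early-warning level of 5 are hypothetical, each event is taken to follow a successful password check, and a successful OTP is assumed to end a run of consecutive failures.

```python
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10   # from the policy above: 10 consecutive failed OTP attempts
WARN_THRESHOLD = 5       # assumption: early-warning level chosen for this example

@dataclass
class OtpLockoutMonitor:
    """Replays auth events and mirrors the documented lockout policy."""
    failures: dict = field(default_factory=dict)   # user -> consecutive OTP failures
    locked: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def observe(self, user, kind, otp_ok=None):
        """kind is 'personal' or 'service'; returns 'allow' or 'deny'."""
        if kind == "service":              # Service Accounts are not OTP-challenged
            return "allow"
        if user in self.locked:            # denied even with a correct OTP
            self.alerts.append((user, "attempt_while_locked"))
            return "deny"
        if otp_ok:
            self.failures[user] = 0        # assumption: success ends the consecutive run
            return "allow"
        n = self.failures[user] = self.failures.get(user, 0) + 1
        if n == LOCKOUT_THRESHOLD:
            self.locked.add(user)
            self.alerts.append((user, "locked_needs_admin_reset"))
        elif n == WARN_THRESHOLD:
            self.alerts.append((user, "approaching_lockout"))
        return "deny"

    def admin_reset(self, user):
        """Models the manual OTP status reset performed by an administrator."""
        self.locked.discard(user)
        self.failures[user] = 0

def replay(events):
    """Feed (user, kind, otp_ok) tuples through a fresh monitor."""
    mon = OtpLockoutMonitor()
    decisions = [mon.observe(*e) for e in events]
    return mon, decisions

# Constructed sample events: (user, account kind, OTP result)
SAMPLE = (
    [("alice", "personal", False)] * 4 + [("alice", "personal", True)]   # run broken at 4
    + [("bob", "personal", False)] * 10 + [("bob", "personal", True)]    # locks, then denied
    + [("ci-bot", "service", None)]                                      # no OTP challenge
)
```
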

***

## Recommendation: Enable 2FA on Personal Accounts

While 2FA can be enforced at the organizational level, **OneFirewall strongly recommends enabling 2FA on all personal accounts**, especially for:

* Administrators
* Security teams
* Users with access to logs, rules, or policy configuration
* Users with API or integration permissions

Enabling 2FA on personal accounts:

* Protects individual credentials
* Prevents lateral movement within the platform
* Reduces overall organizational risk

***

## Summary

* OneFirewall supports **2FA on both cloud and on-prem instances**
* Service Accounts can access the platform **without OTP**
* Accounts are **locked after 10 consecutive failed OTP attempts** and require an **admin reset**
* 2FA significantly improves protection against unauthorized access
* **Enabling 2FA on personal accounts is highly recommended**

> Security starts with access. Enabling 2FA is one of the simplest and most effective steps you can take to protect your OneFirewall environment.
