Applicable to:
- Plesk for Linux
- Plesk for Windows
Question
- Is it possible to configure multi-factor authentication (MFA) to access Plesk?
- Is it possible to configure two-factor authentication (2FA) to access Plesk?
Answer
The two-factor authentication (2FA or TFA) scheme in Plesk is facilitated by the Multi-Factor Authentication (MFA) extension.
Since Plesk Obsidian 18.0.61, 2FA via the Multi-Factor Authentication (MFA) extension can be configured in the profile settings by users of all levels (administrators, additional administrators, resellers, customers, and subscription users), and Plesk administrators can make multi-factor authentication mandatory for all Plesk users on a server.
The general setup steps are the following:
- Install the Multi-Factor Authentication (MFA) extension
- Enable 2 Factor Authentication:
  a. Go to Extensions > Multi-Factor Authentication and select the checkbox Enable Multi-factor Authentication
  b. Scan the QR code with an MFA application (for example, the Google Authenticator App)
  c. Enter the verification code provided by the MFA app into the Verification code section
  d. Press OK
- (Optional) You can enforce 2 Factor Authentication by adding the following to panel.ini:
  [ext-mfa]
  enforce = true
  allowSkipEnforce = false
  ;learnMoreURL = 'url to article'
  Note: Default values are enforce = false and allowSkipEnforce = false
  - enforce: When enforce is set to true, users are forced to enable 2FA at login and cannot continue with Plesk administration until they complete the steps to enable 2FA.
  - allowSkipEnforce: When allowSkipEnforce is set to true, the enforcement can be skipped by clicking Skip for now in the Note within the Warning message.
  - learnMoreUrl: This option can be included to change the destination URL of the "Learn more about two-factor authentication" link in the warning message.
    Insert the URL in quotes as below:
    learnMoreURL = 'https://example.com'
    Or leave it commented out to keep the default value.
Note: The mobile application uses XML-RPC API requests to communicate with the Plesk server. You can enhance security for Plesk access by disabling the XML API entirely or limiting it to specific IP addresses, using the information in the article How to restrict Plesk XML API?
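A check for the [ext-mfa] settings described above, as an added example that is not part of the original article or Plesk's own tooling: it reads panel.ini text, applies the defaults the article states, and reports whether 2FA is mandatory and cannot be skipped. The function names, the sample inputs, and the acceptance of PHP-style boolean spellings (on/yes/1) are assumptions; the path to panel.ini is supplied by the operator.

```python
import configparser
import sys

# Defaults stated in the article: enforce = false, allowSkipEnforce = false.
DEFAULTS = {"enforce": False, "allowSkipEnforce": False}
# Assumption: panel.ini follows PHP-style INI boolean spellings.
TRUE_WORDS = {"1", "true", "on", "yes"}

# Constructed sample inputs (not taken from a real server).
HARDENED = "[ext-mfa]\nenforce = true\nallowSkipEnforce = false\n;learnMoreURL = 'url to article'\n"
SKIPPABLE = "[ext-mfa]\nenforce = true ; rollout phase\nallowSkipEnforce = 'true'\n"
COMMENTED = "[ext-mfa]\n;enforce = true\nallowSkipEnforce = true\n"


def read_mfa_settings(ini_text):
    """Return the effective [ext-mfa] booleans, applying the documented defaults."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False,
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";",))
    parser.optionxform = str  # keep key case (allowSkipEnforce)
    # Dummy section so keys placed before any [section] do not abort parsing.
    parser.read_string("[__top__]\n" + ini_text)
    settings = dict(DEFAULTS)
    for key in DEFAULTS:
        if parser.has_option("ext-mfa", key):
            raw = parser.get("ext-mfa", key).strip().strip("'\"").lower()
            settings[key] = raw in TRUE_WORDS
    return settings


def audit(ini_text):
    """Return findings; an empty list means 2FA is mandatory and cannot be skipped."""
    settings = read_mfa_settings(ini_text)
    if not settings["enforce"]:
        return ["enforce is not true: users are not forced to enable 2FA"]
    if settings["allowSkipEnforce"]:
        return ["allowSkipEnforce is true: users can click 'Skip for now'"]
    return []


if __name__ == "__main__":
    # Usage: python check_mfa.py /path/to/panel.ini  (path supplied by the operator)
    with open(sys.argv[1], encoding="utf-8") as handle:
        findings = audit(handle.read())
    print("\n".join(findings) or "OK: 2FA enforced, skip disabled")
    sys.exit(1 if findings else 0)
```

A commented-out `;enforce = true` line falls back to the default of false, so the check reports it as not enforced.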
Additional information
Change Log for Plesk Obsidian 18.0.61
Why does Plesk enforces me to use two-factor authentication (2FA)?
Comments
How to change the 16-symbol secret key for Google Authenticator to a new one?
After disabling the plugin and re-enabling it, the key is the same.
Just in case the device with the OTP generator was lost, compromised or whatever.
It's pretty crazy that in 2024 Plesk still can't do enforced 2FA, AND can't even do any 2FA on sub accounts (webmaster, etc.).
The extension is not called MFA anymore in Plesk. If you're looking like a maniac clicking around, install the Google Authenticator extension.