
MFA Overview

Multi-factor authentication (MFA) adds a second factor to your Rack Gateway account. The web UI supports TOTP and WebAuthn, plus backup codes for recovery.

Backup Codes

One-time recovery codes generated during enrollment.


If MFA is required by your organization, you will be redirected to Account Security after login.

  1. Open the web UI
  2. Go to Account Security
  3. Click Enable MFA
  4. Choose Authenticator app or Passkey/security key

Some sensitive actions require MFA verification even with an active session. Examples include:

  • Creating or editing API tokens
  • Approving deploy requests
  • Updating user roles
  • Changing security-related settings

The step-up window defaults to 10 minutes and is configurable by admins.

You can trust a device during verification or from Account Security → Trusted Devices. Trusted devices skip MFA prompts until their TTL expires (default 30 days).

Backup codes are generated during enrollment and can be regenerated later. Codes are only shown at generation time, so store them securely.

The CLI supports MFA verification:

rack-gateway deploy -a myapp --mfa-code 123456
rack-gateway deploy -a myapp --mfa-method webauthn

If you use WebAuthn with the CLI, mark the method as CLI Compatible in Account Security.

Admins configure global MFA settings in Settings:

  • Require MFA for all users
  • Step-up window (minutes)
  • Trusted device TTL (days)
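
How the three global settings combine for a single request, as an added sketch that is not Rack Gateway's own code. The names `MfaPolicy`, `Session` and `decide` are hypothetical, and two behaviours the page does not specify are assumptions: device trust does not satisfy step-up for sensitive actions, and an unenrolled user is allowed through when MFA is not required.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class MfaPolicy:
    require_mfa: bool = True                            # "Require MFA for all users"
    step_up_window: timedelta = timedelta(minutes=10)   # default stated on the page
    trusted_device_ttl: timedelta = timedelta(days=30)  # default stated on the page


@dataclass(frozen=True)
class Session:
    mfa_enrolled: bool
    last_mfa_at: Optional[datetime] = None        # last successful MFA check
    device_trusted_at: Optional[datetime] = None  # when the device was trusted


def _within(ts: Optional[datetime], window: timedelta, now: datetime) -> bool:
    # A timestamp in the future (clock skew or tampering) never counts as fresh.
    return ts is not None and timedelta(0) <= now - ts < window


def decide(policy: MfaPolicy, s: Session, now: datetime, sensitive: bool) -> str:
    """Return "enroll", "verify" or "allow" for one request."""
    if not s.mfa_enrolled:
        # Assumption: without a registered factor there is nothing to verify.
        return "enroll" if policy.require_mfa else "allow"
    if sensitive:
        # Assumption: device trust does not replace step-up; only a
        # verification inside the step-up window does.
        fresh = _within(s.last_mfa_at, policy.step_up_window, now)
        return "allow" if fresh else "verify"
    if s.last_mfa_at is not None:
        return "allow"  # this session already passed MFA at login
    if _within(s.device_trusted_at, policy.trusted_device_ttl, now):
        return "allow"  # trusted device skips the login prompt
    return "verify"


if __name__ == "__main__":
    now = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample time
    trusted = Session(True, device_trusted_at=now - timedelta(days=29))
    print(decide(MfaPolicy(), trusted, now, sensitive=False))
    print(decide(MfaPolicy(), trusted, now, sensitive=True))
```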