Configure two-factor authentication

This topic describes how to enable two-factor authentication (2FA) and require it to access HCP Terraform and Terraform Enterprise interfaces.

Overview

Configuring 2FA protects user accounts and sensitive data. Complete the following steps to configure 2FA for your organization:

1. Each member of the organization must enable 2FA for their accounts.
2. The organization owner enables the organization setting to require 2FA to access HCP Terraform and Terraform Enterprise interfaces.

Additional configuration steps may be necessary for members who log into HCP Terraform and Terraform Enterprise using their HashiCorp Cloud Platform (HCP) credentials. Complete the following steps to use 2FA in your organizations.

Requirements

You must be an organization owner to require users within your organization to use 2FA.

You can configure 2FA on HCP Terraform or Terraform Enterprise configured for IPv4. The messaging service that sends 2FA messages does not support IPv6 addresses.

Enable 2FA on user accounts

1. Sign in to HCP Terraform or Terraform Enterprise.
2. Click the user icon in the upper right corner and choose Account Settings from the menu.
3. Click Two Factor Authentication in the sidebar and enable one of the following settings:

• Application
• SMS Only (Text Message). Note that you cannot use SMS when operating Terraform Enterprise in an IPv6-only network. Refer to Requirements.

1. Enter an SMS-enabled phone number. A phone number is optional when you enable Application.
2. Click Enable 2FA and complete the instructions to finish the configuration.
3. If you enabled ApplicationTerraform prompts you to scan a QR code to and provide the authentication code to enable the application.

After enabling 2FA, you can perform the following actions:

• Click Reveal codes to view single-use backup codes. Store the codes in a safe location so that you can use them to log in if necessary.
• Click Disable 2FA to disable 2FA.

Log in with 2FA enabled

After two-factor authentication has been successfully set-up you will need to enter the code from your TOTP-compliant application or from an SMS sent to your approved SMS-enabled phone number on login.

If necessary, you can also use a backup code by clicking Use a recovery code. You can only use each backup code to log in one time.

Require 2FA for all users

All organization owners must enable 2FA before you can require it for the organization.

1. Sign in to HCP Terraform or Terraform Enterprise.
2. Choose your organization and click Settings.
3. Click Authentication and click Require two-factor.

Require 2FA for HashiCorp Cloud Platform users

Some users in your organization may log into HCP Terraform using their HashiCorp Cloud Platform (HCP) credentials. Refer to Log in with a HashiCorp Cloud Platform account for additional information.

The required configuration for each organization member that logs in with their HCP credentials depends on their linked HCP identity:

• Email: Follow the instructions in the HashiCorp Cloud MFA docs.
• GitHub: Follow the instructions in the Configuring GitHub two-factor authentication docs.
• SSO: HCP Terraform does not support HCP SSO accounts.