
Why 2FA?

Two-factor authentication requires users to prove their identity with something they know (password) and something they have (phone, hardware token). Even if a password is compromised, attackers can't get in without the second factor.

Warden supports several 2FA methods that work with RADIUS authentication - meaning your users can use 2FA for WiFi, VPN, and other network access.

Supported 2FA Methods

TOTP Apps

Time-based one-time passwords via apps like Google Authenticator, Microsoft Authenticator, Authy, or 1Password. Users enter a 6-digit code that changes every 30 seconds. The code is appended (or prepended) to the password.

No network needed · Works offline · Free

Email OTP

A 6-digit code is sent to the user's email address. Uses RADIUS Access-Challenge to prompt the user to enter the code after password verification. Great for users who can't use authenticator apps.

No app required · Works on any device · Needs email access

Push Notifications

Via external providers like Duo or Azure MFA. Users approve login requests with a tap on their phone. Warden chains to these providers via RADIUS.

Best user experience · Phishing resistant · Needs network

Hardware Tokens

TOTP-compatible hardware tokens like YubiKey (in TOTP mode) or RSA SecurID. Same 6-digit codes, but from a dedicated device.

No phone needed · Very secure · Device cost

How 2FA Works with RADIUS

Warden supports two different 2FA flows depending on the method type:

TOTP (Password + Code)

For TOTP authentication, users enter their password and 2FA code together in a single request. The code position is configurable:

Append (Most Common)

Password first, then code:

MyP@ssword123456
Where 123456 is the 2FA code.

Prepend

Code first, then password:

123456MyP@ssword
Some legacy systems prefer this.

The code position is configurable at the policy level. Choose one and stick with it - users need to know what to expect.

Email OTP (Access-Challenge)

For Email OTP, Warden uses the RADIUS Access-Challenge flow:

  1. User enters username and password only
  2. Warden verifies the password and sends an email with a 6-digit code
  3. Warden sends an Access-Challenge back to the network device
  4. The device prompts the user for the code
  5. User enters the code from their email
  6. If valid, Warden grants access

Device compatibility: Not all network devices support Access-Challenge. Check your device's documentation. Most enterprise VPN clients and WiFi supplicants support it.

Multiple 2FA Methods

Policies can have multiple 2FA methods configured. When a user authenticates, Warden tries each method in priority order until one succeeds:

  1. User attempts authentication
  2. Warden checks the first 2FA method (e.g., TOTP)
  3. If it fails, Warden tries the next method (e.g., Email OTP)
  4. If any method succeeds, authentication passes
  5. If all methods fail, authentication is rejected

Example use case: Configure TOTP as the primary method and Email OTP as a backup. Users normally use their authenticator app, but if they lose their phone, they can fall back to email verification.

2FA is enforced once configured: If any 2FA method is configured in a policy, users must successfully verify with at least one of them. There's no "optional" 2FA - if it's configured, it's enforced.
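The three mechanisms described above (configurable code position, the Access-Challenge round trip for Email OTP, and trying methods in priority order) as one worked example in Python. This is an added illustration, not Warden's code: the user record, the base32 secret, the policy shape and the `pending` dict that stands in for sending the email are all assumptions.

```python
import base64, hashlib, hmac, secrets, struct

STEP, SKEW_STEPS, CODE_LEN = 30, 1, 6   # 30 s step; one step of skew either side ("within 30 seconds"); 6 digits

def ct_eq(a, b):
    """Constant-time comparison, so a wrong guess does not leak where it diverged."""
    return hmac.compare_digest(a.encode(), b.encode())

def totp(secret_b32, at):
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_LEN:0{CODE_LEN}d}"

def split_password(raw, position):
    """Separate the static password from the code per the policy's code position."""
    if len(raw) <= CODE_LEN:
        return None
    if position == "append":
        pw, code = raw[:-CODE_LEN], raw[-CODE_LEN:]
    elif position == "prepend":
        code, pw = raw[:CODE_LEN], raw[CODE_LEN:]
    else:
        raise ValueError(f"unknown code position {position!r}")
    return (pw, code) if code.isdigit() else None

def verify_totp(user, raw, position, now):
    parts = split_password(raw, position)
    if parts is None or not ct_eq(parts[0], user["password"]):
        return False
    return any(ct_eq(parts[1], totp(user["totp_secret"], now + s * STEP))
               for s in range(-SKEW_STEPS, SKEW_STEPS + 1))

def handle_request(user, password_field, policy, now, pending, state=None):
    """One RADIUS round. Returns (reply, state); `pending` maps challenge State -> emailed code."""
    if state is not None:                  # round 2 of an Email OTP challenge: the field carries the code
        expected = pending.pop(state, None)    # a State is single use
        ok = expected is not None and ct_eq(password_field, expected)
        return ("Access-Accept" if ok else "Access-Reject", None)
    for method in policy["methods"]:       # priority order; first success wins
        if method == "totp" and verify_totp(user, password_field, policy["code_position"], now):
            return ("Access-Accept", None)
        if method == "email_otp" and ct_eq(password_field, user["password"]):
            new_state = secrets.token_hex(8)
            pending[new_state] = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"  # stands in for the email send
            return ("Access-Challenge", new_state)
    return ("Access-Reject", None)

USER = {"password": "MyP@ssword", "totp_secret": "JBSWY3DPEHPK3PXP"}  # constructed sample, not a real secret
```

Note that a plain password with no code falls through TOTP and lands on the Email OTP challenge, which is exactly the backup behaviour the use case above describes.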

Setting Up TOTP

For Users

  1. Go to the user's profile in Warden
  2. Click Enable 2FA
  3. A QR code appears
  4. User scans the QR code with their authenticator app
  5. User enters a verification code to confirm setup

For Admins (Bulk Enable)

  1. Edit the user group
  2. Enable "Require 2FA"
  3. Users will be prompted to enroll on next login

Plan for recovery: What happens if users lose their phone? Keep backup codes, have a recovery process, or allow admins to reset 2FA. Don't let users get permanently locked out.

Using External MFA Providers

Warden can chain to external MFA providers like Duo or Azure MFA. The flow is:

  1. User sends credentials to network device
  2. Device sends RADIUS request to Warden
  3. Warden verifies password
  4. Warden forwards to external MFA provider
  5. Provider sends push notification to user's phone
  6. User approves
  7. Provider tells Warden success
  8. Warden tells device to grant access

Set up the external provider as a RADIUS identity provider in Warden, then include it in your policy's authentication chain.

Critical: Timeout Settings

Push-based 2FA requires much longer timeouts than typical RADIUS configurations. Users need time to:

  • Notice the push notification
  • Pull out their phone
  • Unlock it
  • Review and approve the request

2FA Method          | Recommended Timeout | Why
--------------------|---------------------|----------------------------------
TOTP (code)         | 30 seconds          | Code is entered with password
Email OTP           | 60 seconds          | Email delivery + user reads email
Push (Duo, Azure)   | 60-90 seconds       | User needs time to respond
SMS (if used)       | 60 seconds          | SMS delivery can be slow

The #1 cause of 2FA failures: Default timeouts are 5-10 seconds. That's not enough time for push notifications. Configure both Warden and your network devices for 60+ second timeouts when using push-based 2FA.

See our detailed timeout configuration guide for vendor-specific settings.

2FA Policies

You can configure 2FA requirements at multiple levels:

System Level

Default 2FA requirements for all users

Group Level

Override for specific user groups (e.g., require 2FA for admins)

Policy Level

Require 2FA for specific hosts or use cases (e.g., VPN access)

User Level

Individual user exemptions or requirements

Troubleshooting 2FA

"Invalid 2FA code"

  • Check device time - TOTP requires accurate clocks (within 30 seconds)
  • Make sure user is entering the current code, not an old one
  • Verify the code position (append vs prepend) matches config

Push notification never arrives

  • Check user's phone has internet connectivity
  • Verify the MFA app has notification permissions
  • Check the external provider's status page
  • Review Warden logs for errors from the provider

Authentication times out before user can respond

  • Increase Warden's timeout setting (60-90 seconds for push)
  • Increase the network device's RADIUS timeout
  • Set retries to 1 (multiple retries = multiple push notifications)

User can't enroll (no QR code)

  • Check that 2FA is enabled for their group or system-wide
  • Verify the user account exists and is enabled
  • Try generating a new secret if previous one was corrupted

Best Practices

  • Start with a pilot group - Roll out 2FA to IT staff first, then expand. Learn from their feedback.
  • Provide backup options - Backup codes, admin reset capability, or alternative verification methods.
  • Communicate clearly - Tell users what to expect, how to enter codes, and who to contact for help.
  • Consider exceptions carefully - Some devices (IoT, printers) can't do 2FA. Use separate SSIDs or VLANs for them.
  • Monitor enrollment - Track how many users have enrolled and follow up with those who haven't.
