Managing Two-Factor Authentication
Enabling two-factor authentication (2FA) on your TeamCity server adds an extra level of security. Users have to verify their identity in two steps: by providing their regular credentials and by submitting disposable keys generated on their personal mobile devices.
To select the required 2FA mode, navigate to the Administration | Authentication page and scroll down to the General settings section. Note that only system administrators can modify authentication settings.
2FA Mode | Behavior |
---|---|
Optional | Lets users decide whether they want to enable 2FA for their accounts. This is the default setting. |
Mandatory | Requires all users to set up 2FA within one week. The grace period starts from the moment you enable the "Mandatory" mode (for existing users), or the moment a user registers (for new users). |
Disabled | Users cannot set up 2FA. |
Critical Settings Protection
If two-factor authentication is enabled, users who pass the 2FA check have one hour to modify critical user settings. Once this period expires, users must pass a new 2FA verification before they can proceed with these edits.
Actions that are blocked until a user passes another verification include:
- Disabling 2FA in user profile settings
- Changing user password and email
- Generating access tokens
This behavior adds an extra layer of protection that prevents attackers who gain access to a user's account from modifying user settings and inflicting more damage.
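The two time-based rules on this page (the one-week grace period in Mandatory mode and the one-hour window for critical settings) can be modelled as follows. This is an added illustration, not TeamCity code; the action names, the `Session` type, and the handling of the boundary and of a session with no recorded 2FA check are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

REVERIFY_WINDOW = timedelta(hours=1)  # from the page: one hour after a 2FA check
GRACE_PERIOD = timedelta(weeks=1)     # from the page: Mandatory mode grace period

# Hypothetical labels for the critical actions the page lists.
CRITICAL_ACTIONS = {
    "disable_2fa",
    "change_password",
    "change_email",
    "generate_access_token",
}


@dataclass
class Session:
    user: str
    last_2fa_check: Optional[datetime] = None  # None: no 2FA check recorded


def needs_reverification(session: Session, action: str, now: datetime) -> bool:
    """Return True if the action is blocked until the user passes 2FA again."""
    if action not in CRITICAL_ACTIONS:
        return False  # ordinary actions are not gated by the window
    if session.last_2fa_check is None:
        return True   # assumption: no recorded check is treated as expired
    # Assumption: the final instant of the hour still counts as inside the window.
    return now - session.last_2fa_check > REVERIFY_WINDOW


def enrollment_deadline(mandatory_enabled_at: datetime,
                        registered_at: datetime) -> datetime:
    """Deadline for setting up 2FA in Mandatory mode.

    The grace period starts at whichever is later: the moment Mandatory mode
    was enabled (existing users) or the moment the user registered (new users).
    """
    return max(mandatory_enabled_at, registered_at) + GRACE_PERIOD
```

A session whose last 2FA check is more than an hour old can still perform ordinary actions, but every listed critical action returns `True` until a fresh check is recorded.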