Configuring multi-factor authentication

Multi-factor authentication is a type of authentication which requires a user’s identity to be verified by more than one method. This technique adds another layer of security for the sign-ins to the system. Kentico uses a combination of standard forms authentication with username and password and one other authentication factor.

Limitations for Kentico 10

The Kentico Authenticator application, which originally provided an out-of-the-box multi-factor authentication solution, is no longer available. You can implement your own customized solution with an additional authentication factor (email, SMS, etc.).

Newer Kentico versions provide an improved multi-factor authentication solution with general support for the Time-based One-time Password Algorithm (TOTP). We recommend upgrading to Kentico 11 or newer.

Security and limitations

The multi-factor authentication is:

  • Available only for the default forms authentication method.
  • Not compatible with the Autocomplete functionality.

For security reasons, it is recommended to set Maximum invalid sign-in attempts to a small value, for example 5. Because incorrectly submitted passcodes count as invalid sign-in attempts, a potential attacker will not be able to guess a valid passcode in the specified number of attempts.

If the screen locking feature is enabled, entering the passcode is also required when unlocking the screen.

The multi-factor authentication settings have a global effect. They cannot be configured for individual sites.

Enabling multi-factor authentication for only selected users

  1. Enable the multi-factor authentication in Settings -> Security & Membership -> Authentication by selecting the Enable multi-factor authentication option.
    • When you select this option, users will be able to choose if they want to use multi-factor authentication for signing in to your website. They can set this behavior when they register on the site through the Registration form web part.
  2. Set the Multi-factor authentication is required option on the Users application -> General tab of the selected users' profiles.
    • Existing users with this option selected will be required to use multi-factor authentication for signing in to your websites.

Enabling multi-factor authentication for all users in the system

Keeping the administrator access

After you enable the multi-factor authentication globally, make sure that you do not lose the administrator access to the Kentico interface. The next time you sign in to the administration interface, do not forget to note down the Token ID for your account.

The system will not display the Token ID again. Therefore, if you do not note it down, you will lose access to the administration UI.

To enforce the use of an additional security level for authenticating all users in the system:

  1. Enable the multi-factor authentication in Settings -> Security & Membership -> Authentication by selecting the Enable multi-factor authentication option.
  2. Select the Multi-factor authentication is required globally option.
    • All users will have to use multi-factor authentication for signing in to your websites.
    • The Multi-factor authentication is required option on the Users application -> General tab will now have no effect.

Recovering administrator access

If you enable multi-factor authentication globally and lose access to your administrator account (the token ID is not displayed when signing in, or you did not note it down), you can regain access by adding the CMSAdminEmergencyReset key to the appSettings section of your web.config. For example:

<add key="CMSAdminEmergencyReset" value="admin;password;true" />


  • admin - this value specifies the user name of the new account.
  • password - this value specifies the password for the new account – you should change it to your own value.
  • The third parameter is optional and indicates whether you want to create a new user with the Global administrator privilege level.
  • The key will be automatically deleted after you gain access to the user interface.
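
As an added example (not part of the Kentico documentation or product code), the following Python script audits a web.config for a CMSAdminEmergencyReset key that is still present, since the key holds a plaintext password for as long as it stays in the file. The function names, the sample configuration and the splitting of the value on ';' are assumptions made for this illustration.

```python
import sys
import xml.etree.ElementTree as ET

RESET_KEY = "CMSAdminEmergencyReset"

# Constructed sample web.config for this example (not taken from a real site).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ExampleOtherSetting" value="1" />
    <add key="CMSAdminEmergencyReset" value="admin;password;true" />
  </appSettings>
</configuration>"""


def parse_reset_value(value):
    """Split 'user;password[;true]' into the parts the page describes.
    Assumption: fields are separated by ';' exactly as in the page's example."""
    user, password, flag = (value.split(";") + ["", "", ""])[:3]
    return {"user": user, "password": password,
            "create_global_admin": flag.strip().lower() == "true"}


def audit_web_config(xml_text):
    """Return one finding per emergency-reset key still present in appSettings."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches appSettings sections nested under <location> elements.
    for section in root.iter("appSettings"):
        for add in section.findall("add"):
            if (add.get("key") or "").lower() != RESET_KEY.lower():
                continue
            parsed = parse_reset_value(add.get("value") or "")
            findings.append({
                "user": parsed["user"],
                "create_global_admin": parsed["create_global_admin"],
                # Flag the page's sample password; never echo the password itself.
                "sample_password_unchanged": parsed["password"] == "password",
            })
    return findings


if __name__ == "__main__":
    # Optional argument: path to a web.config. Exit code 1 if the key is present.
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_WEB_CONFIG)
    results = audit_web_config(text)
    for finding in results:
        print(f"{RESET_KEY} present: {finding}")
    sys.exit(1 if results else 0)
```

Run it against deployed or packaged web.config files; a non-zero exit code means the key has not yet been consumed and removed.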

Note: Disable the Display initialization token option when implementing your own custom multi-factor authentication solution. See Settings - Authentication.

Allowing users to enable or disable multi-factor authentication in their profiles

When you or new users enable the multi-factor authentication for their profiles, they will not be able to change this setting. If you want to allow them to disable the multi-factor authentication for their profiles:

  1. Open the Modules application.
  2. Edit Membership -> Classes tab -> edit User -> Alternative forms tab -> edit Edit profile -> Fields tab.
  3. Select the UserMFRequired field in the list.
  4. Select the Display field in the editing form check box.

Users will now have an option to disable the multi-factor authentication.