TCC provides two-factor authentication (2FA) for users. It is enabled per 'realm', and each user needs their own key. There are two 2FA options, 'OATH' and 'Yubico'. We will only cover the OATH method.
The following steps are required to enable 2FA:
- Install a TOTP client on your phone or desktop
- Add a key to each user
- Enable 2FA on the affected realm
Step 1:
- Install a TOTP client, for example https://www.icewarp.nl/apps/authenticator/
- Generate a key for the user in question via: https://www.xanxys.net/totp/
Step 2:
- Go to 'Datacenter', 'Permissions' and then to 'Users'
- Double-click on the user for which you want to set the key
- Copy the 'Secret Key (hex string)' to the 'Key ID' field of the user
- Scan the generated QR code with the TOTP client and add the entry to your client
Step 3:
- Go to 'Datacenter', 'Permissions', 'Authentication'
- Double-click on the realm you want to edit, default 'pve'
- Choose 'OATH' at 'TFA'
- 2FA is now enabled. Note: users without a key can no longer log in!
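
The key from Step 1 can also be generated locally, so the secret is never entered into a web page. The following is an added example, not part of the original instructions or of TCC: it creates a random OATH secret, prints it as a hex string for the 'Key ID' field from Step 2 together with the `otpauth://` URI a TOTP client reads from a QR code, and computes the current code (RFC 6238, HMAC-SHA1, 30-second step) so you can compare it with what your client shows before enabling 2FA on the realm. The account name `alice@pve` and issuer `TCC` are constructed sample values.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def new_secret(nbytes=20):
    """Return a random OATH secret (20 bytes, matching the HMAC-SHA1 output length)."""
    return secrets.token_bytes(nbytes)

def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP using HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def provisioning_uri(secret, account, issuer):
    """Build the otpauth:// URI (base32 secret) that TOTP clients import."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"

if __name__ == "__main__":
    secret = new_secret()
    # Hex form for the 'Key ID' field, as described in Step 2 of this page.
    print("Secret Key (hex string):", secret.hex())
    # Constructed sample account and issuer; replace with the real user and realm.
    print("URI for the TOTP client:", provisioning_uri(secret, "alice@pve", "TCC"))
    print("Current code:", totp(secret))
```

Treat the printed secret and URI like a password: anyone who obtains them can generate valid codes for that user.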