Two factor authentication
This is how you can set up two factor authentication for editors.
The Access Control System
Please note: This requires server version v5.0.2147 or later. To enable two factor authentication in the old edit UI, you must download these files and unzip them to: waf/edit/main.
Two factor authentication is built in to the system. Enable it in installation settings:
This will trigger a verification code in the login of both the old edit UI and the new UI. Upon providing a valid username and password, the system will automatically send a verification code to the mobile number or email address stored for the user. The master user uses the admin email and mobile set under installation settings. Here you can also specify the default from-email and from-mobile number for the message.
If you are locked out of the system after enabling it, you can disable it by overriding the setting in web.config:
<add key="WAF.TwoFactorAuthentication" value="false" />
<add key="WAF.NoTwoFactorForMaster" value="true" />
By default, not all licenses allow SMS messages. Contact us if you want to enable this in your license.
There is also an option to let the system remember user devices, so that the user is only prompted for the verification code once on each device.
The default expiration time is 30 days, but you can override this in appSettings:
<add key="WAF.TwoFactorAuthenticationDeviceMaxAge" value="30" />
A "device" is defined by a persisted key in the browser and the user's remote address (IP).
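The lock-out overrides and the device max age described above are easy to leave in web.config after access has been restored. The following is an added example, not code from the product: a small audit that reads the appSettings keys named on this page and reports any that weaken the login. The sample web.config is constructed, and matching "true"/"false" case-insensitively is an assumption about how the values are read.

```python
import xml.etree.ElementTree as ET

DEFAULT_DEVICE_MAX_AGE_DAYS = 30  # default expiration stated on this page

# Constructed sample: lock-out recovery overrides left in place after recovery.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="WAF.TwoFactorAuthentication" value="false" />
    <add key="WAF.NoTwoFactorForMaster" value="True" />
    <add key="WAF.TwoFactorAuthenticationDeviceMaxAge" value="365" />
  </appSettings>
</configuration>"""


def read_app_settings(xml_text):
    """Return the <appSettings> entries of a local, trusted web.config as a dict."""
    root = ET.fromstring(xml_text)
    settings = {}
    for node in root.findall("./appSettings/add"):
        key = node.get("key")
        if key:
            settings[key.strip()] = (node.get("value") or "").strip()
    return settings


def audit_two_factor(xml_text, max_age_days=DEFAULT_DEVICE_MAX_AGE_DAYS):
    """List findings for web.config overrides that weaken two factor login."""
    s = read_app_settings(xml_text)
    findings = []
    if s.get("WAF.TwoFactorAuthentication", "").lower() == "false":
        findings.append("WAF.TwoFactorAuthentication=false: 2FA is overridden off")
    if s.get("WAF.NoTwoFactorForMaster", "").lower() == "true":
        findings.append("WAF.NoTwoFactorForMaster=true: master user skips 2FA")
    raw = s.get("WAF.TwoFactorAuthenticationDeviceMaxAge")
    if raw is not None:
        try:
            if int(raw) > max_age_days:
                findings.append(f"DeviceMaxAge={raw} exceeds {max_age_days} days")
        except ValueError:
            findings.append(f"DeviceMaxAge={raw!r} is not a whole number of days")
    return findings


if __name__ == "__main__":
    for finding in audit_two_factor(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
```

Run it against the deployed web.config after any lock-out recovery; an empty result means none of the three keys is weakening the default behaviour.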