Question
- Is it possible to configure multi-factor authentication (MFA) to access Plesk?
- Is it possible to configure two-factor authentication (2FA) to access Plesk?
Answer
The two-factor authentication (2FA or TFA) scheme in Plesk is facilitated by the Multi-Factor Authentication (MFA) extension.
Since Plesk Obsidian 18.0.61, two-factor authentication via the Multi-Factor Authentication (MFA) extension can be configured in the profile settings by users of all levels (administrators, additional administrators, resellers, customers, and subscription users), and Plesk administrators can make multi-factor authentication mandatory for all Plesk users on a server.
The general setup steps are the following:
- Install the Multi-Factor Authentication (MFA) extension
- Enable 2 Factor Authentication:
  a. Go to Extensions > Multi-Factor Authentication and activate the checkbox Enable Multi-factor Authentication
  b. Scan the QR code with an MFA application (for example, the Google Authenticator App)
  c. Enter the verification code provided by the MFA app into the Verification code section
  d. Press OK
- (Optional) You can enforce 2 Factor Authentication by adding the following to panel.ini:
    [ext-mfa]
    enforce = true
    allowSkipEnforce = false
    ;learnMoreURL = 'url to article'
  Note: Default values are enforce = false and allowSkipEnforce = false
- enforce: When enforce is set to true, users are forced to enable 2FA at login and cannot continue with Plesk administration until they complete the 2FA setup steps.
- allowSkipEnforce: When allowSkipEnforce is set to true, the enforcement can be skipped by clicking Skip for now in the Note within the Warning message.
- learnMoreUrl: This option can be included to change the destination URL of the "Learn more about two-factor authentication" link in the warning message. Insert the URL in quotes as below:
    learnMoreURL = 'https://example.com'
  Or leave it commented out to use the default value.
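An added example, not part of the original article or Plesk's own tooling: a small Python check that reads the text of a panel.ini file and reports the effective [ext-mfa] enforcement state, applying the default values stated above. The function name, the result labels and the sample file bodies are constructed for illustration, and the accepted spellings of "true" are an assumption.

```python
import configparser

# Defaults stated in the article: enforce = false, allowSkipEnforce = false.
DEFAULTS = {"enforce": "false", "allowSkipEnforce": "false"}
# Assumption: spellings treated as "true" (PHP-style INI booleans).
TRUTHY = {"1", "true", "on", "yes"}


def mfa_policy(panel_ini_text):
    """Return 'enforced', 'enforced-skippable' or 'not-enforced'."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False,
        comment_prefixes=(";", "#"), inline_comment_prefixes=(";",),
    )
    parser.optionxform = str  # keep key case exactly as the article spells it
    parser.read_string(panel_ini_text)

    section = parser["ext-mfa"] if parser.has_section("ext-mfa") else {}

    def flag(key):
        # A missing or commented-out key falls back to the documented default.
        raw = section.get(key, DEFAULTS[key])
        return raw.strip().strip("'\"").lower() in TRUTHY

    if not flag("enforce"):
        return "not-enforced"
    # Enforcement is on; it only binds users if "Skip for now" is unavailable.
    return "enforced-skippable" if flag("allowSkipEnforce") else "enforced"


# Constructed sample panel.ini bodies (not taken from a real server).
SAMPLES = {
    "hardened": "[ext-mfa]\nenforce = true\nallowSkipEnforce = false\n"
                ";learnMoreURL = 'url to article'\n",
    "skippable": "[ext-mfa]\nenforce = true\nallowSkipEnforce = true\n",
    "commented-out": "[ext-mfa]\n;enforce = true\nallowSkipEnforce = false\n",
    "no-section": "[other-section]\nkey = value\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {mfa_policy(body)}")
```

Only the "enforced" result means every user must complete 2FA setup before continuing; a commented-out enforce line or a missing [ext-mfa] section leaves the defaults in effect.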
Note: The mobile application uses XML-RPC API requests to communicate with the Plesk server. You can enhance security for Plesk access by disabling the XML API entirely or limiting it to specific IP addresses, using the information in the article How to restrict Plesk XML API?
Additional information
Change Log for Plesk Obsidian 18.0.61
Why does Plesk enforces me to use two-factor authentication (2FA)?