2FA

From VoIPmonitor.org
Revision as of 15:28, 19 January 2026 by Admin (talk | contribs) (VS-1760: Document Always enable 2FA dialog option)

Two Factor Authentication (2FA)

2FA is available from VoIPmonitor GUI version 20.

Prerequisites

Ensure server time is synchronized (install NTP service) as 2FA codes are time-sensitive.

GUI Settings

  • Admin users can enable 2FA requirement for any user in GUI > Users & Audit. Enabling requires setup.
  • Admins can delete a user's 2FA secret in GUI > Users & Audit.
  • Users can set/change 2FA (with password) in GUI > User Settings > Change User Auth. Follow the setup dialog.
  • Always enable 2FA dialog (in Settings > System Configuration > Advanced): (New in 2026.1) Forces the 2FA input field to appear on the login screen for all users, regardless of their 2FA status. Useful for environments with external authentication systems that always require a 2FA code.

2FA Code Generator Setup

Use a TOTP authenticator app such as Google Authenticator or Authy.

Scan the QR code to import the account and generate codes.

Troubleshooting

Time Synchronization Issues (TOTP-based 2FA)

If you use TOTP-based apps (Google Authenticator, Authy, etc.) and receive "invalid code" errors, the server time may be out of sync. 2FA codes are time-sensitive.

  • Ensure NTP service is installed and running:
    # Debian/Ubuntu
    sudo apt-get install ntp
    sudo systemctl restart ntp

    # CentOS/RHEL (the service unit is named ntpd)
    sudo yum install ntp
    sudo systemctl restart ntpd
  • Force immediate time sync:
    # If ntpdate reports that the NTP socket is in use, stop the NTP service first
    sudo ntpdate pool.ntp.org

FortiToken Activation Issues

FortiToken uses a different mechanism than TOTP apps. If you receive an "invalid code" error during FortiToken activation:

  • Do NOT attempt to fix via time synchronization - this will not solve FortiToken activation issues.
  • Contact your VPN administrator to request a new activation code.
  • Ensure the new code is used within its validity period (typically 24 hours).
  • In the FortiTokenMobile app:
    • Use the SCAN BAR CODE option with the new QR code, OR
    • Manually enter the new activation string.

Disabling 2FA via Database

If you are locked out and cannot access the GUI, disable 2FA for the affected account directly in the database (replace USER with the account's username):

UPDATE users SET secret = NULL, req_2fa = 0 WHERE username = 'USER';


AI Summary for RAG

Summary: Two-Factor Authentication (2FA) is available from VoIPmonitor GUI version 20. Prerequisites include NTP time synchronization as TOTP codes are time-sensitive. Admin users enable/disable 2FA requirement per user via GUI > Users & Audit. Users configure their 2FA via GUI > User Settings > Change User Auth by scanning a QR code with an authenticator app (Google Authenticator, Authy, etc.). Troubleshooting covers time sync issues (install NTP, run ntpdate) and FortiToken activation problems (requires new activation code from VPN admin). If locked out, 2FA can be disabled via database by setting secret=NULL and req_2fa=0 for the user.

Keywords: 2FA, two-factor authentication, TOTP, Google Authenticator, Authy, FortiToken, QR code, NTP, time synchronization, GUI version 20, locked out, disable 2FA, database

Key Questions:

  • What version of VoIPmonitor GUI supports 2FA?
  • Why is time synchronization required for 2FA?
  • How do admins enable or disable 2FA for users?
  • How do users set up 2FA in VoIPmonitor?
  • What apps can generate 2FA codes for VoIPmonitor?
  • How to disable 2FA via database if locked out?
  • Why doesn't time sync fix FortiToken activation issues?