Enabling and disabling two-factor authentication

IMPORTANT

This guide only applies to customers with Fastly accounts or with Signal Sciences accounts linked to Fastly accounts. If you have a Signal Sciences account that isn't linked to a Fastly account, check out our guide to enabling and disabling two-factor authentication for Signal Sciences.

Fastly supports two-factor authentication, a two-step verification system, for logging in to the web interface and other linked Fastly assets (e.g., the Fastly support portal). In a two-factor authentication security process, users provide two means of identifying themselves to the system, typically by providing the system with something they know (for example, their login ID and password combination) and something they have (such as an authentication code). Organizations can enable company-wide two-factor authentication to require all users within the organization to use two-factor authentication.

Before you begin

You'll need to enter an authentication code regularly. Once two-factor authentication has been enabled for your Fastly account, an authentication code will be requested upon login at least every 14 days for each computer and browser you use to access the Fastly web interface or a linked Fastly asset.

A mobile device is required. Using this security feature with a Fastly account requires a mobile device capable of scanning a barcode or QR code using a downloadable authenticator application. We recommend the following:

There are special requirements for using this feature with API tokens. Check out the API token documentation for more information.

Managing two-factor authentication as a user

Depending on whether or not your organization has enabled company-wide two-factor authentication, you may be able to enable and disable two-factor authentication for your personal account. We also have instructions for recovering access to your account if you lose your mobile device.

Enabling two-factor authentication

Follow these steps to enable two-factor authentication for your account.

  1. Log in to the Fastly web interface.
  2. Go to Account > Personal profile > Two-factor authentication.

  3. Click Set up two-factor authentication.

  4. Re-enter your login credentials and then click Continue. The setup page with the authentication QR code appears.

    the 2fa QR code

    IMPORTANT

    The QR code above is an example. Scan the one that appears in the Fastly application, not in this guide.

  5. Launch the authenticator application installed on your mobile device and scan the displayed QR code or manually enter the key displayed in the setup window. A time-based authentication code appears on your mobile device. Depending on your device, however, a browser link may first appear. You need to click this link to save it. When you do, the words Secret saved appear briefly.

  6. In the One-time code field in the Fastly application, enter the time-based authentication code displayed by your mobile device.

    IMPORTANT

    A common time syncing issue may cause your authenticator codes to fail. You can correct this using Google's instructions for your authenticator application.

  7. In the Device Name field in the Fastly application, enter a name to help you identify your device.

  8. Click Continue. The confirmation screen appears along with your recovery codes.

    IMPORTANT

    Recovery codes are only displayed once. Be sure to store a copy of them in a safe place in the same order they appear on the confirmation screen. If you're ever unable to access your mobile device, the recovery codes can be used to log in when your account has two-factor authentication enabled. Each of these recovery codes can only be used once, but you can regenerate a new set of 12 at any time and any previously generated codes that are still unused will be invalidated.
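
Why a time syncing issue makes the code in step 6 fail, shown as an added example (not Fastly's code). It assumes the RFC 6238 defaults that authenticator apps commonly use (HMAC-SHA-1, 30-second step, 6 digits); the key is the published RFC 6238 test key, and the server's `window` tolerance is hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 published test key (ASCII "12345678901234567890") in the base32
# form an authenticator setup screen shows for manual entry. Not a real secret.
SECRET = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def totp(secret_b32, unix_time, step=30, digits=6):
    """Compute the RFC 6238 code (HMAC-SHA-1) for the given clock reading."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    counter = int(unix_time) // step          # number of 30 s steps since epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, server_time, window=1, step=30):
    """Return the step offset at which the code matches, or None.

    window is a hypothetical server tolerance, in steps, for clock drift.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * step, step, len(code))
        if hmac.compare_digest(expected, code):
            return drift
    return None


if __name__ == "__main__":
    server_now = 1111111111                   # constructed timestamp
    for skew in (0, -30, -300):               # device clock error in seconds
        code = totp(SECRET, server_now + skew)
        print(f"device skew {skew:>5}s code {code} ->",
              verify(SECRET, code, server_now))
```

A device whose clock is one step behind is still accepted when the verifier tolerates one step of drift, while a device several minutes off produces a code the verifier never computes.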

Once you enable two-factor authentication for your account, any other open sessions will require reauthentication. For example, if you enable two-factor authentication in one browser window and you're viewing various aspects of a service configuration through multiple additional browser windows, you will be required to reauthenticate in those additional windows, this time using an authentication code generated by the authenticator application installed on your mobile device (in addition to your email and password).

Future logins will also require an authenticator code. By default, the system requires you to authenticate your login using an authentication code at least every two weeks for each computer and browser you use to access the Fastly web interface or linked Fastly asset.

Disabling two-factor authentication

Once two-factor authentication is enabled for your account, you can disable it at any time by following the steps below.

IMPORTANT

If your organization has enabled company-wide two-factor authentication, you cannot disable two-factor authentication for your account.

  1. Log in to the Fastly web interface.
  2. Go to Account > Personal profile > Two-factor authentication.

  3. Click Disable two-factor authentication.

  4. In the Authentication Code field, enter the time-based authentication code displayed in the authenticator application on your mobile device, then click Confirm and Disable.

NOTE

If you have lost your mobile device, you can enter a recovery code in the Authentication Code field. For more information, check out the section on what to do if you lose your mobile device.

What to do if you lose your mobile device

If you lose your mobile device after enabling two-factor authentication, use a recovery code to log in to your Fastly account.

WARNING

You must use the recovery codes for your account in the order they were supplied to you. If you don't, you'll be asked to enter a valid code.

You can continue to use recovery codes to log in until you get your mobile device back. Recovery codes can only be used once, however, so remember to regenerate a new list of codes to avoid running out before you recover your mobile device.

If you do not believe you will be able to recover your lost mobile device and you still have at least two recovery codes left, you can log in with one recovery code and disable two-factor authentication with a second code. Once two-factor authentication is disabled, you can re-enable it with a new mobile device at a later time and regenerate a new set of codes.

If your organization has enabled company-wide two-factor authentication, you can contact a superuser for your organization and ask them to reset your two-factor authentication.

Locked out of your account? See our article on what you can do about it.

Managing two-factor authentication as a superuser

Organizations can enable two-factor authentication for users one at a time or for all of their users at once. When the company-wide two-factor authentication feature is enabled, all users within the organization are required to use two-factor authentication to log in to the Fastly web interface, and they cannot disable two-factor authentication for their accounts.

Enabling two-factor authentication for a single user

If you are assigned the superuser role for your organization, you can view who has two-factor authentication enabled in the User management settings for your account. Users with this feature enabled have 2FA displayed next to their names.

To disable two-factor authentication for any user within your organization, select Disable 2FA from the menu that appears when you click the gear icon next to that user's name.

Resetting a user's two-factor authentication

If company-wide two-factor authentication is enabled, and a user within the organization gets locked out of their account or needs to enable a new device, an account superuser can reset their two-factor authentication. To reset a user's two-factor authentication, follow the steps below.

  1. Log in to the Fastly web interface.
  2. Go to Account > User management.
  3. In the Users area, click the gear icon next to a user and then select Reset 2FA. A warning message appears.
  4. Click Reset. The user will need to set up two-factor authentication for their account the next time they log in.

Disabling two-factor authentication for a single user's account

If company-wide two-factor authentication is enabled, a superuser can disable two-factor authentication for a single user's account. This is typically done for user accounts being used for scripts and session authentication. To disable two-factor authentication for a single user's account, follow the steps below.

  1. Log in to the Fastly web interface.
  2. Go to Account > User management.
  3. In the Users area, click the gear icon next to a user and then select Ignore 2FA. A warning message appears.
  4. Click Ignore. Two-factor authentication will no longer be required for the selected user.

Enabling company-wide two-factor authentication

Users assigned the superuser role can enable this feature on the Account page. To enable company-wide two-factor authentication for all users within your organization, follow the steps below.

  1. Log in to the Fastly web interface and select Account from the navigation sidebar.
  2. In the Customer options area, select Enabled from the Company-wide two-factor authentication controls.

  3. Click Update Customer Options. A warning message appears stating that login sessions from non-2FA users in your company will immediately expire.

  4. Click Continue. Two-factor authentication becomes required for all users in your company. Anyone currently logged in and not previously using 2FA on their account will be logged out of the Fastly web interface. Anyone who has not already enabled two-factor authentication for their account will be prompted to do so the next time they log in to the Fastly web interface.

Disabling company-wide two-factor authentication

A superuser can disable company-wide two-factor authentication. Once this feature is disabled, existing users within the organization will be able to manage their own two-factor authentication settings, and new users will not be required to set up two-factor authentication to log in to the Fastly web interface. To disable company-wide two-factor authentication, follow the steps below:

  1. Log in to the Fastly web interface and select Account from the navigation sidebar.
  2. In the Customer options area, select Disabled from the Company-wide two-factor authentication controls.

  3. Click Update Customer Options. A warning message appears.

  4. Click Continue. Company-wide two-factor authentication becomes disabled.
