Enabling and disabling two-factor authentication


This guide only applies to customers with Signal Sciences accounts that aren't linked to Fastly accounts. If you have linked a Signal Sciences account to a Fastly account or just have a Fastly account, check out our guide to enabling and disabling two-factor authentication instead.

We support two-factor authentication (2FA) via apps that support both HMAC-based One-time Password (HOTP) (RFC-4226) and Time-based One-time Password (TOTP) (RFC-6238). This includes Duo Security and Google Authenticator for both iPhone and Android.


We don’t support 2FA enforcement on Signal Sciences accounts.

Enabling two-factor authentication

Two-factor authentication settings are set at the user-level for a particular corp. This means that a user only needs to configure two-factor authentication once to access all the sites to which they belong.

  1. Log in to the Fastly web interface and select Account from the navigation sidebar.
  2. Click Two-factor authentication.

    the account security 2fa setup page

  3. Click Set up two-factor authentication.

  4. Verify your Fastly password and then click Continue. The authentication QR code appears.

    the 2fa QR code


    The QR code above is an example. Scan the one that appears in the Fastly application, not in this guide.

  5. Launch the authenticator application installed on your mobile device and scan the displayed QR code or manually enter the key displayed in the setup window. A time-based authentication code appears on your mobile device. Depending on your device, however, a browser link may first appear. You need to click this link to save it. When you do, the words Secret saved appear briefly.

  6. In the Authentication Code field in the Fastly application, enter the time-based authentication code displayed on your mobile device.


    A common time syncing issue may cause your authenticator codes to fail. You can correct this using Google's instructions for your authenticator application.

  7. Click Continue. The confirmation screen appears along with your recovery codes.

    the 2fa recovery codes


    Recovery codes are only displayed once. Be sure to store a copy of them in a safe place in the same order they appear on the confirmation screen. If you're ever unable to access your mobile device, the recovery codes can be used to log in when your account has two-factor authentication enabled. Each of these recovery codes can only be used once, but you can regenerate a new set of 12 at any time and any previously generated codes that are still unused will be invalidated.

Disabling two-factor authentication

  1. Log in to the Next-Gen WAF control panel.
  2. From the My Profile menu, select Account Settings.
  3. Click Disable two-factor authentication to disable two-factor authentication.
Was this guide helpful?

Do not use this form to send sensitive information. If you need assistance, contact support. This form is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.