Multi-factor authentication (MFA) is a multi-step login process that helps to protect users' accounts on your Totara site by adding an extra layer of security. Totara's MFA requires users to use an authenticator app in addition to their password to access their account.
By combining an authenticator app with the password system, MFA makes it harder for someone to access a user's account and compromise your Totara site, even if they are able to obtain or guess a user's password. This helps to keep your site, as well as users' personal information, safe.
See the MFA developer documentation for more information.
Enable MFA
To enable MFA on your site, follow these steps:
Go to Quick-access menu > Plugins > Multi-factor authentication > Manage multi-factor authentication.
Click the closed eye icon next to Authenticator app. The eye icon should now appear open, indicating that the Authenticator app is enabled.

Set up MFA for your account
Users can then configure MFA for their account by following these steps:
Go to the User menu (your name in the top-right corner) > Preferences > Manage multi-factor authentication.
Click Add factor.

Download an authenticator app such as Google Authenticator or Microsoft Authenticator. Open the app on your mobile device and scan the QR code displayed on the Add an authentication app page in Totara. Alternatively, you can manually enter the code displayed on the Add an authentication app page into the authenticator app.

In Totara, enter the six-digit code provided by the authenticator app.
Click Save.
Log in with MFA enabled
Once the user has set up MFA for their account, they can log in by following these steps:
Go to your Totara site.
Enter Username and Password.
Click Login.
Enter the six-digit code from the authenticator app, then click Verify.
The user should now be logged in to the Totara site.
Multi-factor authentication notifications
You can configure notifications for trigger events related to multi-factor authentication, and add placeholders to those notifications.
By default, notifications are sent to a user when an MFA factor for their account is created or deleted.
Reporting
You can create a user report to view users with MFA enabled. Within the User report source, you can add the Has MFA enabled column and filter. The column shows Yes or No for each user.
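
As an added example (not part of the Totara documentation or product code), the following Python script audits such a report, assuming it has been exported to CSV. The Username column name and the sample rows are assumptions constructed for illustration; only the Has MFA enabled column and its Yes/No values come from this page. Blank or unexpected values are reported separately and never counted as protected.

```python
import csv
import io

# Constructed sample of a CSV export of the user report. "Username" is an
# assumed column name; "Has MFA enabled" is the column described on this page.
SAMPLE_EXPORT = (
    "\ufeffUsername,Has MFA enabled\n"
    "admin,Yes\n"
    "jsmith,No\n"
    "mlee, yes \n"
    "svc-reports,\n"
)


def audit_mfa(csv_text, user_col="Username", mfa_col="Has MFA enabled"):
    """Split report rows into enabled / missing / unknown MFA status."""
    # Strip a UTF-8 byte-order mark so the first header still matches.
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    headers = reader.fieldnames or []
    for col in (user_col, mfa_col):
        if col not in headers:
            raise ValueError(f"report has no '{col}' column")
    result = {"enabled": [], "missing": [], "unknown": []}
    for row in reader:
        user = (row.get(user_col) or "").strip()
        value = (row.get(mfa_col) or "").strip().lower()
        if value == "yes":
            result["enabled"].append(user)
        elif value == "no":
            result["missing"].append(user)
        else:
            # Blank or unexpected value: fail closed, do not assume MFA is on.
            result["unknown"].append(user)
    return result


def coverage(result):
    """Fraction of all listed users confirmed to have MFA enabled."""
    total = sum(len(users) for users in result.values())
    return len(result["enabled"]) / total if total else 0.0


if __name__ == "__main__":
    report = audit_mfa(SAMPLE_EXPORT)
    print("MFA not enabled:", report["missing"])
    print("Status unclear:", report["unknown"])
    print(f"Coverage: {coverage(report):.0%}")
```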

Restoring access to an account with MFA
In the event that you are locked out of your Site Administrator account with MFA enabled (e.g. because you have lost the device with the authenticator app), another Site Administrator can revoke your registered MFA factor on the Manage user login page. To perform this action, the logged-in user needs to have the moodle/user:managelogin capability.
Go to Quick-access menu > Users and browse for the admin user whose MFA you need to revoke.
Click on the user's name to go to their profile.
Click Manage user login.
Under the Action heading, select Reset MFA.
Click Update to revoke the admin user's registered MFA factor.
Following this action, the user will need to complete the MFA registration process again.
A developer can also do this on your behalf using the CLI. Please see the developer documentation for more information on how to do this.
The Totara Academy has a whole course dedicated to Site-level user management in Totara. Here you can learn more about user management, see best practice, and give it a go yourself.