Multi-factor authentication (MFA)


Multi-factor authentication (MFA) is a multi-step login process that helps to protect users' accounts on your Totara site by adding an extra layer of security. Totara's MFA requires users to use an authenticator app in addition to their password to log in.

By combining an authenticator app with the password system, MFA makes it harder for someone to access a user’s account and compromise your Totara site, even if they are able to obtain or guess a user’s password. This helps to keep your site, as well as users' personal information, safe.


See the MFA developer documentation for more information.

Enable MFA

To enable MFA on your site, follow these steps:

  1. Go to Quick-access menu > Plugins > Multi-factor authentication > Manage multi-factor authentication (admin/settings.php?section=mfa_settings).

  2. Click the closed eye icon next to Authenticator app.

  3. The eye icon should now appear open, indicating that the Authenticator app is enabled.

Multi-factor authentication management page displaying available authentication factors with enable controls.

Security key

The Security key option allows users to sign in using a physical device, such as a USB or Bluetooth key, instead of only entering a password. When this option is enabled, users can register a compatible WebAuthn security key with their account. During sign-in, they confirm their identity by touching or activating the registered device.

Security keys provide a simple and secure way to confirm a user’s identity and help protect accounts from unauthorised access.

To enable the Security key option:

  1. Go to Quick-access menu > Plugins > Multi-factor authentication > Manage multi-factor authentication (admin/settings.php?section=mfa_settings).

  2. Click the closed eye icon next to Security key.

  3. The eye icon should now appear open, indicating that the Security key is enabled.

MFA rules

Multi-factor authentication rules define which users are required to set up multi-factor authentication and when that requirement applies. This ensures stronger account security and can be applied to specific user groups.

To set up Multi-factor authentication rules:

  1. Go to Quick-access menu > Plugins > Multi-factor authentication > Multi-factor authentication rules (mfa/rules/).

  2. Click Create.

  3. Add a name for your rule (mandatory field).

  4. Select a date for the MFA is required from setting. The rule is only enforced on or after this date. Before this date, matched users will still be prompted to set up MFA, but will have the option to temporarily skip setup and log in as normal. Once the MFA is required from date has passed, users cannot skip the prompt and will be required to set up MFA.

  5. From the Applies to option, select which users the rule applies to:

    • All users

    • Any of the following

  6. If you select to apply the rule to Any of the following, you can then select:

    • Audiences: Click Add audience and from the Browse all tab in the pop-up, select one or multiple audiences from the list and click Add

    • Roles: From the dropdown menu, select one or multiple roles whose users will be required to set up multi-factor authentication

    • Authentication method: From the dropdown menu, select one or multiple authentication methods whose users will be required to set up multi-factor authentication

  7. Click Submit.

    Screenshot of the Create rule page showing fields to name the rule, set the MFA start date, select user groups or roles, and choose authentication methods, with Submit and Cancel buttons.

From the Multi-factor authentication rules page you can edit or delete any rules. Select the three dots for a rule, then select either Edit or Delete.
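The following added example (not Totara's code) models how one rule, as described in the steps above, decides what a user sees at login, so you can list who still needs to enrol before the enforcement date. The class names, outcome labels, role and authentication method values are constructed, and treating Any of the following as a match on any single selected criterion is an assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class User:
    username: str
    auth_method: str                    # constructed values, e.g. "manual"
    roles: frozenset = frozenset()
    audiences: frozenset = frozenset()
    has_factor: bool = False            # an MFA factor is already registered

@dataclass(frozen=True)
class Rule:
    name: str
    required_from: date                 # the "MFA is required from" date
    all_users: bool = False             # Applies to: All users
    audiences: frozenset = frozenset()  # Applies to: Any of the following
    roles: frozenset = frozenset()
    auth_methods: frozenset = frozenset()

def matches(rule, user):
    """Assumption: one matching audience, role or auth method is enough."""
    if rule.all_users:
        return True
    return bool(rule.audiences & user.audiences
                or rule.roles & user.roles
                or user.auth_method in rule.auth_methods)

def login_outcome(rule, user, today):
    """Model of the setup prompt a user meets when logging in on `today`."""
    if user.has_factor:
        return "enrolled"               # nothing left to set up
    if not matches(rule, user):
        return "not_required"
    if today >= rule.required_from:     # enforced on or after the date
        return "setup_required"
    return "setup_skippable"            # prompted, but may skip for now

def pending_users(rule, users):
    """Matched users with no factor yet: who to chase before the date."""
    return sorted(u.username for u in users
                  if matches(rule, u) and not u.has_factor)

# Constructed sample data, not taken from a real site.
RULE = Rule("Managers and manual accounts", date(2026, 3, 1),
            roles=frozenset({"manager"}), auth_methods=frozenset({"manual"}))
USERS = [
    User("alice", "oauth2", roles=frozenset({"manager"})),
    User("bob", "manual", roles=frozenset({"learner"})),
    User("carol", "oauth2", roles=frozenset({"learner"})),
    User("dave", "manual", roles=frozenset({"manager"}), has_factor=True),
]
```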

Set up MFA for your account

You can configure MFA for your account in either of two ways:

  • When you first log in after MFA is enabled, you will be prompted to set up multi-factor authentication.

    • When prompted at login, click on Authenticator app.

      Screenshot of the Set up multi-factor authentication page prompting users to add an additional factor, with an option to use an Authenticator app and links to log out or skip setup.

  • Or, when you are logged in:

    • Go to the User menu (your name in the top-right corner) > Preferences > Manage multi-factor authentication.

    • Click Add factor.

      Screenshot of the Preferences page showing user account options including Edit profile, Change password, and Manage multi-factor authentication.

You can then follow these steps to set up your MFA:

  1. Download an authenticator app such as Google or Microsoft Authenticator. Open the app on your mobile device and scan the QR code displayed on the Add an authentication app page in Totara. Alternatively, you can manually enter the code displayed on the Add an authentication app page into the authenticator app.

    Screenshot of the Add an authenticator app page showing a QR code, a blurred setup key, and a field to enter a 6-digit code generated by an authenticator app.

  2. In Totara, enter the six-digit code provided by the authenticator app.

  3. Click Save.

Log in with MFA enabled

Once you have set up MFA for your Totara account, you can log in by following these steps:

  1. Go to your Totara site.

  2. Enter your Username and Password, then click Login.

  3. If an authenticator app is configured, a verification screen appears prompting for a six-digit code.

  4. If a security key is configured, the user is prompted to insert or activate the registered device and confirm the sign-in request.

  5. Once the required verification is successfully completed, the user is logged in and the Totara dashboard loads as normal.

Multi-factor authentication notifications

You can configure notifications for trigger events related to multi-factor authentication, and add placeholders to those notifications.

By default there are notifications sent to a user when an MFA factor for their account is created or deleted.

Reporting

You can create a user report to view users with MFA enabled. Within the User report source you can add a Has MFA enabled column and filter. This will give the report a column with Yes or No data.

Screenshot of the user search page showing filters for User’s Fullname and MFA status, with a results table listing users, usernames, last login, and MFA enabled status.

Restoring access to an account with MFA

In the event that you are locked out of your Site Administrator account with MFA enabled (e.g. because you have lost the device with the authenticator app), another Site Administrator can revoke your registered MFA factor on the Manage user login page. To perform this action, the logged-in user needs to have the moodle/user:managelogin capability.

  1. Go to Quick-access menu > Users and browse for the admin user whose MFA you need to revoke.

  2. Click on the user's name to go to their profile.

  3. Click Manage user login.

  4. Under the Action heading, select Reset MFA.

  5. Click Update to revoke the admin user's registered MFA factor.

Following this action, the user will need to complete the MFA registration process again.

A developer can also do this on your behalf using the CLI. Please see the developer documentation for more information on how to do this.

The Totara Academy has a whole course dedicated to Site-level user management in Totara. Here you can learn more about user management, see best practice, and give it a go yourself.



© Copyright 2026 Totara Learning Solutions. All rights reserved.