Two-Step Verification
Introduction
The enterprise admin dashboard contains sensitive user data. Two-step verification adds an extra layer of security for Dify EE system administrator accounts. Once enabled, even if the password is compromised, unauthorized access can be prevented, ensuring the safety of both system administrator accounts and enterprise data.
This mechanism requires users to enter a time-based verification code from an authenticator app after entering the correct password—enhancing account protection through two-factor authentication.
Implementation Prerequisites
Before configuring two-step verification, please ensure you meet the following requirements:
- System administrator permission - Only system administrators can configure two-step verification.
- Authenticator app - A compatible authenticator app installed on your mobile device.
Authenticator apps (such as Google Authenticator) are based on the TOTP (Time-based One-Time Password) standard, generating a new verification code every 30 seconds.
Enabling Two-Step Verification
Before enabling global two-step verification for your team, you must first configure two-step verification for your personal account.
Personal Account
Steps to configure personal two-step verification:
- Access Admin Dashboard: Log in to the Dify EE admin dashboard.
- Open 2-Step Verification Settings: Click “2-Step Verification” in the sidebar.
- Configure Authenticator: Click “Configure” under the Authenticator section.
- Scan QR Code: Scan the QR code using your authenticator app.
- Enter Verification Code: Enter the six-digit code displayed in the app to complete setup.
If you cannot scan the QR code, hover over the Setup Key to view the key text. Enter this key into your authenticator app to generate a six-digit verification code, then enter this code in the verification field.
After enabling two-step verification, backup codes will be generated. To avoid being locked out of your account if you lose the device with your authenticator app, it’s recommended that you copy or print these backup codes and store them in a secure location.
Backup codes are one-time use only; once a code has been used, it becomes invalid. If you need more backup codes, click “Regenerate.”
Enterprise Global Setting
All system administrators have the authority to enable global two-step verification for the enterprise; however, global verification can only be enabled after personal two-step verification has been configured.
Go to Settings → Authentication to enable global two-step verification for the enterprise. Once enabled, every system administrator will be required to provide an additional verification code when logging into the enterprise admin dashboard. If there are system administrators who haven’t set up two-step verification yet, please refer to the FAQ.
Modifying Two-Step Verification
On the enterprise admin dashboard, click “2-Step Verification” → “Edit” in the menu options to the right of the authenticator. On the verification page that appears, enter the new six-digit verification code displayed by your authenticator to confirm your identity and complete the modification.
Disabling Two-Step Verification
When you disable two-step verification, your account will lose a critical security barrier. The account will then rely solely on your password for protection, which increases vulnerability to unauthorized access.
Personal Account
If the enterprise has enabled global mandatory two-step verification, you cannot disable two-step verification for your personal account.
On the enterprise admin dashboard, click “2-Step Verification” → “Disable Two-Step Verification.”
Enterprise Global Setting
On the enterprise admin dashboard, click “Settings” → “Authentication” and turn off the two-step verification toggle.
System administrators will receive corresponding notifications in their email when two-step verification is enabled, modified, or disabled.
Frequently Asked Questions
What should I do if I lose my device with the authenticator app?
If you’ve forgotten or lost your original device, use the following methods to log in:
- Use backup codes: Select the “Use backup code” option on the login page and enter one of your previously saved backup codes. Note that each backup code can only be used once.
- Contact other system administrators: If you don’t have backup codes, contact other system administrators in your team to request temporary access or assistance in resetting your two-step verification settings.
What if the system shows an error when I enter the correct verification code?
Verification code errors usually occur for the following reasons:
- Time synchronization issues: Authenticator apps generate codes based on time. Ensure your device’s time is synchronized with standard time. Most smartphones automatically synchronize time, but if you’ve turned off auto-sync, enable it in your device settings.
- Expired code: Authenticator verification codes typically update every 30 seconds. If you enter a code as it’s about to expire, it may fail. Wait for a new code to be generated and try again.
- Device and account mismatch: Confirm you’re using the correct authenticator app and account to generate verification codes.
How do I migrate my authenticator after changing phones?
There are two methods to migrate your authenticator:
- Use in-app migration feature: Some authenticator apps (like recent versions of Google Authenticator) provide account export/import functionality, allowing you to transfer authenticator information to a new device.
- Reconfigure two-step verification:
  - Log in using a backup code.
  - Following the steps in Modifying Two-Step Verification, go to your personal two-step verification settings page and click “Edit.”
  - Complete verification using the code generated by your new device.
How do system administrators who haven’t enabled personal account two-step verification log in after global enforcement?
When global two-step verification is enforced, the login process for system administrators who haven’t enabled two-step verification is as follows:
- The system administrator logs in using their email and password (or SSO).
- The system automatically detects that the system administrator hasn’t configured two-step verification and provides setup instructions on the enterprise login page.
- The system administrator needs to download an authenticator app and complete the two-step verification setup according to the on-screen instructions.
- After setup is complete, entering the six-digit verification code will allow the system administrator to continue logging into the enterprise admin dashboard.
Is two-step verification still necessary if the enterprise uses SSO login?
Yes, even if your enterprise uses an SSO (Single Sign-On) system, it’s still recommended to enable two-step verification. This provides dual protection:
- SSO ensures unified authentication of user identity across enterprise applications.
- Two-step verification provides an additional security layer for the enterprise admin dashboard, preventing unauthorized access in case SSO credentials are compromised.
This multi-layered security strategy (also known as “defense in depth”) is a best practice for enterprise information security.