Core Docs - Core Concepts - Two-Factor Authentication

Rock Version: v19.0
Last Modified: 2026-01-13 11:46 AM

Two-Factor Authentication (2FA) is your extra layer of login security. With 2FA, logging into Rock involves more than just a username and password; you'll also need to verify your identity via email or text. However, this doesn’t apply to everyone. You get to control who is required to use 2FA based on their Account Protection Profile.

If you're using Passwordless Login on your site, people needing 2FA will still need to enter their username and password after completing the Passwordless process.

External Authentication
Built-in external authentication providers like Google or Facebook do not support Two-Factor Authentication. So, they can’t be used if 2FA is turned on. There is a customizable message in the Login block that the person will see in this case.

In the below example, the person initially logged in with a traditional username and password. Now they must provide their email or phone number to proceed.

If the person uses their phone number, they will be sent a verification code via SMS text message.

Then, back in Rock, the person will need to enter the verification code from their phone to finish logging in.

If they provide an email address instead of a phone number, there’s a button in the email they receive that they need to click to finish the sign-in process. This will log them in promptly and does not require that they manually enter the code.

If the email address or phone number they provide doesn’t match what they have in Rock, or if they don’t have a phone number or email at all, they’ll be instructed to contact you for assistance, as pictured below.
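The flow described above (profile decides who is challenged, the contact the person types must match their record, SMS code typed back or email link clicked, otherwise "contact us") can be modelled as a small policy-and-challenge routine. The following is an added illustration, not Rock's own code: the Person and Challenge classes, the five-minute lifetime, the three-attempt cap and the single-use rule are assumptions made for the example, not documented Rock behaviour.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Set


# Constructed data model: these names and fields are assumptions for this
# example and are not Rock's own person or login classes.
@dataclass
class Person:
    username: str
    protection_profile: str          # Account Protection Profile, e.g. "Extreme"
    email: Optional[str] = None
    mobile_phone: Optional[str] = None


@dataclass
class Challenge:
    person: Person
    channel: str                     # "sms" (typed code) or "email" (clicked link)
    secret: str                      # 6-digit code for SMS, opaque token for email
    expires_at: float                # unix time; assumed lifetime, not a Rock setting
    attempts_left: int = 3           # assumed cap on wrong entries


def requires_2fa(person: Person, required_profiles: Set[str]) -> bool:
    """Policy step: only people whose profile is in the required set get a challenge."""
    return person.protection_profile in required_profiles


def normalize_phone(raw: str) -> str:
    """Digits only, so '(555) 010-0001' and '5550100001' compare equal."""
    return "".join(ch for ch in raw if ch.isdigit())


def start_challenge(person: Person, provided_contact: str, now: float,
                    ttl_seconds: int = 300) -> Optional[Challenge]:
    """Issue a second-factor challenge only when the contact the person typed
    matches what is on their record. Returning None is the 'contact us for
    assistance' outcome: nothing is sent to an address the system does not know."""
    if "@" in provided_contact:
        if person.email and provided_contact.strip().lower() == person.email.lower():
            # Email path: the secret becomes the one-click sign-in link token.
            return Challenge(person, "email", secrets.token_urlsafe(32), now + ttl_seconds)
        return None
    digits = normalize_phone(provided_contact)
    if digits and person.mobile_phone and digits == normalize_phone(person.mobile_phone):
        # SMS path: a short numeric code the person types back into the login form.
        return Challenge(person, "sms", f"{secrets.randbelow(10**6):06d}", now + ttl_seconds)
    return None


def verify(challenge: Challenge, submitted: str, now: float) -> bool:
    """Complete the challenge. The same check serves a typed SMS code and a
    clicked email link (the link carries the token as `submitted`)."""
    if now > challenge.expires_at or challenge.attempts_left <= 0:
        return False
    challenge.attempts_left -= 1
    if hmac.compare_digest(challenge.secret, submitted.strip()):
        challenge.attempts_left = 0  # single use: a replayed code or link is refused
        return True
    return False
```

The matching step is the part worth keeping in mind when reading the scenario above: the person chooses the channel, but the destination always comes from their own record, which is why an address that is not on file ends in the assistance message rather than in a message being sent.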

Two-Factor Authentication Setup

We’ll start with the communication configuration. Two-Factor Authentication uses some of the same functionality as the Passwordless Login process, including sending the person an email or SMS message. So, if you've set up Passwordless Login already, you can skip updating your communication configuration. If not, go to Admin Tools > Settings > System Communications and add a "From" number to the SMS section of the Passwordless Login Confirmation system communication.

Two-Factor Authentication is turned off by default, partially because it won’t work without the above configuration. So, your last step is to enable 2FA. You’ll need to update your Security Settings under Admin Tools > Settings > Security Settings. There you’ll choose which Protection Profile(s) should be required to use 2FA.

Check Login Block Settings
If the Login block’s settings have Show Internal Database Login set to "No", and Redirect to Single External Auth Provider set to "Yes", then you should NOT enable 2FA. If you do, you may lock yourself or others out of Rock.  

At a minimum, you may want to require Two-Factor Authentication for people with Extreme Protection Profiles. This helps prevent fraudulent attempts to log in using accounts with higher levels of access to Rock.
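The three settings the setup section ties together (the Login block's two visibility options, the SMS "From" number, and the profiles required to use 2FA) are easy to check against each other before flipping the switch. The following pre-flight check is an added example, not part of Rock and not a Rock API: the setting classes are stand-ins for the admin screens named above, and the full list of profile names is an assumption (the page itself only names "Extreme").

```python
from dataclasses import dataclass
from typing import List, Set

# Assumed names for Rock's Account Protection Profiles; the page only names "Extreme".
PROTECTION_PROFILES = {"Low", "Medium", "High", "Extreme"}


@dataclass
class LoginBlockSettings:
    show_internal_database_login: bool               # "Show Internal Database Login"
    redirect_to_single_external_auth_provider: bool  # "Redirect to Single External Auth Provider"


@dataclass
class SecuritySettings:
    two_factor_required_profiles: Set[str]  # empty set = 2FA off (the default)


@dataclass
class CommunicationSettings:
    passwordless_sms_from_number: str = ""  # "From" number on Passwordless Login Confirmation


def check_two_factor_config(login: LoginBlockSettings, security: SecuritySettings,
                            comms: CommunicationSettings) -> List[str]:
    """Return findings to resolve when enabling 2FA. An empty list means the
    settings described on this page are consistent with each other."""
    findings: List[str] = []
    if not security.two_factor_required_profiles:
        return findings  # 2FA is off; none of the checks below apply yet

    # The lockout case from "Check Login Block Settings": internal login hidden
    # and everyone redirected to one external provider that cannot complete 2FA.
    if (not login.show_internal_database_login
            and login.redirect_to_single_external_auth_provider):
        findings.append(
            "LOCKOUT RISK: 2FA is enabled but the Login block hides the internal "
            "database login and redirects straight to one external provider; "
            "external providers cannot complete 2FA, so 2FA users cannot sign in.")

    # The communication prerequisite: without a From number, SMS codes cannot go out.
    if not comms.passwordless_sms_from_number.strip():
        findings.append(
            "BROKEN SMS PATH: no 'From' number on the Passwordless Login "
            "Confirmation system communication; phone verification codes "
            "cannot be sent.")

    unknown = security.two_factor_required_profiles - PROTECTION_PROFILES
    if unknown:
        findings.append(
            f"UNKNOWN PROFILE(S): {sorted(unknown)} are not protection profile names.")

    # The recommendation above: highest-access accounts should at least be covered.
    if "Extreme" not in security.two_factor_required_profiles:
        findings.append(
            "ADVISORY: 'Extreme' is not among the profiles required to use 2FA; "
            "the accounts with the most access have no second factor.")
    return findings
```

Running the check with the Login block set to hide the internal login and redirect to a single provider returns the lockout finding first; resolving that before enabling 2FA is what keeps administrators from locking themselves out.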

When to Turn On
In the rare event that you turn on 2FA while people are actively logged in to Rock, and if those people require 2FA, they will be automatically logged out and must sign in again using 2FA. For this reason, you may want to turn this on during periods of low activity.

The Login block itself has a few settings directly related to Two-Factor Authentication. These are messages that the person will see if things don’t go exactly as planned. The messages include the following topics/scenarios:

Passwordless with Passwords
Note that Passwordless Login will require the person to establish a username and password as part of that process if 2FA is turned on.

Things to Remember: