Two-factor authentication (2FA)

ScoutDNS supports email-based token 2FA for all operators who access the Admin Console. When enabled, every login requires a six-digit token delivered to the operator’s email. The setting is org-wide and applies to every operator with account access.

[!IMPORTANT] 2FA is strongly recommended for every production account. It’s the only protection your Super Admin break-glass account has if SSO is enabled and Entra ID is the rest of the auth surface. See SSO with Entra ID for the broader auth model.

Enable 2FA

The toggle lives on the Access Management screen and is only visible to Super Admins.

1. Click the profile icon (top right) and open Access Management.
2. Look for the 2FA toggle in the upper-right of the page.
3. Switch it on.

From the next login onward, every operator with account access has to enter a six-digit token sent to the email address on their user ID.

Trust this device

Operators can choose Trust Device when entering a token. The token is then bypassed on that browser for 30 days, after which the next login requires a fresh token.

[!TIP] “Trust Device” is per browser, not per machine. Logging in from an incognito window or a different browser will trigger a fresh token prompt.

Cross-account behavior

If an operator has access to multiple ScoutDNS accounts (typical for MSPs), the 2FA token from one account is valid for all the accounts that have 2FA enabled, as long as the operator’s session stays active. They won’t be prompted again when switching between accounts.

Related

• SSO with Microsoft Entra ID
• Add system users (role-based access)
• API access