Enable two-factor authentication
Learn how to configure two-factor authentication for your Retool organization.
Two-factor authentication (2FA) provides an additional level of security for your Retool organization. When enabled, users must enter a one-time passcode (OTP) generated by an authenticator app or use a security key (FIDO2) each time they log in.
Enable 2FA
Retool organizations on any plan can enforce 2FA for their users. Admins can access this setting from Settings > Advanced under Authentication Options. For Self-hosted Retool deployments, this applies to all domains in your organization.
You can choose the type of 2FA required for users in your organization:
-
If you enable OTP 2FA, the first time users log in they're presented with a QR code they must scan using an authenticator app (e.g., 1Password, Authy, Google Authenticator). They then have to confirm the generated one-time passcode (OTP) to complete setup. Subsequent logins only require the passcode.
-
If you enable FIDO2 2FA, the first time users log in they need to configure authentication with a hardware key (e.g., Yubikey) or any other security key that implements the FIDO2 standard (e.g., a passkey, browser profile, or phone). Subsequent logins require the configured security key.
FIDO 2FA is not supported in Retool mobile apps. Use OTP 2FA instead.
Users of Retool Cloud and Self-hosted organizations on the Enterprise plan can enable 2FA for their account even if it's not required for the organization. Users can enable and reset 2FA on their accounts from Settings > Account.
Reset 2FA for individual users
If you're the only admin of your organization and need to reset your own 2FA to access your account, contact Retool Security.
Retool administrators can reset 2FA for individual users in the Users settings. Navigate to Settings > Users, then click the ...
menu for the user. Once reset, the user must setup 2FA again the next time they log in.
Users of Retool organizations on the Enterprise plan can also reset their own 2FA from Settings > Account.