Enable two-factor authentication
Learn how to configure two-factor authentication for your Retool organization.
Two-factor authentication (2FA) provides an additional level of security. Admins can enable two-factor authentication so that users must either enter a one-time passcode (OTP) generated by an authenticator app or use a security key (FIDO2) each time they log in.
Users in organizations on the Enterprise plan can enable two-factor authentication for their account even if it's not required for the organization Settings > Account.
Enforce two-factor authentication
Admins can manage two-factor authentication enforcement by navigating to Settings > Advanced. Set the Require Two Factor Authentication option to either the OTP or FIDO2 method. The next time a user logs in, they will have to configure two-factor authentication before they can continue.
To disable organization-wide two-factor authentication, change this option to None.
Set up OTP authentication
OTP requires a compatible authenticator app, such as 1Password, Authy, and Google Authenticator. To set up:
- Scan the QR code with the authenticator app.
- Enter the generated one-time passcode to confirm and complete set up.
Whenever a user attempts to sign in, they must also enter a generated one-time passcode.
Set up FIDO2 authentication
FIDO 2FA is not supported in Retool mobile apps. Use OTP 2FA instead.
FIDO2 requires a FIDO2-complaint security key. This can be either a hardware key (e.g., Yubikey) or a supported security key method (e.g., passkey). Support for available options depend on the user's device and browser.
FIDO2 setup is handled by the user's browser. Follow the instructions to set up a hardware key or passkey.
Reset two-factor authentication for individual users
If you're the only admin of your organization and lose access to your two-factor authentication method, contact our contact our security team.
Retool administrators can reset 2FA for individual users in the Users settings. Navigate to Settings > Users, then click the ...
menu for the user. Once reset, the user must setup 2FA again the next time they log in.
Users of Retool organizations on the Enterprise plan can also reset their own 2FA from Settings > Account.