open-vault/website/source/docs/enterprise/mfa/mfa-totp.html.md

---
layout: "docs"
page_title: "TOTP MFA - MFA Support - Vault Enterprise"
sidebar_title: "TOTP MFA"
sidebar_current: "docs-vault-enterprise-mfa-totp"
description: |-
  Vault Enterprise supports TOTP MFA type.
---

# TOTP MFA

This page demonstrates the TOTP MFA on ACL'd paths of Vault.

## Configuration

1. Enable the appropriate auth method:

    ```text
    $ vault auth enable userpass
    ```

1. Fetch the mount accessor for the enabled auth method:

    ```text
    $ vault auth list -detailed
    ```

    The response will look like:

    ```text
    Path         Type        Accessor                  Plugin    Default TTL    Max TTL    Replication    Description
    ----         ----        --------                  ------    -----------    -------    -----------    -----------
    token/       token       auth_token_289703e9       n/a       system         system     replicated     token based credentials
    userpass/    userpass    auth_userpass_54b8e339    n/a       system         system     replicated     n/a
    ```

1. Configure TOTP MFA:

    ```text
    $ vault write sys/mfa/method/totp/my_totp \
        issuer=Vault \
        period=30 \
        key_size=30 \
        algorithm=SHA256 \
        digits=6
    ```

1. Create a policy that gives access to secret through the MFA method created
   above:

    ```text
    $ vault policy write totp-policy -<<EOF
    path "secret/foo" {
      capabilities = ["read"]
      mfa_methods  = ["my_totp"]
    }
    EOF
    ```

1. Create a user. MFA works only for tokens that have identity information on
them. Tokens created by logging in using auth methods will have the associated
identity information. Create a user in the `userpass` auth method and
authenticate against it:


    ```text
    $ vault write auth/userpass/users/testuser \
        password=testpassword \
        policies=totp-policy
    ```

1. Create a login token:

    ```text
    $ vault write auth/userpass/login/testuser \
        password=testpassword

    Key                    Value
    ---                    -----
    token                  70f97438-e174-c03c-40fe-6bcdc1028d6c
    token_accessor         a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
    token_duration         768h
    token_renewable        true
    token_policies         [default totp-policy]
    token_meta_username    "testuser"
    ```

    Note that the CLI is not authenticated with the newly created token yet, we
    did not call `vault login`, instead we used the login API to simply return a
    token.

1. Fetch the entity ID from the token. The caller identity is represented by the
`entity_id` property of the token:

    ```text
    $ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c

    Key                 Value
    ---                 -----
    accessor            a91d97f4-1c7d-6af3-e4bf-971f74f9fab9
    creation_time       1502245243
    creation_ttl        2764800
    display_name        userpass-testuser
    entity_id           307d6c16-6f5c-4ae7-46a9-2d153ffcbc63
    expire_time         2017-09-09T22:20:43.448543132-04:00
    explicit_max_ttl    0
    id                  70f97438-e174-c03c-40fe-6bcdc1028d6c
    issue_time          2017-08-08T22:20:43.448543003-04:00
    meta                map[username:testuser]
    num_uses            0
    orphan              true
    path                auth/userpass/login/testuser
    policies            [default totp-policy]
    renewable           true
    ttl                 2764623
    ```

1. Generate TOTP method attached to the entity. This should be distributed to
the intended user to be able to generate TOTP passcode:

    ```text
    $ vault write sys/mfa/method/totp/my_totp/admin-generate \
        entity_id=307d6c16-6f5c-4ae7-46a9-2d153ffcbc63

    Key        Value
    ---        -----
    barcode    iVBORw0KGgoAAAANSUhEUgAAAM...
    url        otpauth://totp/Vault:307d6c16-6f5c-4ae7-46a9-2d153ffcbc63?algo...
    ```

    Either the base64 encoded png barcode or the url should be given to the end
    user. This barcode/url can be loaded into Google Authenticator or a similar
    TOTP tool to generate codes.

1. Login as the user:

    ```text
    $ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c
    ```

1. Read the secret, specifying the mfa flag:

    ```text
    $ vault read -mfa my_totp:146378 secret/foo

    Key                 Value
    ---                 -----
    refresh_interval    768h
    data                which can only be read after MFA validation
    ```
docs: MFA usage details (#3133) 2017-08-09 03:48:31 +00:00			`---`
			`layout: "docs"`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`page_title: "TOTP MFA - MFA Support - Vault Enterprise"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "TOTP MFA"`
docs: MFA usage details (#3133) 2017-08-09 03:48:31 +00:00			`sidebar_current: "docs-vault-enterprise-mfa-totp"`
			`description: \|-`
			`Vault Enterprise supports TOTP MFA type.`
			`---`

Add PingID MFA docs (#3182) 2017-08-16 02:01:34 +00:00			`# TOTP MFA`
docs: MFA usage details (#3133) 2017-08-09 03:48:31 +00:00
			`This page demonstrates the TOTP MFA on ACL'd paths of Vault.`

Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`## Configuration`

			`1. Enable the appropriate auth method:`

			```text
			`$ vault auth enable userpass`
			```

			`1. Fetch the mount accessor for the enabled auth method:`

			```text
			`$ vault auth list -detailed`
			```

			`The response will look like:`

			```text
			`Path Type Accessor Plugin Default TTL Max TTL Replication Description`
			`---- ---- -------- ------ ----------- ------- ----------- -----------`
			`token/ token auth_token_289703e9 n/a system system replicated token based credentials`
			`userpass/ userpass auth_userpass_54b8e339 n/a system system replicated n/a`
			```

			`1. Configure TOTP MFA:`

			```text
			`$ vault write sys/mfa/method/totp/my_totp \`
			`issuer=Vault \`
			`period=30 \`
			`key_size=30 \`
			`algorithm=SHA256 \`
			`digits=6`
			```

			`1. Create a policy that gives access to secret through the MFA method created`
			`above:`

			```text
Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 20:19:28 +00:00			`$ vault policy write totp-policy -<<EOF`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`path "secret/foo" {`
			`capabilities = ["read"]`
			`mfa_methods = ["my_totp"]`
			`}`
			`EOF`
			```

			`1. Create a user. MFA works only for tokens that have identity information on`
			`them. Tokens created by logging in using auth methods will have the associated`
			identity information. Create a user in the `userpass` auth method and
			`authenticate against it:`


			```text
			`$ vault write auth/userpass/users/testuser \`
			`password=testpassword \`
Update mfa-totp.html.md (#4220) 2018-03-29 20:51:13 +00:00			`policies=totp-policy`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			```

			`1. Create a login token:`

			```text
			`$ vault write auth/userpass/login/testuser \`
			`password=testpassword`

			`Key Value`
			`--- -----`
			`token 70f97438-e174-c03c-40fe-6bcdc1028d6c`
			`token_accessor a91d97f4-1c7d-6af3-e4bf-971f74f9fab9`
			`token_duration 768h`
			`token_renewable true`
Update mfa-totp.html.md (#4220) 2018-03-29 20:51:13 +00:00			`token_policies [default totp-policy]`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`token_meta_username "testuser"`
			```

			`Note that the CLI is not authenticated with the newly created token yet, we`
			did not call `vault login`, instead we used the login API to simply return a
			`token.`

			`1. Fetch the entity ID from the token. The caller identity is represented by the`
			`entity_id` property of the token:

			```text
Cleanup of deprecated commands in tests, docs (#3788) 2018-01-15 20:19:28 +00:00			`$ vault token lookup 70f97438-e174-c03c-40fe-6bcdc1028d6c`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00
			`Key Value`
			`--- -----`
			`accessor a91d97f4-1c7d-6af3-e4bf-971f74f9fab9`
			`creation_time 1502245243`
			`creation_ttl 2764800`
			`display_name userpass-testuser`
			`entity_id 307d6c16-6f5c-4ae7-46a9-2d153ffcbc63`
			`expire_time 2017-09-09T22:20:43.448543132-04:00`
			`explicit_max_ttl 0`
			`id 70f97438-e174-c03c-40fe-6bcdc1028d6c`
			`issue_time 2017-08-08T22:20:43.448543003-04:00`
			`meta map[username:testuser]`
			`num_uses 0`
			`orphan true`
			`path auth/userpass/login/testuser`
Update mfa-totp.html.md (#4220) 2018-03-29 20:51:13 +00:00			`policies [default totp-policy]`
Standardize on "auth method" This removes all references I could find to: - credential provider - authentication backend - authentication provider - auth provider - auth backend in favor of the unified: - auth method 2017-09-13 01:48:52 +00:00			`renewable true`
			`ttl 2764623`
			```

			`1. Generate TOTP method attached to the entity. This should be distributed to`
			`the intended user to be able to generate TOTP passcode:`

			```text
			`$ vault write sys/mfa/method/totp/my_totp/admin-generate \`
			`entity_id=307d6c16-6f5c-4ae7-46a9-2d153ffcbc63`

			`Key Value`
			`--- -----`
			`barcode iVBORw0KGgoAAAANSUhEUgAAAM...`
			`url otpauth://totp/Vault:307d6c16-6f5c-4ae7-46a9-2d153ffcbc63?algo...`
			```

			`Either the base64 encoded png barcode or the url should be given to the end`
			`user. This barcode/url can be loaded into Google Authenticator or a similar`
			`TOTP tool to generate codes.`

			`1. Login as the user:`

			```text
			`$ vault login 70f97438-e174-c03c-40fe-6bcdc1028d6c`
			```

			`1. Read the secret, specifying the mfa flag:`

			```text
			`$ vault read -mfa my_totp:146378 secret/foo`

			`Key Value`
			`--- -----`
			`refresh_interval 768h`
			`data which can only be read after MFA validation`
			```