# MFA Configuration

To enable multi-factor authentication (MFA), you must set up certain configurations.

In systems that involve user authentication and data protection, encryption and salting mechanisms are critical to ensure that user authentication processes are both secure and trustworthy.

* **Secret**: A secret key used for encryption.
* **Salt**: A random value to enhance security.

These elements strengthen the MFA process to ensure secure and reliable user authentication.

The following parameters are available for configuring MFA in Connectware.

| Parameter                             | Description                                                                                                                                 |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `CYBUS_MFA_ENABLED`                   | Enables the MFA feature when set to `true`. Disables MFA when set to `false`.                                                               |
| `CYBUS_MFA_ENCRYPTION_SECRET`         | The key used for MFA encryption.                                                                                                            |
| `CYBUS_MFA_ENCRYPTION_SALT`           | Additional random element used in the MFA encryption process.                                                                               |
| `CYBUS_MFA_MAX_INVALID_OTPS_PER_USER` | Optional: Specifies the maximum number of incorrect OTPs a user can input during MFA login before their account is temporarily deactivated. |
| `CYBUS_MFA_BAN_DURATION_MINUTES`      | Optional: Defines the duration (in minutes) of temporary account deactivation after multiple failed OTP attempts during MFA login.          |

{% hint style="warning" %}
Keep in mind that the combination of **CYBUS\_MFA\_ENCRYPTION\_SECRET** and **CYBUS\_MFA\_ENCRYPTION\_SALT** ensures the cryptographic robustness of 2FA tokens, making them both safe and distinct. If these values are compromised, the system is exposed to potential unauthorized access and breaches. Modifying these values makes previously generated 2FA secrets undecipherable. As a consequence, users with 2FA enabled would no longer be able to log in.
{% endhint %}

Example configuration:

{% code lineNumbers="true" %}

```yaml
CYBUS_MFA_ENABLED=true
CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002
```

{% endcode %}
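
The following script is an added example, not part of the Connectware documentation or tooling. It audits an env file for the parameters above and generates a missing secret and salt from the kernel CSPRNG, never replacing values that already exist, because changing them locks out enrolled users. The helper names (`env_get`, `random_hex`, `check_mfa_env`, `ensure_mfa_secrets`) are hypothetical, and the script assumes that the settings live in a `KEY=value` file and that Connectware accepts a 64-character hex string for both values.

```bash
#!/usr/bin/env bash
# Added example (not Connectware tooling). Helper names are hypothetical.
# Sample values from the example configuration above; they are public, so
# a deployment that still uses them is flagged.
DOC_SECRET="18473274-5073-11ee-be56-0242ac120002"
DOC_SALT="229c75c2-5073-11ee-be56-0242ac120002"

# Print the value of KEY ($2) in env file $1; if repeated, the last one.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# 32 bytes from the kernel CSPRNG as 64 hex characters.
# Assumption: Connectware accepts such a string for both parameters.
random_hex() { head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'; }

# Return 0 if the MFA settings in file $1 pass, 1 otherwise (findings on stderr).
check_mfa_env() {
  local file=$1 rc=0 secret salt
  # MFA disabled: the secret and salt are not in use, nothing to check.
  [ "$(env_get "$file" CYBUS_MFA_ENABLED)" = "true" ] || return 0
  secret=$(env_get "$file" CYBUS_MFA_ENCRYPTION_SECRET)
  salt=$(env_get "$file" CYBUS_MFA_ENCRYPTION_SALT)
  [ -n "$secret" ] || { echo "CYBUS_MFA_ENCRYPTION_SECRET is not set" >&2; rc=1; }
  [ -n "$salt" ] || { echo "CYBUS_MFA_ENCRYPTION_SALT is not set" >&2; rc=1; }
  [ "$secret" != "$DOC_SECRET" ] || { echo "secret is the documentation sample" >&2; rc=1; }
  [ "$salt" != "$DOC_SALT" ] || { echo "salt is the documentation sample" >&2; rc=1; }
  [ -z "$secret" ] || [ "$secret" != "$salt" ] || { echo "secret equals salt" >&2; rc=1; }
  return "$rc"
}

# Append a generated value for each key that has none. Existing values are
# never rewritten: changing them makes stored 2FA secrets undecipherable
# and locks out every user who has 2FA enabled.
ensure_mfa_secrets() {
  local file=$1 key
  # Make sure the file ends with a newline before appending.
  [ -z "$(tail -c 1 "$file")" ] || echo >> "$file"
  for key in CYBUS_MFA_ENCRYPTION_SECRET CYBUS_MFA_ENCRYPTION_SALT; do
    if [ -z "$(env_get "$file" "$key")" ]; then
      printf '%s=%s\n' "$key" "$(random_hex)" >> "$file"
    fi
  done
  chmod 600 "$file"   # the file now holds key material
}
```

Run `ensure_mfa_secrets` once when provisioning an instance and `check_mfa_env` before each deployment; back up the generated values together with the user database, since one is useless without the other.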

#### Related Links

[Multi-Factor Authentication](https://docs.cybus.io/1-7-3/documentation/user-management/multi-factor-authentication)
