# MFA Configuration

To enable multi-factor authentication (MFA), you must set up certain configurations.

In systems that involve user authentication and data protection, encryption and salting mechanisms are critical to ensure that user authentication processes are both secure and trustworthy.

* **Secret**: A secret key used for encryption.
* **Salt**: A random value to enhance security.

These elements strengthen the MFA process to ensure secure and reliable user authentication.

The following parameters are available for configuring MFA in Connectware.

| Parameter                             | Description                                                                                                                                 |
| ------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
| `CYBUS_MFA_ENABLED`                   | Enables the MFA feature when set to `true`. Disables MFA when set to `false`.                                                               |
| `CYBUS_MFA_ENCRYPTION_SECRET`         | The key used for MFA encryption.                                                                                                            |
| `CYBUS_MFA_ENCRYPTION_SALT`           | Additional random element used in the MFA encryption process.                                                                               |
| `CYBUS_MFA_MAX_INVALID_OTPS_PER_USER` | Optional: Specifies the maximum number of incorrect OTPs a user can input during MFA login before their account is temporarily deactivated. |
| `CYBUS_MFA_BAN_DURATION_MINUTES`      | Optional: Defines the duration (in minutes) of temporary account deactivation after multiple failed OTP attempts during MFA login.          |

{% hint style="warning" %}
Keep in mind that the combination of **CYBUS\_MFA\_ENCRYPTION\_SECRET** and **CYBUS\_MFA\_ENCRYPTION\_SALT** ensures the cryptographic robustness of 2FA tokens, making them both safe and distinct. If these values are compromised, the system is exposed to potential unauthorized access and breaches. If you modify these values, previously generated 2FA secrets become undecipherable. As a consequence, users with 2FA enabled are no longer able to log in.
{% endhint %}

Example configuration:

{% code lineNumbers="true" %}

```yaml
CYBUS_MFA_ENABLED=true
CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002
```

{% endcode %}
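The following pre-deployment check for an environment file that uses the parameters above is an added example, not part of the Connectware documentation or product. Its rules are assumptions of this example: the values shown in the example configuration are public and must not be reused, time-based (version 1) UUIDs do not count as random, secret and salt must differ, and the optional limits must be positive whole numbers.

```python
import re

# Values printed in the public example configuration above; never deploy them.
DOC_EXAMPLES = {"18473274-5073-11ee-be56-0242ac120002",
                "229c75c2-5073-11ee-be56-0242ac120002"}
# Version-1 UUIDs encode a timestamp and node ID; they are not random values.
UUID_V1 = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-1[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
REQUIRED = ("CYBUS_MFA_ENCRYPTION_SECRET", "CYBUS_MFA_ENCRYPTION_SALT")
OPTIONAL_INT = ("CYBUS_MFA_MAX_INVALID_OTPS_PER_USER",
                "CYBUS_MFA_BAN_DURATION_MINUTES")

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def lint_mfa(env):
    """Return a list of findings for the MFA parameters in env."""
    if env.get("CYBUS_MFA_ENABLED") != "true":
        return []  # MFA disabled: nothing to check
    findings = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            findings.append(f"{name}: missing while MFA is enabled")
        elif value in DOC_EXAMPLES:
            findings.append(f"{name}: value copied from the documentation")
        elif UUID_V1.match(value):
            findings.append(f"{name}: time-based UUID, not a random value")
    if env.get(REQUIRED[0]) and env.get(REQUIRED[0]) == env.get(REQUIRED[1]):
        findings.append("secret and salt are identical")
    for name in OPTIONAL_INT:
        # Assumption: both optional limits must be positive whole numbers.
        if name in env and not (env[name].isdecimal() and int(env[name]) > 0):
            findings.append(f"{name}: expected a positive integer")
    return findings

# Constructed sample: the documentation's example values plus an invalid limit.
SAMPLE = """CYBUS_MFA_ENABLED=true
CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002
CYBUS_MFA_MAX_INVALID_OTPS_PER_USER=0"""

if __name__ == "__main__":
    print("\n".join(lint_mfa(parse_env(SAMPLE))))
```

Run the check before the first deployment only: as the warning above states, changing the secret or salt afterwards makes existing 2FA secrets undecipherable.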

#### Related Links

[Multi-Factor Authentication](/1-8-0/documentation/user-management/multi-factor-authentication.md)


