.. _user/mfa:

#################
MFA Configuration
#################

When configuring Multi-Factor Authentication (MFA) features, especially in systems that involve user authentication and data protection, encryption and salting mechanisms are critical. Two environment values are required: a secret and a salt. Both work in tandem to maintain the integrity, confidentiality, and robustness of the MFA feature, ensuring that users' authentication processes are both secure and trustworthy.

- **CYBUS_MFA_ENCRYPTION_SECRET**: the key used for encryption
- **CYBUS_MFA_ENCRYPTION_SALT**: the salt, which adds an extra layer of randomness

.. note::

   Keep in mind that the combination of **CYBUS_MFA_ENCRYPTION_SECRET** and **CYBUS_MFA_ENCRYPTION_SALT** ensures the cryptographic robustness of 2FA tokens, making them both safe and distinct. If these values are compromised, the system is exposed to potential unauthorized access and breaches.

   If these values are modified, previously generated 2FA secrets become undecipherable. As a consequence, users with 2FA enabled are no longer able to log in.

Example configuration:

.. code-block:: bash

   CYBUS_MFA_ENCRYPTION_SECRET=18473274-5073-11ee-be56-0242ac120002
   CYBUS_MFA_ENCRYPTION_SALT=229c75c2-5073-11ee-be56-0242ac120002
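
A pre-deployment check for the two values described above, as an added example that is not part of the product's own documentation or code. It generates fresh values, rejects the sample values printed on this page, and flags any change against a fingerprint recorded at rollout. The function names, the 32-character minimum, and the assumption that any sufficiently long random string is accepted as a value are this example's own.

```bash
#!/usr/bin/env bash
# Added example; function names and MIN_LEN are assumptions, not product settings.
MIN_LEN=32
# Sample values printed in the documentation above; never deploy them.
DOC_SECRET=18473274-5073-11ee-be56-0242ac120002
DOC_SALT=229c75c2-5073-11ee-be56-0242ac120002

# 32 bytes from the kernel CSPRNG as 64 hex characters.
rand_hex() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Write a fresh env file that only its owner can read.
gen_mfa_env() {
  ( umask 077
    printf 'CYBUS_MFA_ENCRYPTION_SECRET=%s\nCYBUS_MFA_ENCRYPTION_SALT=%s\n' \
      "$(rand_hex)" "$(rand_hex)" > "$1" )
}

# Value of KEY in an env file (last definition wins).
env_value() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Hash of both values, recorded at rollout to detect a later change.
mfa_fingerprint() {
  printf '%s\n%s\n' "$(env_value CYBUS_MFA_ENCRYPTION_SECRET "$1")" \
    "$(env_value CYBUS_MFA_ENCRYPTION_SALT "$1")" | sha256sum | cut -d' ' -f1
}

# check_mfa_env FILE [EXPECTED_FINGERPRINT]: print findings, return 1 on any.
check_mfa_env() {
  local secret salt rc=0
  secret=$(env_value CYBUS_MFA_ENCRYPTION_SECRET "$1")
  salt=$(env_value CYBUS_MFA_ENCRYPTION_SALT "$1")
  fail() { echo "FAIL: $*"; rc=1; }   # sets the caller's rc (dynamic scope)
  [ -n "$secret" ] || fail "CYBUS_MFA_ENCRYPTION_SECRET missing or empty"
  [ -n "$salt" ] || fail "CYBUS_MFA_ENCRYPTION_SALT missing or empty"
  [ "$secret" != "$salt" ] || fail "secret and salt are identical"
  [ "$secret" != "$DOC_SECRET" ] || fail "secret is the documentation sample"
  [ "$salt" != "$DOC_SALT" ] || fail "salt is the documentation sample"
  [ "${#secret}" -ge "$MIN_LEN" ] || fail "secret shorter than $MIN_LEN characters"
  [ "${#salt}" -ge "$MIN_LEN" ] || fail "salt shorter than $MIN_LEN characters"
  if [ -n "${2:-}" ] && [ "$(mfa_fingerprint "$1")" != "$2" ]; then
    fail "values differ from the recorded fingerprint; 2FA users would be locked out"
  fi
  return "$rc"
}
```

Source the file, run ``gen_mfa_env`` once at rollout and record the output of ``mfa_fingerprint``; afterwards call ``check_mfa_env FILE FINGERPRINT`` in the deployment pipeline. Keep the fingerprint under the same access restrictions as the env file.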