Two-Factor Authentication Using TOTP
What is TOTP?
A time-based one-time password (TOTP) is a two-factor authentication method that generates a temporary, unique passcode derived from a shared secret and the current time.
How is TOTP useful?
TOTP adds a strong, time-sensitive layer of security to user authentication:
- Protects against password theft: Even if an attacker steals a user’s password, they still can’t log in without the TOTP code, which changes every 30 seconds.
- Reduces phishing and replay attacks: Since each code is unique and short-lived, stolen or intercepted codes can’t be reused.
- Works offline: The authenticator app doesn’t need internet access to generate codes, making it reliable even without a network connection.
- Simple and low-cost: Users only need a smartphone app (like Google Authenticator or Microsoft Authenticator), with no special hardware required.
- Widely supported: Compatible with many security systems, VPNs, and enterprise authentication solutions — including BeyondInsight and Password Safe.
Configure TOTP two-factor authentication
BeyondTrust supports a two-factor authentication option based on a time-based one-time password (TOTP). TOTP integrates with two-factor authentication apps. The end user must install one of these apps, such as Google Authenticator or Microsoft Authenticator, to register their device. As part of the configuration process, the user must register this two-factor app with BeyondTrust. The following sections describe how to configure TOTP two-factor authentication settings, how to apply TOTP authentication to user accounts in BeyondInsight, and how users register their authenticator app device with BeyondTrust.
Configure TOTP two-factor authentication settings
- Use a browser to sign in to your BeyondInsight/Password Safe URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Configuration. The Configuration page displays.
- Under Authentication Management, select Authentication Options.
- Under TOTP Two-Factor Authentication, set the following:
  - Skew Intervals: Sets how many prior tokens remain valid and accepted. You can increase this value from the default if a lag is anticipated in the time synchronization between the server and the client.
  - Enable for new directory accounts
  - Enable for new local accounts
- Click Save.
Set TOTP two-factor authentication on user accounts
The type of two-factor authentication can be set on a user account when a new user is created or when an existing user account is edited. You can also enable TOTP two-factor authentication for all new users from Authentication Options > TOTP Two-Factor Authentication settings, as described in the section above.
- Use a browser to sign in to your BeyondInsight/Password Safe URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Configuration. The Configuration page displays.
- Under Role Based Access, select User Management. The User Management page displays.
- Select the Users tab.
- To create a new user, click Create New User.
- To edit an existing user, click the user's menu icon, and then select Edit User Details.
- At the bottom of the user account settings, select TOTP from the Two-Factor Authentication list.
Register an authenticator app
The first time a new user logs in, they must register their device with an authenticator app, as follows.
- Download an authenticator app.
- Scan the QR code, or manually enter the alphanumeric code, into the authenticator app. Once the code is detected, the app generates a 6-digit authenticator code.
- Enter the code into the Authenticator Code field, and then click Continue. This activates the user's device.
- Click Continue, and then enter your login credentials.
- Enter the 6-digit code again.
- Click Submit.
Note
The authenticator app generates a new code roughly every 30 seconds.
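The three technical points on this page (the time-derived code described under "What is TOTP?", the Skew Intervals setting that keeps prior tokens valid, and the 6-digit code the app regenerates about every 30 seconds from a scanned QR code or a typed alphanumeric seed) can be seen end to end in the following worked example. It is an added illustration written for this page, not BeyondTrust's or any authenticator app's code. It assumes the RFC 6238 defaults that Google Authenticator and Microsoft Authenticator use (HMAC-SHA1, 30-second step, 6 digits); the sample seed is the RFC 6238 reference-vector key, and the issuer and account names are placeholders. The `last_counter` check, which refuses a code from a time step that has already been accepted, is this example's own choice for honouring the page's "codes can't be reused" point; the page does not state how the product handles that.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # the page: the app generates a new code roughly every 30 seconds
DIGITS = 6          # the page: a 6-digit authenticator code

# Constructed sample seed: the RFC 6238 reference-vector key, not a real user's secret.
SAMPLE_SECRET = b"12345678901234567890"


def time_counter(unix_time: int, step: int = STEP_SECONDS) -> int:
    """Map a Unix timestamp to the TOTP time step (RFC 6238: T = floor(now / X))."""
    return unix_time // step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """What the authenticator app displays: HOTP keyed on the current time step."""
    return hotp(secret, time_counter(unix_time))


def verify_totp(secret, submitted, unix_time, skew_intervals=1, last_counter=-1):
    """Server-side check of a submitted code.

    Accepts the current time step plus `skew_intervals` prior steps, matching
    the page's description of the Skew Intervals setting. `last_counter` is the
    most recent step already accepted for this user: a code from that step or
    earlier is rejected, so an intercepted code cannot be replayed inside the
    window (tracking this is this example's choice, not a documented product
    behaviour). Returns the accepted step, or None on failure.
    """
    current = time_counter(unix_time)
    for delta in range(0, skew_intervals + 1):
        candidate = current - delta
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), submitted):
            return candidate
    return None


def enrollment_secret(secret: bytes) -> str:
    """The alphanumeric (base32) form of the seed that a user types into the app
    when the QR code cannot be scanned."""
    return base64.b32encode(secret).decode("ascii")


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The otpauth:// URI the enrollment QR code encodes (the Key Uri Format the
    named authenticator apps read). Issuer and account here are placeholders."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={enrollment_secret(secret)}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    now = int(time.time())
    print("seed to type into the app:", enrollment_secret(SAMPLE_SECRET))
    print("QR payload:", otpauth_uri(SAMPLE_SECRET, "ExampleIssuer", "user@example.com"))
    code = totp(SAMPLE_SECRET, now)
    print("current code:", code, "accepted at step:", verify_totp(SAMPLE_SECRET, code, now))
```

Two design points are worth noting. The verifier walks backwards from the current step, so raising Skew Intervals widens only the window of prior codes, exactly as the page describes; it also lengthens the time during which an observed code stays usable, which is why the `last_counter` guard matters more as the setting grows. And the comparison uses `hmac.compare_digest` rather than `==`, so the time taken to reject a wrong code does not depend on how many leading digits happened to match.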
Unregister an authenticator application device
Administrators can unregister a device by removing it from a user account. Users can remove a device only from their own account.
Steps for administrators
- Use a browser to sign in to your BeyondInsight/Password Safe URL. This URL is provided in the BeyondTrust welcome email and includes your site URL followed by /login.
- From the left menu, click Configuration. The Configuration page displays.
- Under Role Based Access, select User Management. The User Management page displays.
- Select the Users tab.
- To edit an existing user, click the user's menu icon, and then select Edit User Details.
- Scroll to the bottom of the user's details.
- Under Two-Factor Authentication, click Remove Device.
Steps for users
- In the top-right corner of the console, click your profile icon, and then select Account Settings. The Account Settings page displays.
- Under My Account, select Two-Factor Authentication.
- Click Replace Authenticator App.
- To register the app again, click Reconfigure Authenticator App.
Note
Users may not enable both RADIUS and TOTP. Only one two-factor authentication type may be selected.