Skip to main content
Skip table of contents

Multi-factor authentication for local accounts overview

Multi-factor authentication (MFA) adds an extra layer of security to your Nexthink tenant by requiring local users to provide multiple forms of identification before granting access.

MFA includes the following components:

  • Something the user knows, such as a password.

  • A Time-Based One-Time Password (TOTP) that is generated by an application, such as Google Authenticator or Microsoft Authenticator.

The user must use both components during login.

Enable MFA to significantly enhance protection against unauthorized access, data breaches, and identity theft. Use MFA to reduce the risk of credential theft, phishing attacks, and brute force attacks and safeguard user accounts and sensitive information on your platform. Overall, MFA is a crucial security feature that reinforces the integrity of your Nexthink tenant and ensures a safer user experience.

You must upgrade to at least version to use MFA.

Use MFA for local accounts

Enable or disable MFA on your appliance

MFA is disabled by default. Perform the following steps to enable or disable it:

  1. Log in to the Command-line Interface (CLI) of the Portal appliance.

  2. Optional step. If the Portal has no configuration file yet, that is, if portal.conf does not exist in folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file:

    sudo -u nxportal cp /var/nexthink/portal/conf/portal.conf.sample \
  3. Edit the Portal configuration file:

    sudo vi /var/nexthink/portal/conf/portal.conf
  4. Type in the following line to enable MFA; replace true with false to disable it:

    globalconfig.feature.totp-enabled = true
  5. Save your changes and exit:

  6. Restart the Portal to apply your settings:

    sudo systemctl restart nxportal

Since TOTPs rely on time, the following steps may also need to be performed:

  1. Log in to the Web Console as administrator.

  2. Select the Appliance tab at the top of the window.

  3. Select the section Network parameters from the left-hand side menu.

  4. Choose the management account with following steps under NTP on CentOS 7 or Chrony on Oracle Linux 8:

    1. On CentOS 7 select the NTP or on Oracle Linux 8 select the Chrony option.

    2. Provide one or several valid Time servers, for example, time servers provided by

    3. Select SAVE CHANGES.

If MFA is enabled for local accounts on your tenant, you may also have to perform one of the following procedures.

MFA is not set up for the currently active account

  1. Install an authenticator application on your mobile device or on a computer that supports TOTPs, for example, Google Authenticator, Microsoft Authenticator, 1Password and so on.

  2. Scan the QR code with your authenticator application.

  3. Enter the code provided by your authenticator application.

  4. Select Continue.

  5. Select Finish when the code is validated and the setup is complete.

You can skip this procedure three times.

MFA is already set up for the currently active account

  1. Enter the code provided by your authenticator application.

  2. Select Sign in.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.