How to enable 2FA for administrator

Any idea how to enable two factor authentication with OTP app for Administrator ?

I enabled 2 factor authentication in role for ALL , but still administrator can login without two factor authentication .
Erpnext version 13.8

Has this ever been solved? We’re facing the same problem: 2FA enabled for role ‘ALL’ but administrator still being the only account that is not forced to show second factor. What else is necessary to enforce 2FA?

1 Like

as i understand 2 factor authentication in erpnext not works for administrator , i tried to enable 2FA for administrator but problem is not effected for administrator and still administrator can login without 2 factor authentication in erpnext , i test it with erpnext version 13 , i think it was v13.8.0

Thanks for your feedback! I’ve tried it with up to the latest revision of ERPnext and all with the same (negative) result so we can conclude that either both of us haven’t understood the concept or it simply does not work.

But can that be? The most powerful account being the only one you can’t secure through multi factor authentication? Hard to believe, isn’t it?

1 Like


Does anyone know if this is a known bug or would it make sense to register it as such?

1 Like


Is there any resolution / answer to this ? I am also wanting to implement 2FA and I was wondering about the implications : i.e. The administrator lost his/her phone and cannot log in. And a “normal”
system-user cannot access the “Administrator” account to rest passwords / 2FA so that the
Administrator account can be used again.

Then I came across this posting…

So I would also like to know : was this done intentionally or is this a bug?

Unlike a normal user, Administrator account is controlled server side and if you do lose the administrator password, there’s a command on the server side to reset administrator password.

As for 2FA for administrator, I think this is what is causing the limitation as unlike normal user, administrator role is not controlled from the frontend.

Thank you @flexy2ky for taking the time

What you are saying does make sense, but it is as @smw said … can this be ??? that the most
powerfull account in ERPNext can be accessed without 2FA ??

Also, according to the documentation, (as below ) Administrator is included in 2FA…

1 Like


After your commenr @flexy2ky, about Administrator being handled on the server-side, I thought of something …

I had trouble executing the command …
bench --site [sitename] set-config enable_two_factor_auth true
( as the 2FA documents specify )

It kept on telling me …
Please specify --site sitename

I then thought to actually check my site_config,json file
and the file was indeed updated, even though it was complaining about my command.

I find in the site_config.json file…
“enable_two_factor_auth”: true,

The fact that the error “Please specify --site sitename” keeps on coming up even though
it was executed, is a worry, but lets leave that aside for now …

It means that , I have doen all as specified but the docs…

I have also played arouind with various combinations of enabling.disabling 2FA
in the “All” and “Administrator” roles, but 2FA for the Administrator does not work.

1 Like

Dear all,

… to revive this old thread: has this ever been addressed? The docs still say that Administrator is affected by the 2FA settings but I still cannot get this activated in my 14.27.x installation. So is there a trick or at least a good explanation why this is the case?


This is still the case. Digged into the code and found out that of frappe has a hard-coded test in a method (two_factor_is_enabled_for_) on the “Administrator” user and returns false if that is the case. See:

Patching that file and removing that checks fixes this issue and when logging in with “Administrator”, a 2fa-token is requested. However, we should raise this issue and fix this properly. See: 2FA should not be disabled for Administrator in · Issue #24433 · frappe/frappe · GitHub