Enable two-factor and multi-factor auth (2FA/MFA)
Tailscale relies on your existing identity provider to authenticate users. Any authentication settings from your identity provider are automatically used by Tailscale, including MFA.
To enable MFA for your domain, simply enable it from your identity provider. We have links to instructions for each provider below.
Gmail / Google Workspace / GSuite
Google provides in-depth instructions on how to enable multi-factor authentication (“2-Step Verification”) in their documentation.
Microsoft / Office365 / Active Directory (Azure AD)
Microsoft has documentation describing how to enable MFA for your whole domain or for individual users.
Okta
Okta admins can configure MFA for their entire organization or only for Tailscale by setting a “multifactor policy.”
OneLogin
OneLogin users can enable MFA for the domain by creating a new authentication factor, assigning it to a security policy, and assigning that policy to their users. OneLogin provides documentation on how to enable MFA.
Ping Identity
Ping Identity’s documentation provides instructions on how to configure Policy Contracts to enable MFA for your network.
SAP Identity Manager
SAP’s blog provides instructions on how to enable SMS-based MFA from your Tenant settings.