// Security// 2FA · TOTP · FIDO2

Two-factor authentication (2FA) in Proxmox

A password alone isn't enough — the Proxmox UI and API give full control over your infrastructure, making them the number-one target for an attacker. A second factor (2FA) means a stolen password isn't enough. Proxmox has 2FA built in: TOTP, FIDO2/WebAuthn hardware keys and recovery keys — no extra systems needed.

// Table of Contents
  1. The key to your whole infrastructure
  2. TOTP, hardware keys and recovery keys
  3. Not an "option" but a policy
  4. So 2FA doesn't lock you out
// 01 · Why 2FA

The key to your whole infrastructure

Access to Proxmox = the ability to start, delete and clone machines and reach the console of every one of them. Phishing or a leaked admin password is a catastrophic scenario. 2FA stops the attacker even if they know the password — because they don't have the second factor. It's a standard today and often a requirement (security policies, NIS2, cyber insurance).

// 02 · Methods in Proxmox

TOTP, hardware keys and recovery keys

// 03 · Enforcing 2FA

Not an "option" but a policy

2FA makes sense when it's mandatory for accounts with access. Proxmox lets you enforce TFA at the realm level (e.g. for the Active Directory or PVE realm) — then logging in without a second factor is impossible. Protect the root@pam account in particular: 2FA + a strong password, and use named AD accounts for day-to-day work.

💡

Combine 2FA with AD integration and roles: identity from the domain, access via groups, and a mandatory second factor at the door.

// 04 · Best practices

So 2FA doesn't lock you out

We'll secure access to your Proxmox

We'll roll out 2FA, realm enforcement, hardware keys and recovery procedures — consistent with your AD integration and security policy.

⚡ Free consultation→ Permissions and Active Directory