The key to your whole infrastructure
Access to Proxmox = the ability to start, delete and clone machines and reach the console of every one of them. Phishing or a leaked admin password is a catastrophic scenario. 2FA stops the attacker even if they know the password — because they don't have the second factor. It's a standard today and often a requirement (security policies, NIS2, cyber insurance).
TOTP, hardware keys and recovery keys
- TOTP — a code from an app (Google Authenticator, Aegis, 1Password). The simplest and free; each user adds it under Datacenter → Permissions → Two Factor.
- WebAuthn / FIDO2 — a hardware key (e.g. YubiKey) or biometrics. The highest phishing resistance — requires configuring the URL/origin in the 2FA settings.
- Recovery keys — one-time emergency codes in case you lose your phone/key. Generate and store them securely.
Not an "option" but a policy
2FA makes sense when it's mandatory for accounts with access. Proxmox lets you enforce TFA at the realm level (e.g. for the Active Directory or PVE realm) — then logging in without a second factor is impossible. Protect the root@pam account in particular: 2FA + a strong password, and use named AD accounts for day-to-day work.
Combine 2FA with AD integration and roles: identity from the domain, access via groups, and a mandatory second factor at the door.
So 2FA doesn't lock you out
- Recovery keys — generate them right away and store them offline; they're your lifeline if you lose a device.
- Two hardware factors for admins (e.g. two YubiKeys: primary + backup).
- Don't rely on SMS — Proxmox doesn't use it, and rightly so (SIM-swap). TOTP/FIDO2 are safer.
- A recovery procedure for a key admin losing their 2FA — written down and tested.
We'll secure access to your Proxmox
We'll roll out 2FA, realm enforcement, hardware keys and recovery procedures — consistent with your AD integration and security policy.
⚡ Free consultation→ Permissions and Active Directory