Proxmox Two-Factor Authentication: TOTP and WebAuthn Setup

Enable TOTP and WebAuthn 2FA on Proxmox VE to protect your dashboard from credential attacks — step-by-step setup, enforcement, and recovery guide.


Locking down your Proxmox VE dashboard with a strong password is a good start — but passwords alone aren't enough in 2026. A single phished credential, brute-forced API token, or reused password from another breach can hand an attacker full control of every VM on your node. Two-factor authentication (2FA) is the single highest-impact change you can make to your Proxmox security posture after the initial install.

Proxmox VE ships with built-in support for both TOTP (Time-based One-Time Passwords) and WebAuthn (hardware security keys and passkeys). Neither requires third-party software on the server — everything runs natively through the web UI. This guide walks you through enabling both methods, enforcing 2FA for all users, and recovering access if you ever lose your authenticator.

Why 2FA Is Non-Negotiable for Proxmox

Your Proxmox web interface runs on port 8006 and accepts credentials directly over HTTPS. If that port is reachable from the internet — or even through a VPN or reverse proxy — it's a target.

The risks are concrete:

  • Credential stuffing — automated bots test billions of leaked username/password pairs daily
  • Brute force — the root@pam account is a known target; without 2FA, fail2ban is your only line of defense
  • Session hijacking — tokens compromised from other services get tried against Proxmox
  • Insider threats — a second factor limits damage from a guessed or shared password

Even if your Proxmox node never touches the public internet, 2FA is worth enabling. A single compromised device on your LAN is all it takes.

Proxmox 2FA Options: TOTP vs WebAuthn

Proxmox VE 7+ supports two second-factor methods natively:

TOTP (Time-based One-Time Passwords)

  • Works with any standard authenticator app — Aegis, Google Authenticator, Authy, Bitwarden
  • Generates a 6-digit code that rotates every 30 seconds
  • No hardware required; a smartphone is sufficient
  • Recovery codes generated at enrollment time

WebAuthn

  • Works with hardware security keys (YubiKey, Nitrokey) and platform authenticators (Windows Hello, Touch ID, passkeys)
  • Phishing-resistant by design — the credential is bound to the exact origin URL
  • Requires browser WebAuthn support (all modern browsers qualify)
  • Best for high-security environments or users who travel with a hardware key

For most homelabs, TOTP is the right starting point. WebAuthn is worth adding if you have a YubiKey or want true phishing resistance beyond what TOTP provides.

Prerequisites

Before starting, confirm you have:

  • Proxmox VE 7.0 or later (VE 8/9 recommended — the 2FA UI is more polished)
  • Access to the web UI at https://your-proxmox-ip:8006
  • A login with root@pam or a user holding Sys.Modify on /
  • A TOTP app installed on your phone (Aegis on Android is excellent; any RFC 6238-compliant app works)

For WebAuthn you'll additionally need a WebAuthn-compatible hardware key or a platform authenticator, plus a working HTTPS connection with a consistent hostname.

Setting Up TOTP Authentication

TOTP is the easiest 2FA method to enable and works on any device with an authenticator app.

Step 1: Open the Two-Factor Panel

  1. Log into the Proxmox web UI
  2. Click Datacenter in the left panel
  3. Navigate to Permissions → Two Factor

This panel lets you configure global WebAuthn settings and see which users have factors enrolled.

Step 2: Enroll TOTP for Your Account

  1. Click your username in the top-right corner, then select My Settings
  2. Under Two Factor Authentication, click Add
  3. Select TOTP from the method dropdown
  4. A QR code appears — scan it with your authenticator app
  5. Enter the 6-digit code your app shows to verify the enrollment
  6. Copy your recovery keys and store them offline — you will need these if you lose your phone

From this point on, every login for that account will prompt for a TOTP code after the password step.

Step 3: Test Before Moving On

Log out completely, then log back in. After entering your password you should see a second prompt for a one-time password. Enter the code from your app.

If the code is rejected, check that your phone's clock is synchronized — TOTP codes fail if the clock drifts more than 30–90 seconds. On the Proxmox host you can confirm NTP sync with:

timedatectl status

Look for NTP service: active and System clock synchronized: yes. Clock drift on the server side causes the same problem in reverse: the phone's code is correct, but the host computes a different time step.

Setting Up WebAuthn

WebAuthn credentials are origin-bound, meaning a phishing site can't steal your key even if you're tricked into visiting it. That makes it meaningfully stronger than TOTP for anyone handling sensitive infrastructure.

Step 1: Configure WebAuthn at the Datacenter Level

Before enrolling any keys you must set the relying party parameters:

  1. Go to Datacenter → Permissions → Two Factor
  2. Scroll to the WebAuthn section
  3. Fill in:
    • Relying Party Name: A human-readable label, e.g. Proxmox Homelab
    • ID: The hostname used to reach Proxmox, e.g. proxmox.local
    • Origin: The full HTTPS URL including port, e.g. https://proxmox.local:8006
  4. Click Apply

# Example values
rpname: "Proxmox Homelab"
rpid: "proxmox.local"
origin: "https://proxmox.local:8006"

The rpid and origin must exactly match the URL you use to access Proxmox. If you change the hostname later, existing WebAuthn credentials will stop working.
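The two sentences above (phishing resistance through origin binding, and credentials breaking when the hostname changes) both come down to checks the relying party performs on every assertion. The following is an added example, not code from the article or from Proxmox's own WebAuthn implementation, showing those checks in plain Python: the origin inside clientDataJSON must equal the configured origin, and the first 32 bytes of authenticatorData must equal SHA-256 of the configured rpId. The browser and authenticator output is constructed by helper functions, and the assertion signature check (which needs the credential's public key) is deliberately left out; the hostnames and the challenge bytes are assumptions.

```python
import base64
import hashlib
import json


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the encoding WebAuthn uses for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, expected_rpid: str,
                            expected_challenge: bytes) -> tuple:
    """Relying-party checks that bind an assertion to one origin, one rpId and one challenge.

    Returns (accepted, reason). Signature verification over
    authenticatorData || SHA-256(clientDataJSON) would follow these checks and is omitted here.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    # The browser fills in the origin itself; a phishing page cannot forge it.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # A fresh server-issued challenge prevents replay of an old assertion.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # Bytes 0..31: SHA-256(rpId). Changing the hostname changes this hash, so old credentials fail.
    if authenticator_data[:32] != hashlib.sha256(expected_rpid.encode()).digest():
        return False, "rpIdHash mismatch: credential was created for a different rpId"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP bit: the user touched the key / passed the platform prompt
        return False, "user-presence (UP) flag not set"
    return True, "ok"


# --- Constructed browser/authenticator output (not captured from a real key) ---

def fake_client_data(origin: str, challenge: bytes) -> bytes:
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def fake_authenticator_data(rpid: str, sign_count: int = 7) -> bytes:
    # rpIdHash (32) || flags (1, UP set) || signCount (4, big-endian)
    return hashlib.sha256(rpid.encode()).digest() + bytes([0x01]) + sign_count.to_bytes(4, "big")


CHALLENGE = bytes(range(32))  # constructed challenge; a real server draws this randomly per login
ORIGIN = "https://proxmox.local:8006"
RPID = "proxmox.local"


def demo() -> dict:
    """Three scenarios: a genuine login, a relayed login from a look-alike origin, a renamed host."""
    genuine = check_assertion_binding(fake_client_data(ORIGIN, CHALLENGE),
                                      fake_authenticator_data(RPID), ORIGIN, RPID, CHALLENGE)
    # Attacker relays the real challenge, but the browser reports the look-alike origin (assumed name).
    phished = check_assertion_binding(fake_client_data("https://proxmox-local.example:8006", CHALLENGE),
                                      fake_authenticator_data(RPID), ORIGIN, RPID, CHALLENGE)
    # Admin renamed the host to pve.lan (assumed) without re-enrolling; the old rpIdHash no longer matches.
    renamed = check_assertion_binding(fake_client_data("https://pve.lan:8006", CHALLENGE),
                                      fake_authenticator_data(RPID), "https://pve.lan:8006", "pve.lan", CHALLENGE)
    return {"genuine": genuine, "phished": phished, "renamed": renamed}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

The "renamed" case is the one the paragraph warns about: nothing is wrong with the key, but the hash baked into every assertion no longer matches the new rpId, so the only fix is to re-enroll under the new name.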

Step 2: Enroll a Security Key

  1. Open My Settings from the top-right menu
  2. Under Two Factor Authentication, click Add
  3. Select Security Key (WebAuthn)
  4. Give the key a descriptive name, e.g. YubiKey 5 NFC
  5. Click Register — your browser prompts you to interact with the key (touch it, use Touch ID, etc.)
  6. Once registered, the key appears in your 2FA list

Enroll at least two keys if you have them — your primary and one backup. A lost hardware key with no backup means falling back to recovery options.

Step 3: Test the WebAuthn Login

Log out and back in. After the password step, your browser will prompt you to activate your security key. Touch it when the browser requests interaction.

For platform authenticators like Windows Hello you'll be prompted for your PIN or biometrics instead of a physical tap.

Enforcing 2FA Across All Users

Enabling 2FA for your own account is good. Requiring it for everyone who can touch your hypervisor is better.

Proxmox VE 8+ introduced a Two-Factor Policy setting at the datacenter level that blocks dashboard access for any user without a factor enrolled.

Setting the Datacenter Policy

  1. Go to Datacenter → Options
  2. Find the Two-Factor Authentication field
  3. Set it to Required
  4. Click OK

Users without 2FA enrolled will be prompted to set it up on their next login and cannot proceed until they do.

Important: Enroll 2FA for root@pam before enabling this policy. Enabling it first locks out any account that hasn't enrolled — including your own.

Checking Per-User Enrollment Status

From the web UI, Datacenter → Permissions → Two Factor lists all enrolled factors. From the CLI:

# List all Proxmox users
pveum user list

# Inspect the raw TFA config (contains the actual secrets, not hashes; handle with care)
cat /etc/pve/priv/tfa.cfg

Never share or expose tfa.cfg — it contains the TOTP secrets and WebAuthn credential data for all users.

API Tokens and 2FA

API tokens (user@pam!tokenname) don't support 2FA by design — they're meant for automation. This means token hygiene matters even more once 2FA is enforced for interactive logins.

Best practices for API tokens:

  • Grant tokens minimal permissions — avoid Administrator or PVEAdmin roles
  • Enable privilege separation so a token can't exceed its own grants
  • Store tokens in environment variables or a secrets manager, never in plaintext config files
  • Rotate tokens periodically and audit usage in /var/log/pve/tasks/
# Create a scoped token with privilege separation enabled
pveum user token add automation@pve backup-token --privsep 1

# Grant only the specific permission needed (pveum acl modify takes --tokens and --roles)
pveum acl modify /storage/backups \
  --tokens automation@pve!backup-token \
  --roles PVEDatastoreUser

With --privsep 1 active, the token can only use permissions explicitly assigned to it — it cannot inherit everything from the parent user account.

Recovery: Regaining Access After Losing Your Authenticator

This is the scenario most people worry about. Proxmox gives you three recovery paths in order of preference.

Option 1: Use Your Recovery Keys

When you enrolled TOTP, Proxmox generated single-use recovery codes. If you saved them:

  1. On the 2FA login prompt, click Use recovery key
  2. Enter one of your saved codes
  3. Once inside, immediately re-enroll a new TOTP device and generate fresh recovery codes

Store recovery codes in a password manager or printed in a physically secure location — not in the same place as the device you're recovering from.

Option 2: Remove 2FA via CLI

If you have SSH or console access to the node:

# Remove all 2FA factors for a user
pveum user tfa delete root@pam

After running this, the account can log in with password only. Re-enroll immediately.

Option 3: Edit the TFA Config Directly

As a last resort with physical console access:

# Back up first
cp /etc/pve/priv/tfa.cfg /root/tfa.cfg.bak

# Edit and remove the affected user's entry
nano /etc/pve/priv/tfa.cfg

The pveum CLI method is safer and should be tried before manually editing config files.

Additional Security Layers to Stack with 2FA

Two-factor authentication is most effective as part of a layered approach:

Restrict port 8006 by source IP

Even with 2FA enabled, there's no reason to leave the management interface open to all subnets. Scope access using the Proxmox firewall:

# Allow web UI access only from your management network
pvesh create /nodes/pve/firewall/rules \
  --action ACCEPT --type in --proto tcp \
  --dport 8006 --source 192.168.1.0/24

# Drop everything else aimed at 8006. Rule order matters: the ACCEPT must be
# evaluated before this DROP, so confirm the order under Node -> Firewall afterwards.
pvesh create /nodes/pve/firewall/rules \
  --action DROP --type in --proto tcp --dport 8006

Use a dedicated non-root daily account

Create a Proxmox-realm admin account for routine work and reserve root@pam for break-glass access only:

pveum user add admin@pve --comment "Daily admin"
pveum acl modify / --users admin@pve --roles Administrator

Enroll 2FA on the daily account and stop interactive root logins.

Monitor failed logins

# Failed logins are logged by pvedaemon to the journal as "authentication failure; rhost=... user=..."
journalctl -u pvedaemon --no-pager | grep -i "authentication failure" | tail -20

Consider shipping this log to a central SIEM or at minimum checking it weekly.
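If you do ship these lines somewhere, the minimum useful detection is "many failures from one source in a short window". The script below is an added example, not part of the article or of Proxmox, that parses the pvedaemon "authentication failure; rhost=... user=... msg=..." line format over a handful of constructed journal lines, strips the ::ffff: prefix that IPv4-mapped addresses carry, and flags sources that exceed a threshold. The sample log, the threshold of three failures and the hostnames are constructed assumptions; the "successful auth" line is included only to show that non-matching lines are ignored.

```python
import re
from collections import Counter

# Constructed pvedaemon journal lines (not captured from a real node).
SAMPLE_LOG = """\
Mar 03 10:15:02 pve pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=root@pam msg=Authentication failure
Mar 03 10:15:04 pve pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=root@pam msg=Authentication failure
Mar 03 10:15:06 pve pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=admin@pve msg=Authentication failure
Mar 03 10:15:09 pve pvedaemon[1234]: authentication failure; rhost=::ffff:203.0.113.7 user=root@pam msg=Authentication failure
Mar 03 10:20:41 pve pvedaemon[1234]: authentication failure; rhost=::ffff:192.168.1.23 user=admin@pve msg=Authentication failure
Mar 03 10:21:00 pve pvedaemon[1234]: <root@pam> successful auth for user 'root@pam'
"""

FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ pvedaemon\[\d+\]: "
    r"authentication failure; rhost=(?P<rhost>\S+) user=(?P<user>\S+) msg=(?P<msg>.*)$"
)


def normalize_host(rhost: str) -> str:
    """pvedaemon reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip that prefix."""
    return rhost[7:] if rhost.startswith("::ffff:") else rhost


def parse_failures(log_text: str) -> list:
    """Return one dict per authentication-failure line; all other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "rhost": normalize_host(m["rhost"]),
                           "user": m["user"], "msg": m["msg"]})
    return events


def flag_sources(events: list, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` failures, with their counts."""
    counts = Counter(e["rhost"] for e in events)
    return {host: n for host, n in counts.items() if n >= threshold}


def targeted_users(events: list) -> Counter:
    """How often each account was the target; root@pam dominating is the expected brute-force signature."""
    return Counter(e["user"] for e in events)


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    print(f"{len(evts)} failures parsed")
    for host, n in flag_sources(evts).items():
        print(f"ALERT: {host} produced {n} failed logins")
    print("targeted accounts:", dict(targeted_users(evts)))
```

Feeding it `journalctl -u pvedaemon --no-pager` output instead of SAMPLE_LOG is the only change needed to run it against a real node; the threshold and window are where you tune for your environment.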

Conclusion

Two-factor authentication is one of the highest-value security changes you can make to a Proxmox VE installation. TOTP takes five minutes to set up and works with any authenticator app — there's no valid reason to leave it disabled. WebAuthn raises the bar further with phishing-resistant credentials for anyone handling production infrastructure.

The combination of 2FA, SSH key authentication, scoped API tokens, and Proxmox firewall rules closes the most common attack paths against the management plane. Enable 2FA today, save your recovery codes somewhere physically secure, then layer on the remaining controls. Your future self will appreciate it the next time a password shows up in a breach notification.

Written by

Proxmox Pulse

Sysadmin-driven guides for getting the most out of Proxmox VE in production and homelab environments.
