Two factor authentication in grafana 8.3.0


I am using Grafana-8.3.0 version in my side.

OS- Linux 22.04

I want to install two-factor authentication like google authenticator

can any help here how we can do it?

The easiest option is to use OAuth/SAML authentication and point to OAuth/SAML IDP server, which has support for required MFA method (TOTP, HOTP, push, passwordless, RSA, …)

Hi @jangaraj

Thanks for the quick response

but one question is by this authentication it is asking first to user for login by authenticator like duo mobile or google authenticator?

and I am using opensource grafana so can It applicable


OAuth means need to follow the below authentication?

Yes, OSS Grafana has support for OAuth.

Whole login process then depends on used IDP server. Nothing stopping you to configure IDP to require token from RSA hardware key, then TOTP from TOTP app (Microsoft/Google Authenticator, Authy, …) and then to confirm push notification on the phone. You users will hate you, but it is possible.

IMHO the most user friendly and modern is passwordless MFA.

But this is not a Grafana topic, but topic about used IDP server. You just need to configure Grafana to use OAuth and that’s the whole config on the Grafana side.

1 Like

Hi @jangaraj

I am using grafana in my company environment so how can I generate OAuth url and token url ?

is it compulsory require to generate a new page like google login page?

OAuth url and token url, login page is provided by your IDP server. It is not compulsory, it is by design: your app will “outsource” authentification to IDP server and app trusts user identity provided by IDP (but with cryptographic validation).

Typical developer/user will be crying: I have cool app (reactive SPA, material design, …) and now I have to use ugly IDP login page. But again check doc of used IDP. They may allow to customize login page, so it may match app design (if that is a requirement).
Example - dev is using Vuetify, so Vuetity can be used in the login page (Keycloak is IDP in this particular case): GitHub - jangaraj/vuetify-keycloak-theme: Proof of concept: how to use Vuetify in Keycloak theme

@jangaraj Thanks for the update

In Grafana 8.3. we can take any OAuth authentication like google, github etc… ?

Yes, any OAuth 2 (eventually any with OpenID Connect, which another protocol on OAuth): List of OAuth providers - Wikipedia

Thanks for update @jangaraj