Support for Two-Factor Authentication (2FA) in PRTG On-Premise
As an IT Infrastructure Manager responsible for security and compliance, I want to enforce Two-Factor Authentication (2FA) for all users accessing the PRTG On-Premise web interface,
At the moment, PRTG On-Premise only supports password-based authentication. Given today’s security requirements and compliance standards, 2FA has become essential for protecting administrative interfaces and monitoring systems. Since PRTG contains critical infrastructure information, enhanced login security is necessary in many environments.
Requested Feature:
Please add support for Two-Factor Authentication (2FA) for PRTG On-Premise, ideally with multiple methods such as:
- TOTP apps (Google Authenticator, Microsoft Authenticator, etc.)
- Hardware tokens (FIDO2, YubiKey)
- SMS or email codes (optional)
Use Case / Reasoning:
- Strengthens the overall security of the monitoring environment
- Helps meet modern cybersecurity and compliance requirements
- Prevents unauthorized access even if passwords are compromised
- Aligns PRTG On-Premise with current industry standards for authentication
Support for 2FA would significantly enhance the security posture of PRTG installations, especially in larger or regulated environments.
Hi Yannik,
Thank you again for submitting your idea to Paessler. We truly appreciate you taking the time to share your feedback.
Please note that MFA is already available through SSO (Okta and Microsoft Entra ID) options:
How can I enable Microsoft Entra ID multifactor authentication? | Paessler Knowledge Base
How can I enable Okta multifactor authentication? | Paessler Knowledge Base
Besides that, the following workarounds are possible:
Since PRTG supports SAML 2.0, you can effectively use any compatible Identity Provider to enforce MFA:
- Keycloak (Open Source): Host your own free Identity Provider. It connects to your Active Directory and forces users to use TOTP (Google Authenticator) or hardware keys before passing them to PRTG.
- AD FS (Active Directory Federation Services): Use your existing Windows Server infrastructure to act as the SAML provider. You can configure AD FS to require certificates or smart cards.
- Duo SSO: Use Duo's native Single Sign-On feature as the SAML provider. This adds the "Duo Push" requirement directly to the PRTG login flow.
- Reverse Proxy (Authelia/Authentik): Place PRTG behind a proxy (like Nginx) paired with a tool like Authelia. The proxy intercepts traffic and forces an MFA check before the user can even see the PRTG login screen.
Best regards,
The Paessler Product Team
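The reverse-proxy workaround from the reply above, sketched as an Nginx `auth_request` configuration. This is an added example, not part of the thread and not Paessler's or Authelia's own configuration. All hostnames, ports and certificate paths are placeholders, and the Authelia endpoint path is an assumption that depends on the Authelia version in use.

```nginx
# Added example. Every hostname, port and file path below is a placeholder.
server {
    listen 443 ssl;
    server_name prtg.example.internal;            # placeholder name users browse to

    ssl_certificate     /etc/nginx/tls/prtg.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/prtg.key;

    # Internal-only subrequest target: asks Authelia whether the request
    # belongs to a session that has already completed the MFA check.
    location = /internal/authelia/authz {
        internal;                                 # not reachable from clients
        # Assumed Authelia address and endpoint; older releases use another path.
        proxy_pass http://authelia.example.internal:9091/api/authz/auth-request;
        proxy_pass_request_body off;              # only headers are needed
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-Method $request_method;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    location / {
        # Every request to PRTG is gated on the subrequest result:
        # 2xx lets it through, 401 sends the browser to the login portal.
        auth_request /internal/authelia/authz;
        auth_request_set $redirection_url $upstream_http_location;
        error_page 401 =302 $redirection_url;

        # Placeholder address of the PRTG web server behind the proxy.
        proxy_pass https://prtg-core.example.internal:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The MFA check only holds if the PRTG web server accepts connections from the proxy alone, for example through a host firewall rule. Any client that can reach the PRTG port directly skips the check and sees the plain password login.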