# Security Settings
Configure authentication and security policies at Admin > Settings > Security.
## Two-Factor Authentication Enforcement
Control whether two-factor authentication (2FA) is required:
| Option | Description |
|---|---|
| Disabled | 2FA is optional for all users |
| Admins Only | Administrators are required to enable 2FA before accessing admin features |
| All Users | Every user must enable 2FA before using the panel |
When enforcement is enabled, users who have not yet configured 2FA will be prompted to set it up on their next login.
## Password Requirements
| Setting | Description |
|---|---|
| Minimum Length | The minimum number of characters required for user passwords |
## Session Settings
| Setting | Description |
|---|---|
| Session Lifetime | Maximum duration a session remains valid (up to 7 days) |
| Session Timeout | Duration of inactivity before a session expires |
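The two settings above bound a session on different clocks: Session Lifetime is an absolute cap measured from login, while Session Timeout is an idle cap that activity resets. The following added example (not BadgerPanel's own code) models that distinction; the `SessionPolicy`, `Session` and `session_state` names are assumptions for illustration, and the 7-day ceiling is the one stated in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Upper bound the panel places on the Session Lifetime setting.
MAX_SESSION_LIFETIME = timedelta(days=7)


@dataclass
class SessionPolicy:
    lifetime: timedelta   # absolute cap, measured from login
    timeout: timedelta    # idle cap, measured from the last request

    def __post_init__(self) -> None:
        if self.lifetime > MAX_SESSION_LIFETIME:
            raise ValueError("Session Lifetime may not exceed 7 days")
        if self.lifetime <= timedelta(0) or self.timeout <= timedelta(0):
            raise ValueError("durations must be positive")


@dataclass
class Session:
    created_at: datetime
    last_seen_at: datetime


def session_state(policy: SessionPolicy, session: Session, now: datetime) -> str:
    """Return 'valid', 'expired_lifetime' or 'expired_timeout'.

    The absolute lifetime is checked first: no amount of activity can extend a
    session past it, which is what makes the cap useful against a stolen cookie.
    """
    if now - session.created_at >= policy.lifetime:
        return "expired_lifetime"
    if now - session.last_seen_at >= policy.timeout:
        return "expired_timeout"
    return "valid"


def touch(session: Session, now: datetime) -> Session:
    """Record activity: only the idle clock resets, the absolute clock does not."""
    return Session(created_at=session.created_at, last_seen_at=now)


if __name__ == "__main__":
    # Constructed sample: 1-day lifetime, 30-minute idle timeout.
    policy = SessionPolicy(lifetime=timedelta(days=1), timeout=timedelta(minutes=30))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    s = Session(created_at=t0, last_seen_at=t0)
    print(session_state(policy, s, t0 + timedelta(minutes=10)))   # valid
    print(session_state(policy, s, t0 + timedelta(minutes=30)))   # expired_timeout
    s = touch(s, t0 + timedelta(hours=23, minutes=50))
    print(session_state(policy, s, t0 + timedelta(days=1)))       # expired_lifetime
```

Because the lifetime check comes first, a session that is kept busy right up to the 24-hour mark still ends there; only the idle timeout is extended by activity.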
## Brute Force Protection
Protect against credential stuffing and brute force attacks:
| Setting | Description |
|---|---|
| Max Failed Attempts | Number of consecutive failed login attempts before lockout |
| Lockout Duration | How long the account is locked after exceeding the failed attempt limit |
## Two-Factor Authentication Methods
BadgerPanel supports multiple 2FA methods that users can choose from:
| Method | Description |
|---|---|
| TOTP | Time-based one-time passwords using authenticator apps (Google Authenticator, Authy, etc.) |
| WebAuthn / FIDO2 | Hardware security keys and platform authenticators (YubiKey, Touch ID, Windows Hello) |
| Backup Codes | One-time-use recovery codes generated when 2FA is first enabled |
Users can enable one or more methods from their account settings. Backup codes are always generated as a fallback when any 2FA method is activated.
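The following added example (not BadgerPanel's code) shows how two of the methods in the table work underneath: the TOTP method is RFC 6238 over HMAC-SHA1, which is the default authenticator apps use, and the backup codes are one-time-use secrets of which only a hash is kept server side so a stolen database does not yield usable codes. The `verify_totp` drift window, the code format and the hashing scheme are assumptions for illustration, not a description of how the panel stores them.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Set, Tuple

TOTP_STEP = 30  # seconds per time step (RFC 6238 default)


def totp(secret: bytes, timestamp: int, digits: int = 6, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step, HMAC-SHA1."""
    counter = timestamp // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift.

    Comparison is constant-time so response timing does not reveal matching digits.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def generate_backup_codes(count: int = 10) -> Tuple[List[str], Set[str]]:
    """Return (plain codes to show the user once, hashes to store).

    Codes are 40 random bits as 10 hex characters; only the SHA-256 hashes are
    kept, so the plaintext exists nowhere but on the user's side after setup.
    """
    plain = [secrets.token_hex(5) for _ in range(count)]
    hashed = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, hashed


def redeem_backup_code(hashed_codes: Set[str], code: str) -> bool:
    """One-time use: the matching hash is removed so the code cannot be replayed."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in hashed_codes:
        hashed_codes.remove(h)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector secret; a real enrolment would use a fresh random one.
    demo_secret = b"12345678901234567890"
    print(totp(demo_secret, 59))                       # 287082
    print(totp(demo_secret, int(time.time())))         # current code for this secret
    plain, stored = generate_backup_codes()
    print(redeem_backup_code(stored, plain[0]))        # True
    print(redeem_backup_code(stored, plain[0]))        # False: already used
```

A drift window of one step (30 seconds either side) is the usual compromise between tolerating phone clock skew and keeping the number of codes accepted at any instant small.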
## Admin 2FA Override
If a user is locked out of their account due to lost 2FA credentials or a lost security key, an administrator can disable 2FA for that user from Admin > Users > [user] > Security. This removes all 2FA methods and allows the user to log in with just their password. The user can then re-enable 2FA from their account settings.
