Authentication options

Teleport authenticates users either via the Proxy Service or with an identity provider via authentication connectors.

Local (no authentication connector)

Local authentication is used to authenticate against a local Teleport user database. This database is managed by the tctl users command. Teleport also supports multi-factor authentication (MFA) for the local connector. There are several possible values (types) of MFA:

• otp is the default. It implements the TOTP standard. You can use Google Authenticator, Authy or any other TOTP client.
• webauthn implements the Web Authentication standard for utilizing second factor authenticators and hardware devices. You can use YubiKeys, SoloKeys or any other authenticator that implements FIDO2 or FIDO U2F standards. See our Second Factor - WebAuthn guide for detailed instructions on setting up WebAuthn for Teleport.
• on enables both TOTP and WebAuthn, and all local users are required to have at least one MFA device registered.
• optional enables both TOTP and WebAuthn but makes it optional for users. Local users that register a MFA device will be prompted for it during login. This option is useful when you need to gradually enable MFA usage before switching the value to on.
• off turns off multi-factor authentication.

auth_service:
  authentication:
    type: local
    second_factor: off

tctl get cap > cap.yaml

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factor: "on"
  webauthn:
    rp_id: example.teleport.sh
version: v2

tctl create -f cap.yaml

tsh login --proxy=myinstance.teleport.sh
tctl status

tctl get cap > cap.yaml

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: local
  second_factor: "on"
  webauthn:
    rp_id: example.teleport.sh
version: v2

tctl create -f cap.yaml

Local user login failure rules

A local user is blocked from attempting logins if, within a 30 minute window, a local user has multiple:

• failed login attempts or
• failed password resets

The block lasts 20 minutes. After the block has expired the user may attempt to log in again.

Overriding a block is available to users with rights to maintain user resources, available in the built-in editor role. To turn off a block, update the user entry, following these steps.

Retrieve the user entry so you can edit the status:

tctl get users/username > user.yaml

The file user.yaml should resemble the following:

kind: user
metadata:
  name: jeff
spec:
  roles:
  - access
  status:
    is_locked: true
    lock_expires: "2023-04-22T01:55:02.228158166Z"
    locked_message: user has exceeded maximum failed login attempts
version: v2

Update the is_locked field under status to false and save the file. Now update the user entry with the command below:

tctl create -f user.yaml

The user will now be unblocked from login attempts and can attempt to authenticate again.

Authentication connectors

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: github
version: v2

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: github
version: v2

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: saml
version: v2

kind: cluster_auth_preference
metadata:
  name: cluster-auth-preference
spec:
  type: oidc
version: v2

auth_service:
  authentication:
    type: github

auth_service:
  authentication:
    type: saml

auth_service:
  authentication:
    type: oidc

auth_service:
  authentication:
    type: github