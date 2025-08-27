Version: 17.x

Teleport supports requiring additional multi-factor authentication checks when starting new:

SSH connections (a single tsh ssh call, Web UI SSH session or Teleport Connect SSH session)

call, Web UI SSH session or Teleport Connect SSH session) Kubernetes sessions (a single kubectl call)

call) Database sessions (a single tsh db connect call)

call) Application sessions

Desktop sessions

This is an advanced security feature that protects users against compromises of their on-disk Teleport certificates.

note In addition to per-session MFA, enable login MFA in your SSO provider and/or for all local Teleport users to improve security.

A running Teleport cluster. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.

The tctl and tsh clients. Installing tctl and tsh clients Determine the version of your Teleport cluster. The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/find and use a JSON query tool to obtain your cluster version: TELEPORT_DOMAIN= example.teleport.com:443 TELEPORT_VERSION="$(curl -s https://$TELEPORT_DOMAIN/v1/webapi/find | jq -r '.server_version')" Follow the instructions for your platform to install tctl and tsh clients: Mac Windows - Powershell Linux Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients: curl -O https://cdn.teleport.dev/teleport-${TELEPORT_VERSION?}.pkg In Finder double-click the pkg file to begin installation. danger Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security. curl.exe -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-windows-amd64-bin.zip All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page. curl -O https://cdn.teleport.dev/teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz tar -xzf teleport-v${TELEPORT_VERSION?}-linux-amd64-bin.tar.gz cd teleport sudo ./install



To check that you can connect to your Teleport cluster, sign in with tsh login , then verify that you can run tctl commands using your current credentials. For example, run the following command, assigning teleport.example.com to the domain name of the Teleport Proxy Service in your cluster and [email protected] teleport.example.com --user= [email protected] tsh login --proxy=--user= tctl status tctl status command, you can use your current credentials to run subsequent tctl commands from your workstation. If you host your own Teleport cluster, you can also run tctl commands on the computer that hosts the Teleport Auth Service for full permissions.

Hardware device for multi-factor authentication, such as YubiKey or SoloKey

A Web browser with WebAuthn support (if using SSH or desktop sessions from the Teleport Web UI).

Per-session MFA with FIPS Teleport FIPS builds disable local users. To configure WebAuthn in order to use per-session MFA with FIPS builds, provide the following in your teleport.yaml : teleport: auth_service: local_auth: false second_factor: "webauthn" webauthn: rp_id: teleport.example.com

Per-session MFA can be enforced cluster-wide or only for some specific roles.

To enforce MFA checks for all roles, edit your cluster authentication configuration.

Edit your cluster_auth_preference resource:

tctl edit cap

Ensure that the resource contains the following content:

kind: cluster_auth_preference metadata: name: cluster-auth-preference spec: require_session_mfa: true version: v2

Apply your changes by saving and closing the file in your editor.

To enforce MFA checks for a specific role, update the role to contain:

kind: role version: v7 metadata: name: example-role-with-mfa spec: options: require_session_mfa: true allow: ... deny: ...

Role-specific enforcement only applies when accessing resources matching a role's allow section.

Let's walk through an example of setting up per-session MFA checks for roles.

Jerry is an engineer with access to the company infrastructure. The infrastructure is split into development and production environments. Security engineer Olga wants to enforce MFA checks for accessing production servers. Development servers don't require this to reduce engineers' friction.

Olga defines two Teleport roles: access-dev and access-prod :

kind: role version: v7 metadata: name: access-dev spec: allow: node_labels: env: dev logins: - jerry kind: role version: v7 metadata: name: access-prod spec: options: require_session_mfa: true allow: node_labels: env: prod logins: - jerry deny: {}

Olga then assigns both roles to all engineers, including Jerry.

When Jerry logs into node dev1.example.com (with label env: dev as login jerry ), nothing special happens:

But when Jerry logs into node rod3.example.com (with label env: prod as login jerry ), he gets prompted for an MFA check:

OTP If you are using tsh in a constrained environment, you can tell it to use OTP by doing tsh --mfa-mode=otp ssh prod3.example.com . OTP can only be used with per-session MFA when using tsh or Teleport Connect to establish connections. A hardware MFA key is required for using per-session MFA with Teleport's Web UI.

If per-session MFA was enabled cluster-wide, Jerry would be prompted for MFA even when logging into dev1.example.com .

Per-session MFA for Database Access The Teleport Database Service supports per-connection MFA. When Jerry connects to the database prod-mysql-instance (with label env: prod ), he gets prompted for an MFA check for each tsh db connect or tsh proxy db call: tsh db connect prod-mysql-instance

Jerry can also execute a query against multiple databases with a single MFA check using the tsh db exec command: tsh db exec "select 1" --labels env=prod --db-user teleport-user --output-dir=logs Searching databases ... Found 2 database(s):

Name Description Protocol Labels --------------------- ----------- -------- -------- prod-mysql-instance-1 mysql env=prod prod-mysql-instance-2 mysql env=prod

Do you want to proceed with 2 database(s)? [y/N]: y Executing command for "prod-mysql-instance-1". Output will be saved at "logs/prod-mysql-instance-1.output". MFA is required to access Database "prod-mysql-instance-1" Tap any security key Detected security key tap Executing command for "prod-mysql-instance-2". Output will be saved at "logs/prod-mysql-instance-2.output".

Summary: 2 of 2 succeeded. Summary is saved at "logs/summary.json". Note that each MFA check remains valid for up to 5 minutes. After the 5-minutes window, a new MFA check will be requested for new connections.

Current limitations for this feature are: