Skip to Content

Access Keyword 2FA explained

How to enable/disable Access Keyword 2FA (Two-factor Authentication) in Ezeelogin?


Overview: This article provides step by step instructions for Ezeelogin gateway users to enable or disable and reset access keyword two-factor authentication (2FA). It also covers methods to disable access keyword 2FA through  GUI and via backend.


Access keyword is a two-factor mechanism used for securing the Ezeelogin GUI and the backend(ezsh). Ideally, it would be phrases that can be easily remembered. They should never be written down and should be stored only in your memory. 

1. How to enable Access Keyword 2FA?

Step 1(A): Enable access keyword 2FA in the Ezeelogin GUI as an admin privileged user. Log in to Ezeelogin GUI and navigate to Settings -> General -> Two Factor Authentication -> Enable Access Keyword.

Step 1(B): To set up access keyword 2FA for user authentication, log in to the Ezeelogin GUI as the user for whom access keyword is to be set up. Then, navigate to Account -> Password -> New Access Keyword -> Confirm Access Keyword and provide the authorization password of the user and click on save.

The access keyword should have a minimum of 10 characters and at least 4 unique characters. Example of phrases that can be used for access keywords would be a phrase like  "top dog bites".

Step 1(C): Once access keyword has been set up Ezeelogin GUI would ask for the characters from 3 different positions while authenticating. As shown below, enter the characters from the first, eight, and thirteenth positions within the phrase(top dog bites).

Step 1(D): Enter the character that would come in the first, eighth, and thirteenth positions within the phrase(top dog bites), which would be 't', '  '  and 's'. Note that, space is a character and would be counted. For example the character in the eighth position would be the space character, which means simply pressing the 'space' key. 

Step 1(E): The backend 2fa method will also be now using access keyword. In this case, enter the characters in the third, fourth, and sixth positions within the phrase(top dog bites) which would be 'p', space', and 'o'.

Step 1(F): If the admin privileged user has enabled force two factor authentication and the non-privilged user has not setup access keyword, then Ezeelogin GUI will prompt to set up the access Keyword when logging in as the non-privileged user.

2. How to reset Access Keyword 2FA through the GUI for a non-privileged user?

Step 2(A): Log in as the non-privileged gateway user to the Ezeelogin GUI, navigate to Account -> Password -> Enter the new access keyword -> Confirm Access Keyword and provide the authorization password of the user and click on save.

Step 2(B): If the non-privileged user is unable to log in to the Ezeelogin GUI, then only the admin user can reset the access keyword from the GUI. Log in as admin user and select the Reset Password option for that non-privileged user.

Step 2(C): Enable Clear Two-Factor Authentication Secret and after providing authorization password click on save

Step 2(D): Relogin as the non-privileged user and Ezeelogin GUI will prompt to set up new access keyword.

3. How to disable Access Keyword 2FA from GUI Globally?

Step 3(A): Navigate to Settings -> General -> Two Factor Authentication -> Disable Access keyword

Emergency CLI Method

Run the below commands to disable and clear access keyword 2fa. Replace username to disable access keyword for that user.

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value='N' where(name='enable_access_keyword')"

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set eak=NULL where username='ezadmin'"

This error happens when we enforce Two-Factor authentication without enabling any of the Two-Factor authentications. Run the following command to disable Force Two Factor Authentication.

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php  "update prefix_usergroups SET force_tfa = 'N'"


Related Articles:

Enable/Disable two factor authentication in Ezeelogin

Error: No Two-factor Authentication enabled in GUI

Disable two factor authentication from backend