I followed the documentation below to enable MFA for a specific tenant: https://abp.io/docs/commercial/8.1/modules/identity/two-factor-authentication
However, even after enabling all the options mentioned in the documentation, the authenticator options are still not visible for the tenant user.
22 Answer(s)
-
0
- Solution To make authenticator options (e.g., Authenticator App/Time-based OTP) visible and usable for a tenant user in an Angular, tiered ABP 8.2.1 solution, verify these points end-to-end:
Ensure the correct module/package
- Authenticator App-based 2FA UI and flows are provided by the commercial Account/Identity modules. Make sure your solution includes and runs the commercial modules (Account/Identity Pro) on the Auth Server and API Host. Without the Pro UI, the “authenticator app” option will not appear.
Enable Two-Factor at the tenant level
- Log in as the tenant admin.
- Go to Administration > Identity > Settings (Security/Two-Factor).
- Set:
- Enable two-factor authentication: On
- Enable authenticator: On
- (Optional) Enable email/phone if you want those too.
- Save tenant settings.
Confirm user prerequisites so “supportTwoFactor” becomes true
- A user must have at least one valid 2FA provider enrolled to see and use it.
- For Authenticator App:
- The user must register an authenticator in their My Account > Security > Two-Factor page (the page shows QR code/secret to pair in Google Authenticator/Microsoft Authenticator, etc.). After pairing and confirming a TOTP code, ABP will mark authenticator as available.
- For Phone/Email 2FA:
- Phone/Email must be confirmed for those providers to count as available.
- If twoFactorEnabled is true but supportTwoFactor is false, the user still won’t see or be able to use 2FA providers until a provider is actually configured for the user.
Angular app must talk to the correct tenant
- Make sure Angular resolves and sends the tenant correctly (especially in tiered setup):
- If you use subdomain tenant resolution, configure baseUrl and oAuthConfig issuer/redirectUri per-tenant domain or pass __tenant explicitly on login.
- The Angular app automatically adds the __tenant header from application-configuration; ensure the selected tenant is the one in which you enabled 2FA.
- If the login is performed against the Host or a different tenant than the user’s, the tenant-level 2FA settings may not apply and options won’t show.
- Make sure Angular resolves and sends the tenant correctly (especially in tiered setup):
Auth Server client/cors/redirect settings
- Ensure your Auth Server’s allowed redirect URIs and CORS entries contain your Angular app’s domain(s).
- If you use wildcard domains, configure wildcard domain support properly on OpenIddict and list patterns or explicit domains for RedirectAllowedUrls/CorsOrigins in Host.
Where to see and manage authenticator options in Angular UI
- In the commercial Angular UI, authenticator management is available under the user’s “My Account” (Account Public module) > Security > Two-Factor.
- If you don’t see the Security/Two-Factor page or the Authenticator section there:
- Verify the Account Public module is enabled and reachable from your Angular app.
- Verify the user is in the correct tenant and the tenant 2FA features are enabled as above.
Common pitfalls that hide Authenticator options
- Using Host context while the user belongs to a tenant (or vice versa).
- Not having the commercial modules that include the 2FA UI.
- Two-Factor enabled at tenant level, but user has not enrolled an authenticator (thus supportTwoFactor remains false).
- Email/Phone not confirmed when relying on those providers.
- Angular not sending the __tenant header/parameter due to misconfigured baseUrl or not using domain-based tenant resolve.
If you still can’t see the Authenticator option after the above:
- Log in as the tenant user and open the “My Account” Two-Factor page directly and try to enroll the authenticator (scan QR and verify code). Once completed, the Authenticator option will appear for the user during MFA challenges.
- Sources
- https://abp.io/docs/commercial/8.1/modules/identity/two-factor-authentication
- https://abp.io/docs/latest/framework/ui/angular/multi-tenancy
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
Make sure your solution includes and runs the commercial modules (Account/Identity Pro) on the Auth Server and API Host how can i check whether the above modules are included or not in my project/auth server
-
0
- Solution Use all of the following checks to verify that the commercial Identity/Account Pro modules are included and running in your solution (Auth Server/API Host) and Angular UI.
Backend (Auth Server/API Host)
- Check module dependencies in your module classes
- In AuthServerModule and HttpApiHostModule (and ApplicationModule if used), look for DependsOn attributes that reference the Pro modules:
[DependsOn( typeof(AbpIdentityApplicationModule), // basic typeof(AbpIdentityHttpApiModule), typeof(AbpAccountApplicationModule), // basic typeof(AbpAccountHttpApiModule), // Pro modules -> these must exist for commercial features like authenticator UI typeof(Volo.Abp.Identity.Pro.AbpIdentityProApplicationModule), typeof(Volo.Abp.Identity.Pro.AbpIdentityProHttpApiModule), typeof(Volo.Abp.Account.Pro.AbpAccountProPublicHttpApiModule), typeof(Volo.Abp.Account.Pro.AbpAccountProApplicationModule) )] public class AuthServerModule : AbpModule { }Notes:
- Exact class names may vary slightly by version, but namespaces will include Volo.Abp.Identity.Pro and Volo.Abp.Account.Pro for Pro packages.
- If you only see basic modules (no .Pro), you are not running the commercial features.
Check NuGet package references
- Run in each executable backend project (AuthServer, HttpApiHost):
- dotnet list package | findstr /i "Volo.Abp.Identity.Pro Volo.Abp.Account.Pro"
- Or open the .csproj and verify PackageReference items like:
- <PackageReference Include="Volo.Abp.Identity.Pro" Version="8.2.*" />
- <PackageReference Include="Volo.Abp.Account.Pro.Public.Web" Version="8.2.*" /> or related Pro packages.
- Absence of these packages indicates the Pro modules are not included.
- Run in each executable backend project (AuthServer, HttpApiHost):
Verify module initialization at runtime
- Enable info logging and check startup logs; ABP logs loaded modules on startup. Look for entries containing Volo.Abp.Identity.Pro and Volo.Abp.Account.Pro.
- Alternatively, add a simple IModuleManager dump in a development endpoint to list loaded module names and confirm the Pro modules are present.
Licensing check (development)
- Ensure you are logged in with abp login and your private NuGet feed is configured so the Pro packages restore. If restore fell back to basic packages, you will miss Pro features.
Angular frontend
Check NPM package dependencies
- In angular/package.json, verify commercial UI packages used by authenticator/2FA flows:
- @volo/abp.commercial.ng.ui
- @volo/abp.ng.account.public (or @volosoft/abp.ng.account.public, depending on version)
- @volo/abp.ng.identity.pro (if used)
- LeptonX packages are unrelated to 2FA availability but confirm you are on commercial UI.
- Install list:
- npm ls @volo/abp.commercial.ng.ui @volo/abp.ng.account.public @volo/abp.ng.identity.pro
- In angular/package.json, verify commercial UI packages used by authenticator/2FA flows:
Routing/components existence
- In your Angular app, ensure Account Public module routes exist (e.g., /account/manage/security/two-factor). In code, check that AccountPublicModule (from @volo/abp.ng.account.public) is imported in the root or a feature module.
Functional confirmation
- Tenant-level settings UI
- Log in as the tenant admin and open Administration > Identity > Settings. If you see the extended 2FA settings (including Authenticator), it strongly indicates Identity Pro is active on that tenant.
- My Account > Security > Two-Factor page
- As a user, navigate to My Account > Security > Two-Factor and check for Authenticator enrollment (QR code). Presence confirms Account Public Pro features are active end-to-end.
If you find only basic modules
- Add the missing Pro packages to the Auth Server/API Host .csproj files and update the module DependsOn to include the Pro modules.
- Restore packages using your commercial feed, rebuild, and redeploy.
- Ensure Angular has the @volo commercial packages, re-build, and redeploy.
- Sources
- https://abp.io/docs/latest/framework/architecture/modularity/basics
- https://abp.io/docs/commercial/8.1/modules/identity/two-factor-authentication
- https://abp.io/docs/latest/framework/ui/angular/multi-tenancy
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
the above packages were not found
-
0
hi
Can you share your steps and screenshots?
I will try that in a new project.
Thanks.
-
0
I logged in as a host admin and navigated to the** Administration > Saas > Saas Tenants** and selected the tenant , from the action items i have selected **Feature ** option
under identity tab i have made Two factor for this tenant as optional and saved
After that i have logged in as a tenant admin and navigated to Administration > Settings and selected Account > Two Factor tab and made Two Factor as optional and checked Allow users to change their Two Factor check box and Remember this browser check box.
As a tenant admin i navigated to the Administration > User and selected a user and confirmed Email and Phone number
Later I logged in as a tenant user to whom email and phone number is confirmed. I navigated to My Account > Two Factor Authentication Tab and checked Two factor authentication enabled check box
After doing all the above steps not able to see the authenticator app options/Info
-
0
hi
I will ask our angular team.
Thanks.
-
0
Hello,
Thank you for explaining the issue with details. However, I could not produce the same problem on my side. Here is how I have followed these steps:
- I created an admin user and confirmed the e-mail and phone number
- Then, I created a tenant with using the email of this admin user
- I have enabled the two factor authentication for the admin user using this dropdown item in the screenshot
- Then, I login the account of the tenant using the admin user and I can see the authenticator details as in this screenshot
If you think that I have misunderstood any part, I could assist you further based on your feedback. Thank you for your cooperation.
-
0
In My Account section I don't see authenticator option. I am using ABP version 8.2.1
-
0
Thank you for specifying the version again. I had tried with this version particularly. However, I am unable to produce the problem. Have I followed your steps right? May I also ask whether you have made any customization that may affect this part?
-
0
Create a tenant under that create an user and make two factor as an optional for that tenant form host. Later login with the newly created tenant user and enable the two factor
**Note: ** We have done customization to the AbpUsers Table where we are not storing the TenantId in that table. We are maintaining these in another table . Does this any how impact Two Factor authentication setting
-
0
This customization should not affect this part unless you see a warning or error in the console.
If you have enabled the 2FA through this modal for the user
you should be able to see the authenticator app settings both for the tenant and the host user. -
0
Hi, I’m trying to create a new microservice template to test MFA using ABP version 8.2.1, and I’m using the following command:
abp new MyMicroserviceApp -t microservice-pro -u angular --version 8.2.1 -dbms MySQLBut the project is still being created with the latest version, and it's also defaulting to SQL Server instead of MySQL.
-
0
Could you also try the
abp-oldcommand to create a project with a specific version? You can check this documentation for details. -
0
[sumeyye.kurtulus] said: Could you also try the
abp-oldcommand to create a project with a specific version? You can check this documentation for details.I checked the documentation and installed the older CLI, then created the project using version 8.2.1. Even though I specified -dbms MySql, the project was still created with SQL Server as the database provider.
I also installed SQL Server 2014 on my system and tried running the application. When I executed the DbMigrator, it started migrating, but while inserting data into the Identity tables, it threw an error.
The below is the exception from DbMigrator log file
-
0
I also installed SQL Server 2014
Incorrect syntax near the 'WITH' keyword.
If your SQL Server version is lower, you can call the
TranslateParameterizedCollectionsToConstantsSee https://abp.io/support/questions/8969/Bug-Incorrect-syntax-near-the-%27WITH%27-keyword#answer-3a18a703-1645-932a-5562-324eb131d644
Thanks.
-
0
[maliming] said:
I also installed SQL Server 2014
Incorrect syntax near the 'WITH' keyword.
If your SQL Server version is lower, you can call the
TranslateParameterizedCollectionsToConstantsSee https://abp.io/support/questions/8969/Bug-Incorrect-syntax-near-the-%27WITH%27-keyword#answer-3a18a703-1645-932a-5562-324eb131d644
Thanks.
I did not find
TranslateParameterizedCollectionsToConstants. We are using abp framework 8.2.1 -
0
hi
Can you change it like:
Or you can zip your project(
abp clean) and share it with liming.ma@volosoft.comThanks.
-
0
[maliming] said: hi
Can you change it like:
Or you can zip your project(
abp clean) and share it with liming.ma@volosoft.comThanks.
I have shared the project zip file and let me know if you require any further info
-
0
hi
I started the MFA project, and I can see the
Authenticator apppage of a tenant(proxycare) .
-
0
[maliming] said: hi
I started the MFA project, and I can see the
Authenticator apppage of a tenant(proxycare) .- I am unable to run the app that i shared, what are the steps that you followed to run the app.
- Our project was previously on version 7.2.2, and we migrated it to 8.2.1. Could this migration be causing the issue?
- We are currently using MSG91 as our service provider for email and SMS. If we want to implement OTP-based MFA, what changes do we need to apply?
-
0
hi
I am unable to run the app that i shared, what are the steps that you followed to run the app.
I use the
run-tye.ps1command to run the backend, andyarn startfor Angular.
Our project was previously on version 7.2.2, and we migrated it to 8.2.1. Could this migration be causing the issue?
Maybe. Can you share your project?
We are currently using MSG91 as our service provider for email and SMS. If we want to implement OTP-based MFA, what changes do we need to apply?
Only enabling 2FA is enough.
Thanks.
