How to Enable Multi-Factor Authentication (MFA) in Zabbix

0

Introduction

In today’s world, where cyberattacks are becoming increasingly sophisticated, account security is more important than ever. One of the most effective ways to protect user accounts is through Multi-Factor Authentication (MFA). It adds an extra layer of protection on top of the standard username and password login.

Zabbix, a popular monitoring system, supports MFA using TOTP (Time-based One-Time Password). In this article, we’ll walk through the process of enabling MFA in Zabbix to help secure your monitoring environment.

Enabling Global MFA Settings

First, log in to Zabbix using a super admin account, since only super admins have access to global configuration settings.

  1. Navigate to Users → Authentication.
  2. Open the MFA settings tab.
  3. Enable Multi-factor authentication by checking the corresponding box.

This allows Zabbix to use multi-factor authentication for user logins.

Activate checkbox and add authentication method

Adding an Authentication Method

After enabling MFA, you need to add a method that Zabbix will use to process authentication requests.

Configuration:

  • Click Add under the Methods section.
  • In the dialog window, enter the following:
    • Type: TOTP (Time-based One-Time Password)
    • Name: Zabbix RPI — this name will be displayed in your authentication app (e.g., Google Authenticator, Authy)
    • Hash function: SHA-256
    • Code length: leave it as 6 — this is the standard code length for TOTP

Note: Once this method is added, users allowed to use MFA can set up their mobile authentication apps accordingly.

In this case there are nom users, so we need to add group for mfa and add users to this group.

Creating a User Group for MFA

Zabbix allows you to enforce MFA at the group level, rather than for each user individually. This makes it easy to manage which users are required to use two-factor authentication.

  1. Go to Users → User groups.
  2. Create a new group with the following parameters:
    • Group name: TOTP group
    • Users: add the user Admin (or any other user who should use MFA)
    • Multi-factor authentication: select the previously created method (Zabbix TOTP) if it’s not set as default

Now, all users in this group will be required to configure MFA in their profiles — for example, by scanning a QR code in their mobile app.

Important: MFA settings are applied per group, not per individual user. So, make sure users are added to the correct group.

Check result

To test the operation, you must log out of your account and log in again to initialize the authenticator token creation process.

My Google Google Authenticator got next record:

Conclusion

Enabling multi-factor authentication is one of the simplest and most effective ways to protect your Zabbix monitoring system from unauthorized access. With TOTP and group-based policies, the setup takes just a few minutes but significantly enhances your security posture.