Applying 2FA for Decap CMS Users


I’ve been using Netlify for a couple of months now to create websites both personal and for clients. I’m currently stumped with a requirement where users who are given access to the CMS need to authenticate themselves using two-factor authentication first before being able to log-in normally. I’m using Gatsby and Decap CMS.

According to what I’ve been able to look up online, 2FA can be applied to Netlify user accounts for free, and enforced 2FA can be done on teams after upgrading the account tier. However, this only affects logging into the Netlify dashboard. I am specifically looking for 2FA to be applied to Decap CMS users (which I understand to actually be Netlify Identity users).

Would anyone have an idea on this or could point me to the right direction?


@rtnario As with what you’ve found yourself, I can see it’s possible to apply 2FA to Netlify Accounts, but it doesn’t seem to be a feature available for use with Netlify Identity users.

It’s discussed in this thread:

This GitHub issue never got a response:

Thanks for the response @nathanmartin. I also saw the same thread although its need is slightly different since it needed SMS verification. I tested 2FA for Netlify user accounts myself and it worked beautifully. I was wondering if that exact functionality could also be reused for Netlify Identity somehow, or any solution like it.

Hello @hrishikesh, is it possible for you to elaborate on the solution you were proposing in the old thread (the one that doesn’t necessarily rely on Netlify)?

Excellent, I was going to suggest pinging hrishikesh to elaborate on that final comment or advise if there is anything relevant that has changed in the last two years.

1 Like

I won’t recommend spending too long to solve this issue. As an inside note (which would be public someday), we’re moving to deprecate Identity. I believe it would still continue to work for existing users, but you can expect us to not provide any support for that feature.

As for how to do what I suggested there, you can use Identity-triggered functions: Functions and Identity | Netlify Docs (the login event). Within the Function, you can validate any 2FA requests and decide whether or not to allow the login.