NetNXT Logo

How to Enforce MFA for SSH and RDP Access Using Twingate?

January 19, 2026
2 min read
ByNetNXT

Overview

Legacy protocols like SSH and RDP often rely on static keys or passwords, making them vulnerable. Twingate allows you to enforce Modern MFA (Biometrics/TOTP) before the user can even initiate the SSH connection.

Step 1: Configure the Policy

  1. Navigate to Policies > Resource Policies.

  2. Create a Policy: Critical-Infrastructure-MFA.

  3. Authentication Requirements:

    • 2FA: Set to "Every Connection" or "Every 1 Hour".

  4. Assign Resources: Add your SSH Servers or RDP Jump Hosts to this policy.

Step 2: The Login Flow

  1. User Action: The user opens their terminal and types ssh admin@10.0.1.5.

  2. Twingate Intercept: The Twingate Client detects access to a protected resource.

  3. Notification: The user receives a system notification: "Authentication Required for 10.0.1.5".

  4. MFA Prompt: A browser window opens (or the Twingate mobile app prompts) for FaceID/TouchID or TOTP.

  5. Access Granted: Once passed, the SSH packet is allowed to flow.

Note: This works without installing any PAM modules or agents on the SSH server itself.

FAQ

1) How does Twingate enforce MFA for SSH and RDP sessions?

Twingate intercepts access requests to protected resources and requires multi-factor authentication before allowing SSH or RDP traffic to reach the destination.

2) Do you need to install agents on SSH or RDP servers for MFA?

No, Twingate enforces MFA at the network access layer, so no PAM modules, server agents, or configuration changes are required on target systems.

3) Can MFA be required for every SSH connection in Twingate?

Yes, policies can be configured to require MFA on every connection or at defined intervals such as hourly to balance security and usability.

4) What authentication methods are supported for Twingate MFA?

Twingate supports modern authentication including biometrics, FaceID, TouchID, and TOTP-based multi-factor authentication for secure access.

5) What happens if a user fails MFA when accessing SSH or RDP?

If MFA verification fails, Twingate blocks the connection entirely, preventing the user from establishing any SSH or RDP session to the protected resource.

Was this article helpful?