Two-Factor Authentication

Article Number:02042

Two-Factor Authentication checks user's ID by combining two of the following factors.

  • The fact that only that user knows
  • The thing that only that user possesses
  • That user's feature (fingerprint, face, etc.)

Two-Factor Authentication in Kintone uses the two factors ("The fact that only that user knows" and "The thing that only that user possesses").

The fact that only that user knows The thing that only that user possesses
Combination of login names and passwords Verification code generated in authentication app installed in mobile devices

By using two-factor authentication, you can prevent unauthorized access by third parties even when they identified the combination of the user's login name and password. It is because it requires the authentication that uses "the thing that only the user possesses" for a successful login.

Login flow when using two-factor authentication

Things You Should Know When Using Two-Factor Authentication

If you enable two-factor authentication, you will be prompted for your "login name and password" and "verification code" whenever you log in to Kintone.
An authentication app (such as Google Authenticator) will generate different "verification codes" on every request.
Therefore, you need to check your "verification code" on your mobile device every time you log in to.

Although it might seem troublesome, this procedure is a mechanism to make it difficult for third parties to identify your login information. Please understand that you follow this procedure for the secure access.

Setting Up the Mobile App

To configure logins with mobile apps, it is necessary to provide the "verification code".

For details, refer to the following page:


Certain functions become unavailable if the two-factor authentication is enabled by users.


REST API does not support the Two-Factor Authentication.
Therefore, users who enabled the Two-Factor Authentication cannot use password authentication in REST API.

They should use other authentication methods such as API token, session authentication, or OAuth authentication, or use another user for integrations whose Two-Factor Authentication setting is disabled.

For details on APIs, refer to cybozu developer network.

Guest Users

Guest users in Kintone cannot use the Two-Factor Authentication.