Nexterm supports two second-factor methods that users can enable on their accounts: time-based one-time passwords (TOTP) generated by an authenticator app, and passkeys using the WebAuthn standard. Both methods work alongside any primary authentication method — local password, OIDC, or LDAP — and are configured individually per account.
TOTP (authenticator app)
TOTP generates a six-digit code that refreshes every 30 seconds. Any standard TOTP app works, including Google Authenticator, Authy, Microsoft Authenticator, and 1Password.
Setting up TOTP
Open account settings
Click your username or avatar in the top-right corner of Nexterm and open Account Settings.
Enable two-factor authentication
Find the Two-Factor Authentication section and click Set up authenticator app.
Scan the QR code
Open your authenticator app and scan the QR code shown on screen. If your app does not support QR scanning, use the manual entry key displayed below the QR code.
Passkeys (WebAuthn)
Passkeys use public-key cryptography to authenticate you using a credential stored on your device — a fingerprint sensor, Face ID, Windows Hello, or a hardware security key such as a YubiKey. No password or code is typed; your device handles the cryptographic challenge directly. Nexterm uses the @simplewebauthn/server library and enforces standard WebAuthn security requirements including origin binding and replay-attack prevention via a challenge store with a five-minute expiry.
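The following is an added example, not Nexterm's or @simplewebauthn/server's own code, showing how a single-use challenge store with a five-minute expiry and an origin check reject replayed, stale and cross-origin responses. The class and function names, the session id parameter and the origin `https://nexterm.example` are assumptions, and signature verification is left out.

```javascript
// Added illustration, not Nexterm's code; all names and the origin are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const CHALLENGE_TTL_MS = 5 * 60 * 1000;            // five-minute expiry, as described above
const EXPECTED_ORIGIN = 'https://nexterm.example'; // placeholder origin

class ChallengeStore {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so expiry can be exercised
    this.pending = new Map(); // sessionId -> { challenge, expiresAt }
  }

  // Issue a fresh random challenge for one login or registration attempt.
  issue(sessionId) {
    // Sweep abandoned challenges so the store does not grow without bound.
    for (const [id, e] of this.pending) if (this.now() > e.expiresAt) this.pending.delete(id);
    const bytes = webcrypto.getRandomValues(new Uint8Array(32));
    const challenge = Buffer.from(bytes).toString('base64url');
    this.pending.set(sessionId, { challenge, expiresAt: this.now() + CHALLENGE_TTL_MS });
    return challenge;
  }

  // Single use: the entry is removed on the first attempt, valid or not.
  consume(sessionId, challenge) {
    const entry = this.pending.get(sessionId);
    this.pending.delete(sessionId);
    if (!entry || entry.challenge !== challenge) return 'unknown-or-replayed';
    if (this.now() > entry.expiresAt) return 'expired';
    return 'ok';
  }
}

// Check the browser-written clientDataJSON before any signature verification.
function checkClientData(store, sessionId, clientDataJSON, expectedType) {
  let data;
  try { data = JSON.parse(Buffer.from(clientDataJSON, 'base64url').toString('utf8')); }
  catch { return 'malformed'; }
  if (data === null || typeof data !== 'object') return 'malformed';
  const verdict = store.consume(sessionId, String(data.challenge)); // replay prevention
  if (verdict !== 'ok') return verdict;
  if (data.type !== expectedType) return 'wrong-type';
  if (data.origin !== EXPECTED_ORIGIN) return 'wrong-origin';      // origin binding
  return 'ok';
}

// Constructed sample input: the client data a browser would produce for an origin.
function sampleClientData(challenge, origin, type = 'webauthn.get') {
  return Buffer.from(JSON.stringify({ type, challenge, origin })).toString('base64url');
}
```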
Registering a passkey
You must already be logged in to register a passkey.
Complete the device prompt
Your browser will prompt you to authenticate using your platform authenticator (fingerprint, Face ID, PIN, or security key). Follow the on-screen steps from your OS or browser.
Managing passkeys
From Account Settings → Passkeys you can:
- View all registered passkeys with their names and registration dates.
- Rename a passkey to keep your list organised.
- Delete a passkey you no longer want to use.
Recovery considerations
Nexterm does not currently generate backup codes. If you lose access to your TOTP device or all registered passkeys, you will need an administrator to reset your account’s second factor.
Administrators can reset two-factor authentication for other users from Settings → Users. As an admin, make sure you have a recovery path for your own account — for example, by registering a passkey on a second device.
Admin considerations
Two-factor authentication is opt-in per account. There is currently no setting to enforce 2FA globally across all users. Each user must enable it from their own account settings.
When users authenticate with a passkey at the login screen, the passkey challenge and credential lookup are handled server-side against the credential stored in Nexterm’s database. The credential is tied to the rpID (the hostname of your Nexterm instance), so passkeys registered on one domain cannot be used if you move Nexterm to a different hostname.