Setting up two-factor authentication in 1C-Bitrix

Two-factor authentication (2FA) is natively supported in Bitrix via OTP (one-time passwords) using the TOTP standard, which is compatible with Google Authenticator, Authy, and Microsoft Authenticator. Setup takes less than an hour, and enabling it is critically important for administrator accounts.

Built-in OTP Authentication

The 2FA module is part of the main module. Enable it under Settings → Main Module → Two-Factor Authorization.

Parameters:

  • Mandatory use — for selected user groups. Always enable it for the "Administrators" group
  • Code validity period — TOTP standard: 30 seconds. Do not change unless necessary
  • Code length — 6 or 8 digits

Once enabled, the user is shown a QR code on their next login to set up an authenticator app. The secret is stored in b_user.OTP_SECRET in encrypted form.

Configuration for Specific Groups

If you need to apply 2FA only to certain users (e.g., staff but not customers):

  1. Settings → User Groups → [target group] → Two-Factor Authorization: Required
  2. Or programmatically via the OnAfterUserAuthorize event — check the group and redirect to the OTP setup page

SMS Authentication

Bitrix does not have a built-in SMS gateway for 2FA, but this can be addressed through the OnOTPCheck event handler — any SMS provider can be integrated (e.g., SMS.ru, SMSC.ru). Implementation: on first login, a code is generated, sent via SMS, and entered by the user.

Alternatively, use Marketplace modules for SMS 2FA if you prefer not to write a custom handler.

Real-World Case

An online store had an administrator account compromised through brute force: the password Admin2023 was not rejected by the minimum-length restrictions of an older policy. The attacker modified the payment details in the checkout settings. Post-incident response: mandatory 2FA for the "Administrators" and "Managers" groups, and an audit of all existing passwords via b_user.PASSWORD to identify weak hashes (unsalted MD5 on legacy accounts).

Backup Codes

The built-in OTP does not generate backup codes automatically — this needs to be implemented separately, or a 2FA reset procedure via an administrator must be documented. Without access to the phone and without backup codes, a user permanently loses access to their account.
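
One way to implement the separate backup codes described above, as an added example in plain PHP (not Bitrix code and not from the original page). The function names, the code format and the in-memory array of hashes are assumptions; on a real site the hashes would be stored in your own table, per user.

```php
<?php
declare(strict_types=1);

// Unambiguous alphabet (no 0/O/1/I): 32 symbols, 5 bits per character.
const BACKUP_ALPHABET = '23456789ABCDEFGHJKLMNPQRSTUVWXYZ';

/**
 * Returns [plain codes to show the user once, hashes to store].
 * Only the hashes are persisted; the plain codes are never saved.
 */
function generateBackupCodes(int $count = 10, int $length = 10): array
{
    $alphabet = BACKUP_ALPHABET;
    $plain = [];
    $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $code = '';
        for ($j = 0; $j < $length; $j++) {
            $code .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG
        }
        $plain[] = substr($code, 0, 5) . '-' . substr($code, 5); // display form
        $hashes[] = password_hash($code, PASSWORD_DEFAULT);      // salted, slow hash
    }
    return [$plain, $hashes];
}

/** Accepts a code at most once: the matching hash is removed on success. */
function redeemBackupCode(string $input, array &$hashes): bool
{
    // Normalise what the user typed: drop separators and spaces, ignore case.
    $code = strtoupper((string) preg_replace('/[^0-9A-Za-z]/', '', $input));
    foreach ($hashes as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($hashes[$i]); // single use: persist the reduced list
            return true;
        }
    }
    return false;
}

// Constructed demo: enrol a user, then present the same code twice.
[$codes, $stored] = generateBackupCodes();
var_dump(redeemBackupCode(strtolower($codes[0]), $stored)); // first use
var_dump(redeemBackupCode($codes[0], $stored));             // replay of the same code
var_dump(count($stored));                                   // hashes still redeemable
```

Accept a backup code only after the password check has passed, and count failed attempts against the same lockout limits as OTP codes. Regenerating the set should replace all stored hashes so that old printouts stop working.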

Delivery Time

Enabling and configuring built-in OTP for all groups — 2–3 hours. With custom SMS integration — 1 business day.