How to get access to PBX with 2FA for root admins

This guide for root admins explains how to get and manage OTP codes for secure PBX access using 2FA.

Created: June 2025

Updated: June 2025

Permalink: https://wildix.atlassian.net/wiki/x/Y4BQTQ

Introduction

Starting from WMS versions 6.10.20250609.6 and 7.02.20250609.3, mandatory 2FA is introduced for root admins. This security improvement is designed to better protect admin accounts, reduce the risk of credential-based attacks, and strengthen the overall security of PBX management.

Important: Basic Auth is no longer supported by default for root admins. To enable it, add the following parameter to env.custom.ini: ALLOW_BASIC_AUTH=true.

This parameter does not affect or interact with 2FA; it relates only to the authentication and authorization mechanism for API requests to the PBX.

Default login flow

  1. Access WMP (from SFPC, or directly)

  2. Navigate to Customers

  3. Select the company associated with the PBX you wish to access → click the Options button (three dots) and select Pbxes

  4. Click on the lock icon located next to the specific PBX

  5. Copy the OTP and paste it to the login window

SSH access for restricted PBX

In cases where WMP cannot reach the PBX (e.g., firewall restrictions), use the following SSH method to retrieve the OTP:

  1. Connect to the PBX via SSH

  2. Log in as root

  3. Execute the following command:

    /usr/sbin/get_admin_otp

  4. Copy the OTP and paste it to the login window

QR code flow

After the initial login, additional steps can be performed to simplify future access and allow end customer admins to retrieve OTPs independently when needed.

Scan QR Code in WMS

  1. Go to WMS Settings → PBX → Security

  2. Under Admin Two-Factor Authentication, click Show QR Code

  3. Enter the admin password and click Verify & Continue

  4. Display the QR code and scan it using an authentication app (such as Google Authenticator or similar) on a mobile device

Store OTP in a password manager

You can add a record with OTP to Keeper or any other similar password manager. Below is an example of how to add it to Keeper:

  1. Open Keeper Vault via Desktop or mobile app

  2. Select or create a record for the corresponding PBX

  3. Click Edit record and select Add Two-Factor Code

  4. Scan the QR code displayed in WMS (PBX → Security)

FAQ

Q1. When scanning the QR code in the authenticator app, will it populate the PBX name/DNS or just "admin"?

The QR code will create a record like PBX: <pbx name> and is linked to the admin user only. For regular users enabling 2FA via the old Collaboration interface, the record will display as PBX: <user name>.

Q2. Can multiple admins scan the same QR code in their authentication apps?

Yes, multiple admins can scan the QR code in WMS Settings → PBX → Security and reuse it. Important: If anyone regenerates the QR code, all previously scanned codes will be invalidated.

Q3. Can OTP secrets be used with shared tools, e.g. Keeper, for multiple admins?

Yes. You can embed the OTP secret into any authentication provider that supports the unified OTP link standard. For example, Keeper allows adding secrets manually or by scanning a QR code, enabling secure shared access with pre-filled credentials and OTP support.

Q4. Will the new WMS release override the previously added ALLOW_BASIC_AUTH=true parameter in the env.custom.ini file?

No, if there is ALLOW_BASIC_AUTH=true in env.custom.ini, basic auth is allowed for admin.
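
For Q2 and Q3 above, the following added example (not Wildix code) shows why every admin who scans the same QR code gets the same OTP, and why regenerating the QR code invalidates earlier enrollments. It assumes the QR code encodes a standard otpauth://totp URI with the usual authenticator-app defaults (HMAC-SHA1, 6 digits, 30-second period); the URIs, PBX name and secrets are constructed samples.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URIs (assumed format); these are not real PBX secrets.
ORIGINAL_QR = "otpauth://totp/PBX%3A%20demo-pbx?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
REGENERATED_QR = "otpauth://totp/PBX%3A%20demo-pbx?secret=JBSWY3DPEHPK3PXP"

def parse_otpauth(uri):
    """Split an otpauth://totp URI into label, Base32 secret, digits and period."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("URI carries no secret")
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }

def totp(secret_b32, unix_time, digits=6, period=30):
    """RFC 6238 TOTP over HMAC-SHA1 for the given Unix timestamp."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # restore stripped padding
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def code_from_uri(uri, unix_time):
    """OTP that an authenticator app enrolled with this URI would display."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["digits"], p["period"])

if __name__ == "__main__":
    now = 59  # fixed timestamp so the output is reproducible
    print("record label:      ", parse_otpauth(ORIGINAL_QR)["label"])
    print("admin A (scan 1):  ", code_from_uri(ORIGINAL_QR, now))
    print("admin B (scan 2):  ", code_from_uri(ORIGINAL_QR, now))
    print("after regeneration:", code_from_uri(REGENERATED_QR, now))
```

Because the secret alone is enough to produce valid codes, a password-manager record that stores it needs the same access control as the admin password itself.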