Multi-Factor Authentication

Cambium’s Single-Sign-On system, which is used by cnMaestro, our Learning Management System and the Cambium Community, supports Multi-Factor Authentication (MFA) for enhanced security.

What is Multi-Factor Authentication?

MFA means providing more than one type of “evidence” when logging in to your account. The usual types of evidence are:

  • something you know (for example, a password)
  • something you have (for example, a physical token or an app on a phone that generates time-based passcodes)
  • something you are (a biometric identifier, such as a fingerprint)

Cambium’s MFA system uses Time-based One-Time Password (TOTP). When you enable MFA on your account, you will configure an app to generate passcodes. In order to log in to your account, you will have to provide both your password and a code generated by this app.

What if I lose my passcode generator?

When you enable MFA, you will also be given 10 Recovery Codes. These can be used instead of a TOTP code to log in to your account. Each recovery code can only be used once.


Your recovery codes will only be displayed when you are enabling MFA - there is no way to view them later. You must download them or print them out during the MFA configuration process.

How do I enable MFA on my account?

Start at the MFA configuration page on the Cambium support site. If MFA is already enabled, you will have 2 options, Reconfigure MFA and Disable MFA. Otherwise you will just have the option Enable MFA.

When you select Enable MFA, you will be asked to re-enter your password, then you will be presented with a summary of the steps:


Recovery Codes

The first step is to securely save your account recovery codes. As the warning says, you will not get another opportunity to view these, and they are the only way to get into your account if you lose your authenticator device.

Configure OTP Authenticator

The next step is to configure your One-Time Password application. There are a number of applications that support the TOTP standard, including:

  • Google Authenticator
  • Microsoft Authenticator
  • Duo Mobile
  • LastPass Authenticator

Many TOTP applications allow you to add an account by scanning a QR code. If you aren’t able to scan the QR code, applications will normally have a way for you to provide the secret as text instead.

Confirm Settings

The last step is to confirm that your TOTP application is properly configured, by entering a code generated by the application.

Assuming all goes well, you will be redirected back to the MFA overview page, which should now confirm that MFA is enabled. You should also receive an email notification that MFA has been enabled on your account.

How do I log in when MFA is enabled?

When you log in to an account with MFA enabled, you will be presented with a new form where you can enter a code generated by your TOTP app.


If you are unable to generate an authentication code, you can click the use a recovery code link, which will take you to this form:


You will receive an email notification whenever you use a recovery code.

How do I disable MFA?

Start at the MFA overview page and click the Disable MFA button. You will be asked to re-enter your password and then MFA will be removed from your account. You will also receive an email notification confirming that MFA has been disabled.


Hi Simon thank you so much for this feature.


A post was split to a new topic: MFA for cnMaestro On-Premises

Enabled and working for me!

1 Like

Excellent. Cambium is a bit late to the party with such a crucial security feature, but still should be congratulated and thanked for doing the right thing here.

Hopefully this also means they’re thinking carefully about the overall security of CNMaestro to avoid incidents like the ubiquiti screw up.

Any plans to add support for Security Keys like YubuKey to increase security?

I would like to support those sorts of devices, and also Passkeys, via the WebAuthn API. I don’t know when it will happen, but it is definitely planned.