{"slug":"add-multifactor-authentication-to-any-legacy-service","title":"Add multifactor authentication to any legacy service","tags":["tailscale","auth"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Add multifactor authentication to any legacy service\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nThe larger your company, the more likely you have \"legacy\" servers—the\r\nones that work, but your security team complains about because they refuse\r\nto cooperate with your newest security features, especially multifactor\r\nauthentication (MFA).\r\n\r\nTailscale integrates with your [existing single-sign on (SSO)\\\\\r\nprovider](https://tailscale.com/docs/integrations/identity) for authentication (including multifactor\r\nauthentication). Then we enforce connection policy and authorization control\r\nas part of the network itself. If someone isn't allowed to talk to a server,\r\nthe server completely disappears from their list of devices on the network, making it\r\ninaccessible and immune to password-guessing or phishing attacks.\r\n\r\nTailscale lets you apply MFA to any and all legacy servers\r\nincluding:\r\n\r\n- Windows file shares\r\n- Remote Desktop (RDP, Windows Terminal Services)\r\n- Citrix\r\n- SSH\r\n- Database servers including Oracle, MS SQL, MySQL, and PostgreSQL\r\n- Custom client-server apps (even if they are not web based)\r\n- Any web app\r\n\r\nNo app-level integration or reconfiguration is required, because security is\r\nbuilt into the network itself. If you configure your network to require\r\nTailscale, every one of your internal services will be subject to\r\nmultifactor authentication.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Add multifactor authentication to any legacy service</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>The larger your company, the more likely you have \"legacy\" servers—the\r\nones that work, but your security team complains about because they refuse\r\nto cooperate with your newest security features, especially multifactor\r\nauthentication (MFA).</p>\n<p>Tailscale integrates with your <a href=\"https://tailscale.com/docs/integrations/identity\">existing single-sign on (SSO)\\\r\nprovider</a> for authentication (including multifactor\r\nauthentication). Then we enforce connection policy and authorization control\r\nas part of the network itself. If someone isn't allowed to talk to a server,\r\nthe server completely disappears from their list of devices on the network, making it\r\ninaccessible and immune to password-guessing or phishing attacks.</p>\n<p>Tailscale lets you apply MFA to any and all legacy servers\r\nincluding:</p>\n<ul>\n<li>Windows file shares</li>\n<li>Remote Desktop (RDP, Windows Terminal Services)</li>\n<li>Citrix</li>\n<li>SSH</li>\n<li>Database servers including Oracle, MS SQL, MySQL, and PostgreSQL</li>\n<li>Custom client-server apps (even if they are not web based)</li>\n<li>Any web app</li>\n</ul>\n<p>No app-level integration or reconfiguration is required, because security is\r\nbuilt into the network itself. If you configure your network to require\r\nTailscale, every one of your internal services will be subject to\r\nmultifactor authentication.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}