diff --git a/docker/authelia/config/configuration.acl.yml b/docker/authelia/config/configuration.acl.yml
index 81073bc..e3ed02f 100644
--- a/docker/authelia/config/configuration.acl.yml
+++ b/docker/authelia/config/configuration.acl.yml
@@ -23,6 +23,16 @@ access_control:
 # - domain: headscale.{{ env "TRAEFIK_DOMAIN" }}
 # policy: bypass
+ # Admin services require two-factor authentication
+ - domain:
+ - "portainer.nixc.us"
+ - "login.nixc.us"
+ - "git.nixc.us"
+ subject:
+ - "group:admins"
+ policy: two_factor
+
+ # General admin access (less sensitive services)
 - domain: "*.nixc.us"
 subject:
 - "group:admins"
@@ -90,12 +100,12 @@ access_control:
 subject:
 - "group:stash_admin"
 policy: one_factor
- # Graylog access
+ # Graylog access (sensitive logs require two-factor)
 - domain:
 - "log.nixc.us"
 subject:
 - "group:graylog"
- policy: one_factor
+ policy: two_factor
 # whisper access
 - domain:
 - "whisper.nixc.us"
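Review bot: The new two_factor block depends on rule order and on a default that the diff does not show. It only takes effect because it sits above the `*.nixc.us` admin wildcard, and it matches only `group:admins`, so what any other subject gets on portainer/login/git is decided by later rules or by `default_policy`. Authelia applies the first matching rule, so I would record that beside the block, e.g. `# Order matters: first match wins, keep this block above the *.nixc.us wildcard`. Also confirm that `default_policy` is `deny`, or, if no other group is meant to reach these three hosts, follow the block with a subject-less `policy: deny` rule for them. The wildcard rule's own policy line lies outside the hunk, so its level is only inferred from the "less sensitive" comment.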
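Review bot: Members of `group:admins` probably still reach log.nixc.us without a second factor, because the `*.nixc.us` admin wildcard from the first hunk is listed earlier and Authelia stops at the first matching rule, so this Graylog rule is never evaluated for them. The wildcard's policy line is not visible in the diff, but its comment ("less sensitive services") suggests one_factor. If the Graylog logs should need two-factor for every account, add `- "log.nixc.us"` to the domain list of the new admin two_factor block.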