Multi-Factor Authentication (MFA)
To enhance account security and align with modern security standards, Multi-Factor Authentication (MFA) has been introduced in the INDIGO IAM service.
MFA lets users add a further layer of protection by registering a second authentication factor. Once it is enabled, the primary credential alone no longer suffices to log in.
The primary goals of MFA are:
- Strengthening security: Reducing the risk of unauthorized access, even if login credentials are compromised
- Compliance: Meeting client security policies that mandate the use of multi-factor authentication
For MFA to be available, the IAM service must be started with the mfa profile configured.
Info
MFA support is experimental. It applies to login with username and password, login with external SAML/OIDC providers, and login with X.509 certificates.
How to enable MFA
Authenticated users can enable MFA through a button on their homepage.
Steps to enable MFA:
1. Click the Enable MFA button, then click Enable.
2. Confirm activation. A dialogue box will appear, prompting the user to enter a Time-based One-Time Password (TOTP) generated by an authenticator (e.g., the Ente Auth app).
3. Submit the TOTP. Enter the TOTP into the field provided and click Submit. If the code is correct, MFA is enabled.
4. Login with MFA. Once MFA is enabled, each login will require:
- A primary authentication method (e.g., username and password, SSO or an X.509 certificate)
- A second factor (the TOTP) entered on a follow-up page
How to disable MFA
Users can disable MFA by following these steps:
1. Click the Disable MFA button, then click Disable.
2. Confirm deactivation. A dialogue box will appear, prompting the user to enter the TOTP.
3. Submit the TOTP. Enter the TOTP into the field provided and click Submit. If the code is correct, MFA is disabled.
From this point forward, the user will no longer need to provide a second authentication factor during login.
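What the authenticator app and the server are doing behind the TOTP prompts above, whether the code is submitted to enable MFA, at login, or to disable MFA, is RFC 6238 TOTP on a shared secret. The following is an added Python example that is not INDIGO IAM code: it generates a secret and the otpauth provisioning URI an authenticator app consumes, produces codes the way the app does, and verifies them the way a server should, with a small clock-skew window and a replay check. The secret, the account name, the "INDIGO IAM" issuer string and the one-step skew window are constructed assumptions, not values taken from the service.

```python
"""TOTP (RFC 6238) second factor: provisioning, code generation, verification.
Added example, not INDIGO IAM code. Secret, account, issuer and skew window are
constructed for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time-step
DIGITS = 6          # code length shown by authenticator apps


def generate_secret(num_bytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str = "INDIGO IAM") -> str:
    """otpauth:// key URI, i.e. the content of an enrolment QR code understood by
    authenticator apps such as Ente Auth. Issuer and account are illustrative."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then the
    dynamic truncation to a fixed number of decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    This is what the authenticator app computes and displays."""
    return hotp(secret_b32, at_time // step)


class TotpVerifier:
    """Server-side check run whenever the user submits a code (to enable MFA,
    at login, or to disable MFA). One verifier per enrolled secret."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret = secret_b32
        self.window = window            # tolerated clock skew, in time-steps
        self.last_used_counter = -1     # highest time-step already consumed

    def verify(self, code: str, at_time: Optional[int] = None) -> bool:
        # Reject malformed input before doing any cryptography.
        if len(code) != DIGITS or not code.isdigit():
            return False
        now = int(time.time()) if at_time is None else at_time
        current = now // STEP_SECONDS
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_used_counter:
                continue  # replay protection: each time-step is accepted once only
            # Constant-time comparison so a wrong code leaks no timing information.
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.org"))   # constructed account
    verifier = TotpVerifier(secret)
    code = totp(secret, int(time.time()))   # what the authenticator shows right now
    print("first use:", verifier.verify(code), "replay of same code:", verifier.verify(code))
```

Two points in the verifier are what a practitioner should expect from any TOTP-capable service: a small skew window (here one step either side, so about 30 seconds of clock drift between phone and server is tolerated) and the rule that a time-step, once accepted, is never accepted again, so a code observed over someone's shoulder or captured in transit cannot be replayed within its validity period. The `hotp` and `totp` functions reproduce the published RFC 4226/6238 test vectors for the ASCII secret `12345678901234567890`.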
In case of problems with the authenticator
If users lose access to their authenticator app, they can ask IAM administrators to disable MFA on their behalf. Because this removes the second factor from the account, administrators should confirm the identity of the person making the request before doing so.
Administrators should go to the user’s homepage and click the Disable MFA button.
A confirmation dialogue will appear. Click Ok to finalize the process.
Once completed, MFA is disabled for the user, who can then log in without the second authentication factor.