| copyright | lastupdated | keywords | subcollection |
|---|---|---|---|
| | 2023-04-21 | MFA, multifactor authentication, two-factor authentication, U2F, FIDO U2F, security key | account |
{{site.data.keyword.attribute-definition-list}}
{: #types}
Multifactor authentication (MFA) adds an extra layer of security to your account by requiring all users to authenticate by using another authentication factor beyond an ID and password. MFA is also commonly known as two-factor authentication (2FA).
{: shortdesc}
The following two types of MFA options might be enabled for your account:
ID-based MFA
:   ID-based MFA is the preferred method for requiring MFA in an account. This type of MFA is associated with each user's ID and authenticates them across all accounts that they are a member of, so they authenticate only one time. This type of MFA overrides the legacy account-based MFA options.

:   ID-based MFA applies to all resources in any type of account. When ID-based MFA is enabled, a user is prompted to provide a unique identifier (such as a username or email) and a one-time password (OTP) generated by an authenticator app or a hardware token. After the correct OTP is entered, access is granted to the requested resource. This type of MFA is much more secure than account-based MFA because it is not limited to classic infrastructure resources and applies to all resources within the account. It also reduces the risk of a breach that results from a weak password or from reuse of the same password across multiple accounts.

Account-based MFA
:   [Classic infrastructure]{: tag-classic-inf} Account-based MFA applies only to classic infrastructure and not to other resources in your account. Unlike ID-based MFA, legacy MFA options, such as security questions, are enforced only on the specific account where the MFA is enabled. If you have a different legacy MFA option set up for each account that you are a member of, you must authenticate in a different way each time that you switch accounts.
Legacy account-based MFA was available to accounts with classic infrastructure prior to the release of ID-based MFA. This legacy offering continues to work for accounts with classic infrastructure and requires the user to provide a secondary authentication input when logging in or switching to accounts with classic infrastructure. Non-classic resources are not secured by this legacy offering. ID-based MFA is for customers that want to implement MFA to secure the full range of IBM Cloud offerings.
{: important}
{: #id-based}
As an Administrator on the IAM Identity Service or All IAM Account Management services, you can enable ID-based MFA for the account or a specific user, and it applies to all account resources.
- You can update the MFA setting for your account by going to Manage > Access (IAM) > Settings > Authentication in the {{site.data.keyword.Bluemix}} console. For more information, see Enabling MFA for an account.
- You can update the MFA setting for a specific user in your account by going to Manage > Access (IAM) > Users and clicking the user whose MFA you want to update. If you are a new user, use the ID-based MFA option to ensure that your login is secure. For more information, see Enabling MFA for an individual user.
{: #mfa-none}
All users log in by using only a standard ID and password, which offers the lowest level of security. To increase the level of security for this option, you can disable logging in to the CLI with only a username and password. This way, you require an API key to log in to the CLI, or users can log in with `--sso`.

Starting 3 May 2023, by default CLI logins with only a username and password are disabled for all users that have MFA set to None. This applies to users in new and existing accounts. Administrators can opt out before that date in the {{site.data.keyword.cloud_notm}} console. For more information, see Disabling CLI logins with only a password.
{: important}
{: #mfa-options-ibmid}
Users authenticate by using an IBMid, password, and time-based one-time passcode (TOTP). You can enable this option for all users or only nonfederated users.
{: #mfa-options-all-users}
Users authenticate by using one of the following MFA factors. This option applies to all users, including users who are using an IBMid or an external identity provider (IdP), like AppID.
- Email-based MFA: Users authenticate by using a security passcode, which is sent by email.
- TOTP MFA: Users authenticate by using a TOTP.
- U2F MFA: Users authenticate by using a physical hardware-based security key. Based on the FIDO U2F standard, this factor offers the highest level of security.
{: #account-based}
[Classic infrastructure]{: tag-classic-inf}
An account administrator can enable any of the following legacy MFA options to be configured and used by a user in the account. Account-based MFA options are available only with classic infrastructure accounts and only protect classic infrastructure resources. This type of MFA is tied to the account. If an administrator enables a different legacy MFA option for each account that a user is a member of, the user is prompted to authenticate a different way each time that they switch accounts.
If an account requires any ID-based MFA, that factor overrides any legacy account-based MFA options that are enabled and set up in a user's account. Therefore, even if a user has other MFA options set up, such as the following, the user is not prompted for them at login.
{: note}
Time-based one-time passcode authentication (TOTP)
:   TOTP can be set up by using an authentication app. Before an account owner or administrator can enable this setting for a user on the User details page, the user must set up authentication by going to {{site.data.keyword.avatar}} icon > Profile > Login settings. If this setting is enabled for a user, they are prompted for the passcode during login. Users who have the User-managed login setting turned on from their User details page can turn this MFA setting on and off themselves.

Security questions
:   Users can set up answers to the available security questions by going to {{site.data.keyword.avatar}} icon > Profile > Login settings. The user must set up the security questions and answers before an account owner or administrator can enable this setting on the User details page. Users who have the User-managed login setting turned on from their User details page can turn this MFA setting on and off themselves.

External authentication
:   Symantec is the only external, third-party authentication option that can be ordered for a monthly cost. An account owner or administrator must order this option for a user and enable it from the User details page for that user. For Symantec, the administrator must work with the user to get that user's credential ID to complete the order. Users who have the User-managed login setting turned on from their User details page can turn this MFA setting on and off themselves.

Password expiration
:   The password expiration is set to never by default. When you sign up for an account, you're never required to change your password. When you set a password expiration period, you're notified of your password expiration by email 14 days before, 7 days before, and on the day the password is set to expire. This option is available only to users that log in with a SoftLayer ID. To update your password expiration, you must be an account owner or have the User-managed login setting turned on by your account administrator on your IAM User details page.