Multi-factor authentication (MFA) implementation

Summary

Beginning with the Yokohama release, multi-factor authentication (MFA) is enabled and required by default. This reflects our commitment to safeguard customer data and to align with industry standards and best practices.

- Existing customers: A default MFA policy is automatically enabled if the instance doesn’t already have an active adaptive authentication – MFA context policy.
- New customers: Instances newly provisioned with Yokohama or later are automatically enabled with MFA.
- Internal non-SSO users (using local and LDAP authentication): Must enroll in MFA. This change does not apply to users with the snc_external role.

MFA is applied to:

- New instances (zBoot)
- Instances upgraded to Yokohama or later
- Production, non-production, development, and test instances
- Instances using local and LDAP authentication (username and password)
- Web and mobile applications

MFA is not applied to:

- Single sign-on (SSO) like SAML, OIDC (OpenID Connect), or certificate-based authentication
- Integrations and API sign-ins
- Clone setup process
- Update set retrieval
- Instances with an active adaptive authentication – MFA context policy

In this article

- Enrollment timeline
- Enrollment notifications
- Admin customization options
- MFA exemption
- Reset MFA for a user

Enrollment timeline

The following criteria apply to internal users who sign in with local or LDAP authentication and who do not have the snc_external role.

On a newly provisioned instance of Yokohama or later, new users:

- must enroll the first time they sign in

Within 90 days of upgrading to Yokohama, existing users:

- see an enrollment notification reminder
- must enroll within 30 days of first successful sign-in
- during the 30-day period, they can sign in with user name and password

After 90 days of upgrading to Yokohama, existing users:

- must enroll in MFA immediately
- do not have the 30-day self-enrollment window

Note: For admins, see Admin customization options.

Enrollment notifications

An enrollment notification at the top of the screen informs users of the MFA requirement and continues to display until MFA setup for that user is complete.

Note: Enrollment notifications are not displayed for non-admin SSO users.

Example enrollment notifications for users

- From the main UI page:
- From a user’s profile:

Example enrollment notifications for admins

The following enrollment notification is displayed for all admins, regardless of sign-in method. It continues to be displayed until acknowledged.

To acknowledge the update:

- In the upper-right corner of the screen, select the Acknowledge link.
- Set the following Value field to true: glide.authenticate.multifactor.enforcement.acknowledged

Admin customization options

Self-enrollment window

The default 30-day self-enrollment timeline is controlled using the system property:

glide.authenticate.multifactor.self_enrolment_period

- Minimum setting is 0. Users must complete the MFA setup the first time they sign in.
- Maximum setting is 90 days.

Post-upgrade enforcement window

The default 90-day post-upgrade timeline (for users who do not sign in within the first 90 days of upgrade) is controlled using the system property:

glide.authenticate.multifactor.enforcement.max_relaxation_period

By updating this value, admins can decide for how many days after the upgrade to Yokohama or a later release the MFA self-enrollment window displays for a user. This can be extended to up to 270 days.

Enrollment notifications

Admins can change the following notification properties:

- To turn off user notifications, set the following system property to false: glide.authenticate.multifactor.enforcement.show_user_info_message
- To turn off admin notifications, set the following system property to true: glide.authenticate.multifactor.enforcement.acknowledged

MFA exemption

As part of the Yokohama release, a new user group, MFA Exempted User Group, has been created. Users added to this group will not have MFA enforced. For details on how to add a user to this group, refer to Section 5 of this FAQ Article.

Reset MFA for a user

A system administrator can reset the MFA for a user by following these steps.

Step 1: Clear the Authenticator app setup.

- Go to Multi-factor Authentication > User Multi-factor Setup
- Search for the user in the table.
- Delete the associated user record.

Step 2: Clear the FIDO2 authenticators and passkeys.

- Go to Multi-factor Authentication > Web Authentication > User Public Credentials
- Search for the user in the table.
- Delete the associated user records.

Step 3: Clear other multi-factor setups related to the user.

- Go to Multi-factor Authentication > User Recent Used Factors
- Search for the user in the table.
- Delete the associated user records.

Release

Yokohama or a later release

Related Links

- MFA (multi-factor authentication) context
- Multi-factor authentication (MFA) enforcement FAQ
- Adaptive authentication-MFA context policy
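
The enrollment timeline and the two admin-tunable windows described in this article, modelled in JavaScript as an added example (not ServiceNow code and not part of the original article). The `user` and `instance` fields, the state names and the sample dates are assumptions made for illustration, and "first successful sign-in" is taken to mean the first sign-in after the upgrade.

```javascript
// Added illustration: a model of the enrollment timeline in this article.
// Not ServiceNow code; every field on `user` and `instance` is hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

// Bounds from the article: self-enrollment 0-90 days, relaxation up to 270.
// Assumption: both values are whole, non-negative numbers of days.
function validateWindows({ selfEnrollDays = 30, relaxationDays = 90 } = {}) {
  const ok = (v, max) => Number.isInteger(v) && v >= 0 && v <= max;
  if (!ok(selfEnrollDays, 90)) throw new RangeError('self-enrollment: 0-90 days');
  if (!ok(relaxationDays, 270)) throw new RangeError('relaxation: 0-270 days');
  return { selfEnrollDays, relaxationDays };
}

function mfaStatus(user, instance, now, windows) {
  const { selfEnrollDays, relaxationDays } = validateWindows(windows);
  // SSO sign-ins are out of scope; snc_external and the exempt group are skipped.
  if (user.authMethod === 'sso') return { state: 'not-applicable' };
  if ((user.roles || []).includes('snc_external') || user.inMfaExemptGroup)
    return { state: 'exempt' };
  if (user.mfaEnrolled) return { state: 'enrolled' };
  // Newly provisioned instance: enrollment is required at first sign-in.
  if (instance.newlyProvisioned) return { state: 'enforced' };

  const relaxEnd = instance.upgradedAt.getTime() + relaxationDays * DAY_MS;
  const first = user.firstSignInAfterUpgrade; // Date, or null if none yet
  if (!first) {
    // No sign-in yet: the grace window is on offer only until relaxEnd.
    return { state: now.getTime() <= relaxEnd ? 'awaiting-first-sign-in' : 'enforced' };
  }
  if (first.getTime() > relaxEnd) return { state: 'enforced' };
  const deadline = new Date(first.getTime() + selfEnrollDays * DAY_MS);
  return { state: now < deadline ? 'grace' : 'enforced', deadline };
}

// Constructed sample: instance upgraded 2025-03-01, default 30/90-day windows.
const instance = { newlyProvisioned: false, upgradedAt: new Date('2025-03-01T00:00:00Z') };
const day = (s) => new Date(s + 'T00:00:00Z');
const users = [
  { name: 'early', authMethod: 'local', firstSignInAfterUpgrade: day('2025-03-10') },
  { name: 'late', authMethod: 'ldap', firstSignInAfterUpgrade: day('2025-05-29') },
  { name: 'dormant', authMethod: 'local', firstSignInAfterUpgrade: null },
  { name: 'partner', authMethod: 'local', roles: ['snc_external'] },
];
function report(now, windows) {
  return users.map((u) => ({ name: u.name, ...mfaStatus(u, instance, now, windows) }));
}
console.log(report(day('2025-06-10')));
```

Running the same report with `{ relaxationDays: 270 }` shows how extending the post-upgrade window keeps dormant accounts eligible for the self-enrollment period instead of forcing enrollment at their next sign-in.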