Understand multi-factor authentication (MFA) related settings and their impact on user login

Summary

Core MFA settings

We have some excellent production documentation about multi-factor authentication. You can check out exploring the MFA, authentication criteria and other documents.

Once an instance user activates MFA (i.e. successfully sets up multi-factor authentication), the following happens:

- The user's enabled_multifactor_authn field (i.e. Enable Multifactor Authentication) is set to true
- An entry (row) about the user is added to the user_multifactor_auth table which sets the validated field to true

The multi-factor criteria role-based approach also determines how MFA comes into play when a user logs in. Any user who has a role that matches the following role-based setup should ideally go through the MFA setup/validation flow when they subsequently log in again.

In the following section we will analyse how these settings impact the MFA experience.

MFA settings with local login

| enabled_multifactor_auth (sys_user) | Multi-factor criteria role based | validated (user_multifactor_auth) | Observation |
|---|---|---|---|
| true | matching user_role present | true | User goes through MFA validation screen (Fig 1) |
| true | matching user_role absent | true | User goes through MFA validation screen (Fig 1) |
| false | matching user_role present | false or no entry in the table | User goes through MFA setup screen (Fig 2) |
| false | matching user_role absent | false or no entry in the table | User does not go through MFA setup/validation screen. The user is taken directly to the home page |
| true | matching user_role absent | false or no entry in the table | User goes through MFA setup screen (Fig 2) |

[Fig 1: MFA validation screen]

[Fig 2: MFA setup screen]

Known issues related to MFA enabled instances

A source instance with MFA-enabled users could potentially run into MFA validation issues on the cloned instance. To alleviate such issues, it is advisable to disable the enabled_multifactor_auth field in the sys_user table for specific users and then initiate the clone instance process.
Once the clone is complete, you can then enable the enabled_multifactor_auth field in the sys_user table for the same set of specific users and clear their entries from the user_multifactor_auth table or disable their validated field (by setting it to false). When they log in again on the source instance, they will be asked to go through the MFA setup flow. On the cloned instance, they will be asked to go through the MFA setup flow.

You can alternatively reference articles that talk more about excluder/preserver settings (which are out of scope of this article) and the repair of the MFA plugin before initiating a clone of an instance.

MFA settings with SSO login

Once you have enabled MFA following this guide, the following material will walk you through how MFA interplays with an SSO login user.

In the above screenshot, the user fred.luddy has an associated SSO login. The corresponding entry for the user in the user_multifactor_auth table is as follows:

and the user's role is part of the check for MFA:

Once the user authenticates using the external SSO provider, they are redirected back to the instance. Based on the above settings, since the user has the sys_user enabled_multifactor_auth field set to false and the user_multifactor_auth validated field set to false, they will be shown the MFA setup screen (refer to Fig 2 above). The user can then set up their MFA using one of the listed options.

NOTE: If the user's role is not part of the role-based MFA check, then the user will not be presented with the MFA setup/validation screen.
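
The table under "MFA settings with local login" can be turned into an audit that lists accounts which would reach the home page without any MFA screen, or whose flag combination the table does not cover (for example after a clone). This is an added example in plain JavaScript, not code from the platform or from this article; the record shapes, role names and the user.* accounts are constructed assumptions.

```javascript
// Added example: plain JavaScript over constructed records, not ServiceNow platform code.
// Field names follow the article; record shapes, role names and user.* accounts are assumptions.

// Encodes only the five rows of the article's table.
function expectedMfaFlow(enabled, roleMatches, validated) {
  if (enabled && validated) return "validation";                      // rows 1-2 (Fig 1)
  if (!enabled && !validated) return roleMatches ? "setup" : "none";  // rows 3-4
  if (enabled && !roleMatches && !validated) return "setup";          // row 5 (Fig 2)
  return "undocumented"; // combination the table does not list; not inferred here
}

// Joins sys_user-style records with user_multifactor_auth-style rows.
function auditMfa(users, mfaRows, criteriaRoles) {
  // A user with no row in mfaRows is treated as "no entry in the table".
  const validatedByUser = new Map(mfaRows.map(r => [r.user, r.validated === true]));
  return users.map(u => ({
    user: u.user_name,
    flow: expectedMfaFlow(
      u.enabled_multifactor_auth === true,
      u.roles.some(role => criteriaRoles.includes(role)),
      validatedByUser.get(u.user_name) === true
    ),
  }));
}

// Accounts that never see an MFA screen, or whose state the table does not cover.
function needsReview(report) {
  return report.filter(r => r.flow === "none" || r.flow === "undocumented").map(r => r.user);
}

// Constructed sample data.
const criteriaRoles = ["admin", "itil"];
const users = [
  { user_name: "fred.luddy", enabled_multifactor_auth: false, roles: ["itil"] },
  { user_name: "user.a", enabled_multifactor_auth: true, roles: ["admin"] },
  { user_name: "user.b", enabled_multifactor_auth: false, roles: ["report_viewer"] },
  { user_name: "user.c", enabled_multifactor_auth: false, roles: ["itil"] },
  { user_name: "user.d", enabled_multifactor_auth: true, roles: [] },
];
const mfaRows = [
  { user: "fred.luddy", validated: false },
  { user: "user.a", validated: true },
  { user: "user.c", validated: true }, // validated row present while the flag is false
];
const report = auditMfa(users, mfaRows, criteriaRoles);
console.log(report, needsReview(report));
```
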