About Multi-Factor Authentication
Multi-factor authentication (MFA) provides an additional layer of verification for Anypoint Platform users. By default, MFA is required for all user accounts except accounts that use single sign-on (SSO). However, as an organization administrator, you can exempt specific user accounts from the multi-factor authentication requirement in order to allow existing integrations to continue operating without interruption. SSO users should configure multi-factor authentication through their identity provider.
Users must verify their Anypoint Platform credentials using at least one of four verification methods:
- Third-party TOTP authenticator apps
- Built-in authenticator
- Security key
- Salesforce Authenticator
Multi-factor Authentication Requirements for Salesforce and MuleSoft Products
- Beginning February 1, 2022, MFA must be enabled for all of your Salesforce users. To learn more about this requirement, see the Salesforce Multi-Factor Authentication FAQ.
- Beginning October 29, 2022, all non-SSO accounts that do not have MFA configured or are not on your organization’s exemption list are prompted to configure MFA when they log in to Anypoint Platform.
Multi-Factor Authentication Verification Methods
You can configure at least one of the following verification methods to comply with multi-factor authentication requirements:
- Third-party TOTP authenticator app
  Registers an authenticator app to create verification codes that you provide when logging in to Anypoint Platform.
- Built-in authenticator
  Registers a physical authentication device, such as Touch ID or Windows Hello, to verify your identity when logging in to Anypoint Platform.
- Security key
  Registers a USB security key, such as Yubico YubiKey or Google Titan Security Key, to your account. The device is then authorized to create verification codes that you provide when logging in to Anypoint Platform.
- Salesforce Authenticator
  Registers the Salesforce Authenticator mobile app to create verification codes that you provide when logging in to Anypoint Platform.
Exempt Users from Multi-factor Authentication
To prevent service disruptions, identify any accounts (service accounts) that are used to programmatically call Anypoint Platform. However, it is best to use the Connected Apps feature to authorize apps to make programmatic calls to Anypoint Platform instead of using service accounts. Using the Connected Apps feature provides more security and control than using user accounts.
To exempt individual accounts from multi-factor authentication:
- Log in to Anypoint Platform using an account that has the Organization Administrator permission.
- In the navigation bar or the main Anypoint Platform page, click Access Management.
- In the Business Groups menu, select your root organization.
- In the Access Management navigation menu, click Identity Providers.
- Click the name of the identity provider (or IdP) for which you want to manage multi-factor authentication.
- In the Exempt Accounts section, add the accounts that you want to exempt.
  Only users who do not use single sign-on (SSO) appear in this list.
- Click Save.
The exempt user accounts appear in the Exempt Accounts section.
You can later remove user accounts from the Exempt Accounts list by clicking X next to their account names.
Manage Multi-Factor Authentication for Your Account
You can modify the verification methods that you use to log in. You must register at least one method to use MFA.
To modify verification methods in your account:
- Log in to Anypoint Platform.
- In the Anypoint Platform navigation bar, click the circle icon that contains the initials associated with your Anypoint Platform account.
- In the drop-down, click Profile.
- Click Configure multi-factor authentication (MFA).
  The Manage Your Verification Methods interface appears.
- If you want to register an additional verification method:
  - Next to the verification method you want to configure, click Add.
  - Follow the instructions to configure your preferred verification method.
  - Click Done.
- If you want to modify the name of an existing verification method:
  - Click the pencil icon next to the verification method that you want to rename.
  - Enter a new name for your verification method.
  - Click the checkmark.
  - Click Done.
- If you want to remove a verification method:
  - Next to the verification method you want to remove, click the bin icon.
  - Click Yes.
  - Click Done.
  If you have removed all verification methods, you must configure at least one verification method before you save your changes.
- Click Save.
Reset Multi-Factor Authentication for Individual Users
You can reset multi-factor authentication for individual users if a device is compromised or lost. If you are the only organization member with Organization Administrator permission and have lost access to your verification methods, contact customer support.
To reset multi-factor authentication for an individual user:
- Log in to Anypoint Platform using an account that has the Organization Administrator permission.
- In the navigation bar or the main Anypoint Platform page, click Access Management.
- In the Business Groups menu, select your root organization.
- In the Access Management navigation menu, click Users.
- Click the user whose multi-factor authentication configuration you want to reset.
- Click Reset multi-factor authentication.
- Click Confirm reset MFA.
Next time the user logs in to Anypoint Platform, they are prompted to configure a new verification method.