About Multi-Factor Authentication

Multi-factor authentication (MFA) provides an additional layer of verification for Anypoint Platform users. MuleSoft requires MFA when users access Anypoint Platform, either directly with their Anypoint credentials or via single sign-on (SSO). MFA is enabled for direct signins and can’t be turned off at the organization level. However, a few service account types don’t require MFA. An organization administrator should waive MFA for these accounts so that existing integrations can continue without interruption. For SSO users, set up MFA through the identity provider.

When a user signs in with their Anypoint credentials, they must enter their password and then verify their identity with one of these verification methods:

Third-party TOTP authenticator apps
Built-in authenticator
Security key
Salesforce Authenticator

Multi-Factor Authentication Requirements for Salesforce and MuleSoft Products

Effective February 1, 2022, MFA must be enabled for all of your Anypoint Platform users. To learn more about this contractual requirement, see the Salesforce Multi-Factor Authentication FAQ
As of October 29, 2022, all non-SSO accounts that do not have MFA configured are prompted to register for an MFA verification method and use it to sign in to Anypoint Platform.

Multi-Factor Authentication Verification Methods

You can configure at least one of the following verification methods to comply with multi-factor authentication requirements:

Third-party TOTP authenticator app: Registers an authenticator app to create verification codes that you provide when you sign in to Anypoint Platform.
Built-in authenticator: Registers a physical authentication device, such as Touch ID or Windows Hello, to verify your identity when you sign in to Anypoint Platform.
Security key: Registers a security key, such as Yubico YubiKey or Google Titan Security Key, to your account. Connect the security key to your computer to verify your identity when you sign in to Anypoint Platform.
Salesforce Authenticator: Registers the Salesforce Authenticator mobile app to send you push notifications verifying your identity when you sign in to Anypoint Platform.

Exclude Exempt Accounts from Multi-Factor Authentication

These types of service accounts are exempt from the requirement to use MFA:

Test automation tools, such as Selenium, Cucumber, or Appium
Robotic Process Automation (RPA) systems, such as Automation Anywhere

MuleSoft requires customers to use internal connected apps instead of service accounts that make programmatic calls to Anypoint Platform. Connected apps provide more security and control than service accounts. If you’re having trouble switching to connected apps, reach out to Mulesoft for help. In the meantime, if you’re in this situation, you can temporarily waive MFA for your existing service accounts until they’re transitioned to connected apps.

To prevent service disruptions, waive MFA for valid MFA-exempt accounts in your organization. Note that after August 1, 2023, waiving MFA for user accounts isn’t permitted.

Sign in to Anypoint Platform using an account that has the Organization Administrator permission.
In the navigation bar or the main Anypoint Platform page, click Access Management.
In the Business Groups menu, select your root organization.
In the Access Management navigation menu, click Identity Providers.
Click your Anypoint identity provider.
In the Exempt Accounts section, add the accounts that are valid to exclude from MFA.
Only accounts that do not use single sign-on (SSO) appear in this list.
Click Save.
The exempt accounts appear in the Exempt Accounts section.

You can later remove user accounts from the Exempt Accounts list by clicking X next to their account names.

Manage Multi-Factor Authentication for Your Account

You can modify the verification methods that you use to sign in. You must register at least one method to use MFA.

To modify verification methods in your account:

Sign in to Anypoint Platform.
In the Anypoint Platform navigation bar, click the circle icon that contains the initials associated with your Anypoint Platform account.
In the drop-down, click Profile.
Click Configure multi-factor authentication (MFA).
The Manage Your Verification Methods interface appears.
If you want to register an additional verification method:
1. Next to the verification method you want to configure, click Add.
2. Follow the instructions to configure your preferred verification method.
3. Click Done.
If you want to modify the name of an existing verification method:
1. Click the pencil icon next to the verification method that you want to rename.
2. Enter a new name for your verification method.
3. Click the checkmark.
4. Click Done.
If you want to remove a verification method:
1. Next to the verification method you want to remove, click the bin icon.
2. Click Yes
3. Click Done.
  
  If you have removed all verification methods, you must configure at least one verification method before you save your changes.
Click Save.

Reset Multi-Factor Authentication for Individual Users

You can reset multi-factor authentication for individual users if a device is compromised or lost. If you are the only organization member with Organization Administrator permission and have lost access to your verification methods, contact customer support.

To reset multi-factor authentication for an individual user:

Sign in to Anypoint Platform using an account that has the Organization Administrator permission.
In the navigation bar or the main Anypoint Platform page, click Access Management.
In the Business Groups menu, select your root organization.
In the Access Management navigation menu, click Users.
Click the user whose multi-factor authentication configuration you want to reset.
Click Reset multi-factor authentication.
Click Confirm reset MFA.
Next time the user signs in to Anypoint Platform, they are prompted to configure a new verification method.