IBM Cloud multifactor authentication

Multifactor authentication (MFA) adds a layer of security to your account by requiring all users to authenticate by using another authentication factor beyond an ID and password. MFA is also commonly known as two-factor authentication (2FA).

IBM Cloud MFA is associated with each user's ID and authenticates the user across all accounts of which they are a member, so they authenticate only once.

IBM Cloud MFA applies to all resources in any type of account. When MFA is enabled, a user is prompted to provide a unique identifier (such as a username or email) and a one-time password (OTP) generated by an authenticator app or a hardware token. After the correct OTP is entered, access is granted to the requested resource. This type of MFA is much more secure than account-based MFA because it is not limited to classic infrastructure resources and applies to all resources within the account. It also reduces the risk of a breach because of a weak password or the use of the same password across multiple accounts.

Setting up MFA in IAM

To enhance account security, IAM enforces multifactor authentication (MFA) requirements that users must configure and maintain. When MFA is required, users are guided through setting up verification and authentication methods that meet defined security levels, which ensures both flexibility and strong identity protection.

Users can manage their MFA and verification methods on the Verification methods and authentication factors page. To access this page and make changes, users must authenticate by using two configured verification methods.

To set up MFA in IAM, users must complete the following steps:

  1. Set up at least two verification methods. Verification methods (such as email, text message, or phone call) are required to access and manage MFA settings through the Verification methods and authentication factors page.

  2. Set up one MFA method that meets the required security level:

    • Level 1: Email-based MFA
    • Level 2: Time-based one-time password (TOTP)
    • Level 3: Security key (U2F)

    Users can always authenticate by using a higher-level MFA method, as higher levels provide stronger security.

Email, text message, and voice call verification methods use IBM Security Verify. Any limitations or restrictions that are defined by IBM Security Verify apply when you are using these verification methods. SMS and voice verification methods are available only in supported countries. For the list of supported countries, see Supported countries for SMS and voice.

MFA options

As an administrator on the IAM Identity Service or All IAM Account Management services, you can enable MFA for the account or a specific user, and it applies to all account resources.

  • You can update the MFA setting for your account by going to Manage > Access (IAM) > Settings > Authentication in the IBM Cloud® console. For more information, see Enabling MFA for an account.
  • You can update the MFA setting for a specific user in your account by going to Manage > Access (IAM) > Users and clicking the user whose MFA you want to update. If you are a new user, use the ID-based MFA option to ensure that your login is secure. For more information, see Enabling MFA for an individual user.

MFA for users with an IBMid

Users authenticate by using an IBMid, password, and time-based one-time passcode (TOTP). You can enable this option for all users or only nonfederated users.

MFA for all users (IBMid and supported IdPs)

Users authenticate by using one of the following MFA factors. This option applies to all users, including users who are using an IBMid or an external identity provider (IdP), like App ID.

  • Email-based MFA: Users authenticate by using a security passcode, which is sent by email.
  • TOTP MFA: Users authenticate by using a TOTP.
  • U2F MFA: Users authenticate by using a physical hardware-based security key. Based on the FIDO U2F standard, this factor offers the highest level of security.

None

All users log in by using only a standard ID and password, which offers the lowest level of security. To increase the level of security for this option, you can disable logging in to the CLI with only a username and password. This way, you require an API key to log in to the CLI or users can log in with --sso.

Starting 3 May 2023, by default CLI logins with only a username and password are disabled for all users that have MFA set to None. This applies to users in new and existing accounts. Administrators can opt out before that date in the IBM Cloud console. For more information, see Disabling CLI logins with only a password.

The following table lists the authentication rules that can be set at the account level (IAM > Settings > Authentication), with the API constant for each rule and the label shown in the console:

Authentication rules set at an account level

API Constant | Labels used (Account default)                                  | Labels used (This user)
-------------+----------------------------------------------------------------+----------------------------------------------------------------
Nil          |                                                                | Account default
NONE         | None                                                           | None
NONE_NORPC   | None - No CLI                                                  | None - No CLI
TOTP4ALL     | MFA for a user with an IBMid - Either                          | MFA for a user with an IBMid - Either
TOTP         | MFA for a user with an IBMid - Nonfederated user               | MFA for a user with an IBMid - Nonfederated user
LEVEL1       | MFA for a user with or without an IBMid - Email-based MFA      | MFA for a user with or without an IBMid - Email-based MFA
LEVEL2       | MFA for a user with or without an IBMid - TOTP MFA             | MFA for a user with or without an IBMid - TOTP MFA
LEVEL3       | MFA for a user with or without an IBMid - U2F MFA              | MFA for a user with or without an IBMid - U2F MFA

The following table lists the authentication rules that can be set per user (IAM > Users > Details):

Authentication rules set per user

API Constant | MFA                             | User specific MFA
-------------+---------------------------------+----------------------------------------------
Nil          | Nil                             |
NONE         | No MFA                          | None
NONE_NORPC   | No MFA, disabled CLI logins     | No CLI
TOTP4ALL     | MFA for all users               | MFA for all users with an IBMid (All)
TOTP         | MFA for a user with an IBMid    | MFA for users with an IBMid (Nonfederated users)
LEVEL1       | Email-based MFA                 | Email-based MFA
LEVEL2       | TOTP MFA                        | TOTP MFA
LEVEL3       | U2F MFA                         | U2F MFA

The following table lists the authentication rules that can be defined in IAM templates (IAM > Enterprise > Templates > IAM settings):

Authentication rules defined in IAM templates

API Constant | Overview                                                       | Authentication
-------------+----------------------------------------------------------------+-------------------------------
Nil          | Nil                                                            |
NONE         |                                                                | No MFA
NONE_NORPC   | None - No CLI                                                  | No MFA, disabled CLI logins
TOTP4ALL     | MFA for a user with an IBMid - Either                          | MFA for all users
TOTP         | MFA for a user with an IBMid - Nonfederated user               | MFA for a user with an IBMid
LEVEL1       | MFA for a user with or without an IBMid - Email-based MFA      | Email-based MFA
LEVEL2       | MFA for a user with or without an IBMid - TOTP MFA             | TOTP MFA
LEVEL3       | MFA for a user with or without an IBMid - U2F MFA              | U2F MFA
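The following is an added example, not IBM's code, that models how the API constants in the tables above, the per-user override of the account default, and the rule that a higher-level factor always satisfies a lower requirement combine into a single allow/deny decision. It assumes that a per-user value of Nil inherits the account setting (the "Account default" label), that the TOTP constant places no IBM Cloud MFA requirement on federated users, and that NONE_NORPC only blocks CLI logins that present a username and password alone.

```python
from enum import IntEnum


class Factor(IntEnum):
    """Authentication factor a user presents, ordered by the page's security levels."""
    PASSWORD = 0   # ID and password only ("None")
    EMAIL_OTP = 1  # Level 1: email-based MFA
    TOTP = 2       # Level 2: time-based one-time password
    U2F = 3        # Level 3: FIDO U2F security key


# Minimum factor required by each API constant listed in the tables.
REQUIRED_LEVEL = {
    "NONE": Factor.PASSWORD,
    "NONE_NORPC": Factor.PASSWORD,
    "TOTP": Factor.TOTP,       # IBMid users, nonfederated only
    "TOTP4ALL": Factor.TOTP,   # IBMid users, federated or not
    "LEVEL1": Factor.EMAIL_OTP,
    "LEVEL2": Factor.TOTP,
    "LEVEL3": Factor.U2F,
}


def effective_setting(account_setting: str, user_setting: str = "Nil") -> str:
    """A user-specific rule overrides the account default; Nil means inherit (assumption)."""
    return account_setting if user_setting == "Nil" else user_setting


def required_factor(setting: str, federated: bool) -> Factor:
    """Translate a constant into the weakest factor that satisfies it for this user."""
    if setting == "TOTP" and federated:
        # TOTP applies only to nonfederated IBMid users; federated users are not
        # asked for an IBM Cloud factor under this constant (assumption from the page).
        return Factor.PASSWORD
    return REQUIRED_LEVEL[setting]


def login_allowed(account_setting: str, user_setting: str, federated: bool,
                  presented: Factor, cli_password_only: bool = False) -> bool:
    """Decide whether a login attempt satisfies the effective MFA rule."""
    setting = effective_setting(account_setting, user_setting)
    if cli_password_only and setting == "NONE_NORPC":
        # CLI logins with only a username and password are disabled; an API key
        # or --sso is required instead.
        return False
    # A higher-level method always satisfies a lower-level requirement.
    return presented >= required_factor(setting, federated)
```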