Relevant for: Enterprise Plan
Set up by: Company Admins
Two-factor authentication (2FA) for organizations
2FA adds a second proof of identity on top of a username and password. Enterprise Company Admins can require it for everyone who accesses the organization's Miro subscription with an email address and password (or with a magic link sent by email). In organizations that use SSO, members already sign in through the identity provider, so the enforcement mainly reaches external collaborators who sign in with a password; in organizations without SSO it applies to all users.
2FA will soon be available for local/private workspaces, including those requiring US data residency. Security for external collaborators is also enhanced, as 2FA is supported for users outside of the organization's domains.
Setting up enforced 2FA for your organization
✏️ Before activating two-factor authentication (2FA), it's important to inform all impacted users, including both members within your organization and external collaborators. To ensure a smooth transition, we suggest sharing our 2FA user guide to assist them through this process.
How to enable 2FA for your users
- Go to Company settings > Security & Compliance > Authentication
- Toggle on Enforce 2FA for non-SSO users
Enforcing 2FA authentication for non-SSO users
Trusting 2FA devices
If enabled, users who complete 2FA are shown a checkbox that lets them skip the second factor on that device for the next X days, where X is the window set by the administrator. Devices can be trusted for 7 to 90 days.
⚠️ If trusting 2FA devices is disabled, users must enter a 2FA code on every sign-in, which slows down the sign-in experience.
2FA is required again once the trusted period expires.
Trust is tied to the browser, so 2FA is not skipped when users sign in from a new device or browser, or after they clear their browser cookies. Choose the shortest window your users will tolerate: a trusted browser is only as safe as the device it runs on.
Impact on user experience
- Non-SSO users are prompted to set up their second factor at their next login. Existing sessions are not logged out.
- Users configure 2FA with a time-based one-time password (TOTP) application on their mobile device, such as Microsoft Authenticator, Google Authenticator, or Authy.
- Users get 3 attempts to enter a valid TOTP code. Once that limit is exceeded, they must start the authentication process again.
- 2FA login works in the mobile and tablet apps, but the initial registration is supported only in the browser and desktop applications.
Important to know
Enforcement of 2FA applies only to users who authenticate with their email and password or via magic links (sent by email).
- If an external collaborator to your Enterprise organization already authenticates with SSO from their home organization, they keep accessing all teams and boards in Miro through that SSO.
- Users who authenticate through a third-party login integration (e.g., Google, Microsoft, Slack) keep access to all Miro teams and boards through that login method, and Miro's authentication flow will not prompt them to set up a second factor. If you need a second factor for these users, enforce it in the login provider's own admin settings; Miro's 2FA toggle does not cover them.
Audit logs
Administrators can track which users have set up 2FA, and 2FA login successes and failures, with the following audit log events:
- `mfa_setup_succeeded` - emitted when a user successfully sets up their second factor
- `sign_in_succeeded` - now carries an MfaFactorType attribute when the login was completed with 2FA
- `sign_in_failed` - now carries an MfaFactorType attribute when a 2FA login failed because the user exceeded the maximum number of attempts (a non-technical failure)
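The following script is an added example of what an administrator can do with those events once exported; it is not Miro's own tooling. Only the three event names and the MfaFactorType attribute come from the article. The JSON-lines layout, the field names (`createdAt`, `event`, `user`, `details`) and the sample records are constructed assumptions, so adapt `load_events` to the shape of your real export. It reports who has enrolled, which successful sign-ins carried no second factor, and which users have repeatedly hit the attempt limit.

```python
"""Triage Miro 2FA audit-log events (added example, not Miro's own code).

Assumed export shape: one JSON object per line with createdAt, event, user
and a details object. Event names and the MfaFactorType attribute are from
the article; everything else here is an assumption.
"""
import json
from collections import Counter

# Constructed sample export (assumed shape) for an offline run.
SAMPLE_EVENTS = """\
{"createdAt": "2024-05-01T08:00:00Z", "event": "mfa_setup_succeeded", "user": "alice@example.com", "details": {}}
{"createdAt": "2024-05-01T08:01:00Z", "event": "sign_in_succeeded", "user": "alice@example.com", "details": {"MfaFactorType": "TOTP"}}
{"createdAt": "2024-05-01T09:00:00Z", "event": "sign_in_succeeded", "user": "bob@example.com", "details": {}}
{"createdAt": "2024-05-01T09:30:00Z", "event": "sign_in_failed", "user": "carol@partner.example", "details": {"MfaFactorType": "TOTP"}}
{"createdAt": "2024-05-01T09:31:00Z", "event": "sign_in_failed", "user": "carol@partner.example", "details": {"MfaFactorType": "TOTP"}}
{"createdAt": "2024-05-01T09:32:00Z", "event": "sign_in_failed", "user": "carol@partner.example", "details": {"MfaFactorType": "TOTP"}}
{"createdAt": "2024-05-01T10:00:00Z", "event": "sign_in_succeeded", "user": "carol@partner.example", "details": {"MfaFactorType": "TOTP"}}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(events):
    """Summarise 2FA posture from audit events.

    enrolled      - users with at least one mfa_setup_succeeded
    no_mfa_logins - users whose sign_in_succeeded carried no MfaFactorType.
                    SSO and third-party logins never carry it, so this set is
                    only a "not yet enrolled" list for password/magic-link users;
                    filter on sign-in method if your export records one.
    mfa_failures  - per-user count of sign_in_failed events with MfaFactorType.
                    Per the article each such event means the user ran out of
                    attempts, so even two of them is worth a look.
    """
    enrolled = set()
    no_mfa_logins = set()
    mfa_failures = Counter()
    for ev in events:
        name = ev.get("event")
        user = ev.get("user")
        factor = (ev.get("details") or {}).get("MfaFactorType")
        if name == "mfa_setup_succeeded":
            enrolled.add(user)
        elif name == "sign_in_succeeded" and not factor:
            no_mfa_logins.add(user)
        elif name == "sign_in_failed" and factor:
            mfa_failures[user] += 1
    return {
        "enrolled": enrolled,
        "no_mfa_logins": no_mfa_logins,
        "mfa_failures": mfa_failures,
    }


def flag_repeated_failures(summary, threshold=2):
    """Users who exhausted their 2FA attempts at least `threshold` times.

    Follow up with them: a lost authenticator is the benign explanation, and
    someone else holding their password is the one you want to rule out.
    """
    return sorted(u for u, n in summary["mfa_failures"].items() if n >= threshold)


if __name__ == "__main__":
    summary = triage(load_events(SAMPLE_EVENTS))
    print("enrolled:", sorted(summary["enrolled"]))
    print("successful logins without a second factor:", sorted(summary["no_mfa_logins"]))
    print("repeated 2FA attempt exhaustion:", flag_repeated_failures(summary))
```

Run it against an export instead of `SAMPLE_EVENTS` by reading the file into `load_events`. Users listed under "successful logins without a second factor" who are not SSO or third-party-login users are the ones still to chase after you flip the toggle, since the prompt to enrol only appears at their next login.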