Relevant for: Enterprise plans
Set up by: Company Admins
Two-factor authentication (2FA) for organizations
2FA is an extra layer of protection used to ensure the security of online profiles beyond just a username and password. With 2FA, Enterprise Company admins can require users to provide an extra identity proofing layer when accessing their organization's Miro subscription. This applies to any users logging in with their email and password (external collaborators for companies with SSO or all users for organizations who do not have SSO configured).
Setting up enforced 2FA for your organization
✏️ Before you enable two-factor authentication, we recommend notifying the affected users, such as internal organization members and external collaborators, and sharing our 2FA end user guide.
How to enable 2FA for your users
- Go to Company settings > Security & Compliance > Authentication
- Toggle on Enforce 2FA for non-SSO usersEnforcing 2FA authentication for non-SSO users
Impact on user experience
- Non-SSO users will be prompted to set up their second factor upon their next login. They will not be logged out from any active sessions.
- Users need to configure 2FA using their mobile device and any time-based one-time password (TOTP) application such as Microsoft Authenticator, Google Authenticator, Authy, etc.
- Users authenticating with 2FA will have a maximum of 3 attempts to enter a valid TOTP code. If they exceed the third attempt, they must restart the authentication process.
- Note: 2FA login is possible on the mobile and tablet apps but registration is supported only on the browser and desktop applications.
Important to know
Enforcement of 2FA only applies to users authenticating with their email and password
- If an external collaborator to your Enterprise organization is already authenticating using SSO from their home organization, they will continue to access all the teams and boards in Miro using SSO
- If a user authenticates using a third-party login integration (i.e. Google, Microsoft, Slack), they will continue to access all the teams and boards in Miro using that login integration. Admins can encourage those users to set up a second factor in that method, but those users will not be prompted to set up a second factor in Miro’s authentication flow.
Administrators can track users who have set up 2FA, along with 2FA login successes and failures with the following audit log events:
- `mfa_setup_succeeded` - if a user has successfully set up their second factor
- Update to `sign_in_succeeded` event to include MfaFactorType attribute if a successful login is completed with 2FA
- Update to `sign_in_failed` event to include MfaFactorType attribute if a login with 2FA was unsuccessful due to the user exceeding the maximum number of attempts (non-technical failure)