How to enable Multi-factor authentication (MFA) in IBM Cloud

Jose Guerra M
6 min read · Feb 12, 2024


In this post you will learn how to enable multi-factor authentication in your IBM Cloud account to strengthen the security of your cloud environment.

IBM Cloud MFA pipeline (figure)

1. What is an IBMid

An IBMid is the single sign-on identity with which users authenticate to IBM products such as IBM Cloud, IBM Watson Studio and others.

2. What is multi-factor authentication

Multi-factor authentication (MFA) is a mechanism that requires users to present an additional authentication factor besides their email address and password.

IBM Cloud authenticates a user's IBMid once per login, and that single session grants access to every account of which the user is a member.
When MFA is enabled, the user must additionally supply a one-time password (OTP) generated by an authenticator application or a physical security key before access is granted.

3. Previous considerations

  • Enabling MFA for all users affects every member of the account. Users who are members of several IBM Cloud accounts are required to use MFA at their next login to all of those accounts.
  • API keys for users and service IDs continue to work after MFA is enabled.
  • MFA applies only to interactive user login, not to API calls: a user or service ID with permission to call the API against one or more accounts can do so without ever completing MFA. Treat API keys as MFA-exempt credentials and restrict who can create them.
  • Before enabling MFA, plan the rollout with the team that uses the account so that their existing workflows are not disrupted.

4. Planning to enable MFA

  • Choose a date and time for enabling MFA that has the least impact on your business.
  • Notify account users before and after enabling MFA, and include instructions on how to set up their factors.

5. MFA enabling

Enabling MFA for the account

Step 1: In the IBM Cloud console, go to Manage → Access (IAM) → Settings.

IBM Cloud console view

Step 2: Select Authentication.

IBM Cloud console view

Step 3: Select the MFA type you want to enable on your account.

IBM Cloud MFA types:

  • MFA for users with IBMid: users authenticate with an IBMid, a password and a unique time-based one-time passcode (TOTP).
  • MFA for all users (with or without an IBMid): users authenticate with an emailed one-time code, a TOTP or a U2F security key.

Note: You can raise the security level further by disabling CLI login with only a username and password. Users then log in to the CLI with an API key (ibmcloud login --apikey) or through single sign-on (ibmcloud login --sso), which walks them through the browser login including MFA.

Enabling MFA for an individual user

Step 1: In the IBM Cloud console, go to Manage → Access (IAM) → Users and select the user whose MFA you want to update.

Step 2: Go to the MFA section and click the Edit icon.

Step 3: Select the type of MFA you want to enable (they are the same as mentioned above) and click Save.

6. Verification and authentication factors management

The first time users log in to each account after enabling MFA, they must set up their verification and authentication factors.

A verification method proves who you are when you manage your security settings; an authentication factor is what you present, in addition to your password, to log in to your account.
You can add or remove verification methods and authentication factors at any time, for example when an email address or phone number you use for them changes or becomes inaccessible.

Step 1: Log in to the Verification methods and authentication factors page.
Step 2: Select the Start button.

Step 3: Validate your identity with two different verification methods. You must verify your identity every time you access the Verification methods and authentication factors page.

A security code is sent by email, or by SMS to the phone number registered in your IBMid.

Step 4: Upon receiving the code, enter the value sent and press Verify.

Step 5: Repeat the process with the second verification method.

If you used email for the first one, only SMS remains for the second, and vice versa.

You can add and remove verification methods that identify you as a user in the account. Be sure to add backup verification methods in case one of them is inaccessible. Verification methods are used each time you access the Verification Methods and Authentication Factors page. If a verification method is not being used, remove it.

If one or more verification methods are inaccessible and you cannot verify your identity, you can open a support case to restore these methods.

7. Adding a per-user verification method

Verification methods validate your identity; make sure you have at least two of them registered.

Step 1: On the Verification methods and authentication factors page, click Manage verification methods.

Step 2: To add a new verification method click Add.

Step 3: Select the type of verification method, give it a name, enter the new phone number or email address and press Send OTP. After entering the code you receive, click Complete.

The phone option can be set up for SMS or for a voice call.

To delete a verification method, select the method and press Delete, then Yes to confirm.

8. Adding a per-user authentication method

If an account administrator enables MFA on at least one account of which you are a member, you must present an authentication factor in addition to your username and password every time you log in to IBM Cloud.

Factors are something you have, such as a U2F security key or an authenticator application that generates time-based one-time passcodes (TOTP), or something you receive, such as an OTP sent by email. Register at least one backup factor so that you do not lose access to IBM Cloud if one of them becomes unavailable.

Step 1: On the main page, select Show authentication factors, then click Add.

Step 2: Select an authentication factor type and specify a name:

Authentication factor types:

  • U2F: registration of a physical security key. Insert the key and press Register key.
  • TOTP: registration of a time-based code generated by an authenticator application. Scan the QR code and enter the code the application generates.
  • OTP via email: registration of a one-time code delivered by email. Specify the email address at which you want to receive the OTPs.

Note: Remove an authentication factor if you no longer have access to it to ensure the security of your account.

9. Validate MFA access

Step 1: In the IBM Cloud console, go to Manage → Access (IAM) → Configuration → Authentication.
Step 2: Check the MFA setting currently in effect for the account.

Step 3: For the MFA status of every user in the account, go to Manage → Access (IAM) → MFA Status.

Select the Update report button to generate the latest version of the report.
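The console check above only shows the account-level setting, and the earlier considerations note that API keys are not covered by MFA at all. The following Python script is an added example written for this edit, not code from the original post or from IBM; it audits the account settings JSON returned by `ibmcloud iam account-settings --output json` (or by the IAM Identity API endpoint `GET /v1/accounts/{account_id}/settings/identity`) against a required MFA level and flags the settings that let MFA-exempt API keys proliferate. The field names (`mfa`, `user_mfa`, `restrict_create_platform_apikey`, `restrict_create_service_id`, `allowed_ip_addresses`), the set of MFA values and their relative strength, and the `--output json` flag are this script's assumptions about that payload; verify them against the current IAM Identity API reference before relying on the result. The sample payloads are constructed for the example.

```python
"""Audit IBM Cloud IAM account settings for MFA posture.

Usage:
    ibmcloud iam account-settings --output json | python3 mfa_audit.py [REQUIRED_LEVEL]

All field names and values below are assumptions about the IAM Identity
account settings payload; confirm them against the current API reference.
"""
import json
import sys

# Account MFA values ordered from weakest to strongest. The ordering and the
# meaning given to each value are this script's assumption.
MFA_RANK = {
    "NONE": 0,          # MFA off; CLI login with username/password allowed
    "NONE_NO_ROPC": 1,  # MFA off, but username/password CLI login disabled
    "TOTP": 2,          # MFA for users with IBMid (TOTP)
    "TOTP4ALL": 3,      # MFA for all users (email OTP, TOTP or U2F)
    "LEVEL1": 3,        # all users, email OTP or stronger
    "LEVEL2": 5,        # all users, TOTP or U2F
    "LEVEL3": 6,        # all users, U2F only
}


def audit_account_settings(settings: dict, required: str = "TOTP4ALL") -> list[str]:
    """Return a list of findings; an empty list means the account is compliant."""
    if required not in MFA_RANK:
        raise ValueError(f"unknown required level {required!r}")
    need = MFA_RANK[required]
    findings: list[str] = []

    # 1. Account-wide MFA level.
    mfa = settings.get("mfa", "NONE")
    if mfa not in MFA_RANK:
        findings.append(f"account mfa value {mfa!r} is not recognised; review manually")
    elif MFA_RANK[mfa] < need:
        findings.append(f"account mfa is {mfa}; at least {required} is required")

    # 2. Per-user overrides that are weaker than the required level.
    for entry in settings.get("user_mfa", []):
        level = entry.get("mfa", "NONE")
        if MFA_RANK.get(level, -1) < need:
            findings.append(
                f"user {entry.get('iam_id', '?')} has per-user mfa {level}, below {required}"
            )

    # 3. API keys are never subject to MFA, so creating them should be restricted.
    if settings.get("restrict_create_platform_apikey") != "RESTRICTED":
        findings.append(
            "restrict_create_platform_apikey is not RESTRICTED: any member can create "
            "user API keys, which bypass MFA"
        )
    if settings.get("restrict_create_service_id") != "RESTRICTED":
        findings.append(
            "restrict_create_service_id is not RESTRICTED: any member can create "
            "service IDs and their API keys, which bypass MFA"
        )

    # 4. Without an IP allowlist, a leaked API key is usable from anywhere.
    if not settings.get("allowed_ip_addresses"):
        findings.append("allowed_ip_addresses is empty: MFA-exempt API key use is not limited by source IP")

    return findings


# Constructed sample payloads (not real accounts).
SAMPLE_SETTINGS = json.loads("""{
  "account_id": "0000000000000000000000000000abcd",
  "mfa": "TOTP",
  "user_mfa": [
    {"iam_id": "IBMid-EXAMPLE01", "mfa": "TOTP"},
    {"iam_id": "IBMid-EXAMPLE02", "mfa": "LEVEL3"}
  ],
  "restrict_create_platform_apikey": "NOT_RESTRICTED",
  "restrict_create_service_id": "RESTRICTED",
  "allowed_ip_addresses": "",
  "session_expiration_in_seconds": "86400"
}""")

COMPLIANT_SETTINGS = {
    "account_id": "0000000000000000000000000000abcd",
    "mfa": "LEVEL2",
    "user_mfa": [],
    "restrict_create_platform_apikey": "RESTRICTED",
    "restrict_create_service_id": "RESTRICTED",
    "allowed_ip_addresses": "203.0.113.0/24",
}


if __name__ == "__main__":
    required = sys.argv[1] if len(sys.argv) > 1 else "TOTP4ALL"
    data = SAMPLE_SETTINGS if sys.stdin.isatty() else json.load(sys.stdin)
    problems = audit_account_settings(data, required)
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

Run it without input to see the findings for the constructed sample, or pipe the real settings JSON in and use the non-zero exit code to fail a compliance job. The per-user override check covers the "Enabling MFA for an individual user" section: a per-user setting weaker than the policy you intend for the account is reported alongside the account-wide value.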
