What is Multi-Factor Authentication (MFA)?
Multi-Factor Authentication (or MFA/2FA) is a feature that allows a user to provide two distinct pieces of evidence to a software solution to prove that you are who you say you are. Evidence includes supplying two of three factors at login time: something you know (like a password), something you have (like a smart card or soft token supplied via an app) or something you are (like a fingerprint or some other biometric marker). Credentials must be from two of these three factors – for example, providing two passwords is not considered MFA. In ArcGIS.com, multifactor authentication is implemented by requesting a verification code in addition to an ArcGIS Online organization name and password at login time.
Why should my organization use MFA?
Multi-Factor Authentication helps protect you and your organization by adding an additional layer of security to the login process, making it substantially more difficult for an unauthorized user to impersonate an authorized user when logging into ArcGIS Online. When MFA is enabled and configured, an unauthorized user needs to have both your username and password combination, and also access to your mobile device (which is assumed also requires a PIN or some biometric marker to access). Security Experts report that MFA is considered one of the top five best online security practices currently available. Using MFA can help prevent unauthorized access or changes to your ArcGIS Online organization, and can also help to prevent unauthorized modification or deletion of your organization’s content.
How is MFA implemented in ArcGIS Online?
Organizations can take advantage of this additional authentication and configure their organization to allow members to enable multifactor authentication on their ArcGIS Online accounts. To use this feature, organization members need to have an ArcGIS account and a mobile device with a supported authentication app installed on it.
In ArcGIS Online, two administrators must exist in the organization to configure MFA. This requirement is to help support the potential use case of an administrator themselves losing access to their own device and authentication app. It is strongly recommended that ArcGIS Online administrators enable MFA for their accounts, if not for all ArcGIS Online organization accounts.