{"id":644652,"date":"2024-02-08T16:49:56","date_gmt":"2024-02-09T00:49:56","guid":{"rendered":"https:\/\/www.esri.com\/about\/newsroom\/?post_type=arcuser&p=644652"},"modified":"2024-02-08T16:49:56","modified_gmt":"2024-02-09T00:49:56","slug":"configure-multifactor-authentication-for-arcgis-logins","status":"publish","type":"arcuser","link":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins","title":{"rendered":"Configure Multifactor Authentication for ArcGIS Logins"},"author":1031,"featured_media":0,"menu_order":0,"template":"","format":"standard","meta":{"_acf_changed":false,"sync_status":"","episode_type":"","audio_file":"","castos_file_data":"","podmotor_file_id":"","cover_image":"","cover_image_id":"","duration":"","filesize":"","filesize_raw":"","date_recorded":"","explicit":"","block":"","itunes_episode_number":"","itunes_title":"","itunes_season_number":"","itunes_episode_type":"","_links_to":"","_links_to_target":""},"categories":[10392,25012],"tags":[487962,487952,134012],"arcuser_issues":[487872],"class_list":["post-644652","arcuser","type-arcuser","status-publish","format-standard","hentry","category-arcgis-online","category-managers-corner","tag-mfa","tag-multifactor-authentication","tag-security","arcuser_issues-winter-2024"],"acf":{"short_description":"Multifactor authentication (MFA) is a security measure that is highly recommended to protect your ArcGIS accounts and sensitive information. ","pdf":{"host_remotely":false,"file":645012,"file_url":""},"flexible_content":[{"acf_fc_layout":"content","content":"Multifactor authentication (MFA) is a security measure that is highly recommended to protect your accounts and sensitive information. MFA provides increased security by requesting additional verification information when members sign in, such as a code obtained from an authenticator app.\r\n\r\nBy configuring MFA, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials. Multifactor authentication is an essential, often mandatory, part of your organization\u2019s security needs.\r\n\r\nThis article focuses on configuring MFA for ArcGIS logins only. For other supported login methods, please check with your identity provider.\r\n

About Organization Logins<\/h3>\r\nYour organization can be configured to allow members to sign in using a variety of methods, such as ArcGIS logins, Security Assertion Markup Language (SAML) logins, OpenID Connect logins, and social logins.\r\nIn the Logins section on the Security tab of your organization settings, you can set login options and reorder them. Click Show login screen to view the current settings.\r\n\r\nOrganization settings for MFA are only for ArcGIS logins and can only be configured by administrators or others with sufficient privileges. MFA for other methods other than ArcGIS logins must be configured via their respective identity providers.\r\nFor more information, see Configure security settings: Login<\/a>s.\r\n\r\n "},{"acf_fc_layout":"image","image":645022,"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"

Enable MFA<\/h3>\r\nYou can enable MFA for your organization by choosing the Organization tab > Settings > Security. Scroll down to Multifactor authentication. If you have not done so already, when you toggle MFA, you will be prompted to designate at least two administrators who will receive email requests to troubleshoot members' MFA issues. You can designate as many administrators as desired. This ensures that at larger organizations, especially those covering multiple time zones, administrative help will be available if needed.\r\n\r\nOnce MFA has been enabled, you can optionally allow the use of recovery codes for organization members. Recovery codes are one-time-use codes that provide second-step verification when members lose access to their authenticator app or security keys.\r\nWithout these recovery codes, members must contact organization administrators to sign in if their configured authenticator app or security keys are unavailable. Members using recovery codes are responsible for properly storing the information.\r\n\r\nOnce Enable multifactor authentication for organization is toggled on, MFA is optional for members using ArcGIS logins unless enforced (see section below). MFA can be configured by individual organization members if they choose to do so. This setting can be found on the Security tab in the member profile settings. Members can click Enable to set up MFA for their account.\r\n\r\nOnce MFA has been enabled, administrators will see an MFA adoption status chart, showing how many members have set up multifactor authentication. This provides useful metrics for adoption and for moving forward with enforcement.\r\n\r\n "},{"acf_fc_layout":"image","image":645042,"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"

Enforcing Multifactor Authentication<\/h3>\r\nMFA provides the highest level of security when it is enforced throughout your organization. Enforcement will require all members with ArcGIS logins to adopt MFA when signing in. Once you enable MFA you will see an option to enforce it, as well as an option to create a member exemption list that removes listed members from enforcement.\r\n\r\nClick Enforce MFA to enforce MFA for ArcGIS logins. An information pane will display that underscores the considerations and immediate implications of MFA enforcement.\r\n

Things to Consider<\/h3>\r\nAll currently signed-in members using ArcGIS logins that have not configured MFA\u2014whether they are administrators, field data collectors, or other members of your organization\u2014will be forced out and will need to sign in again using MFA.\r\n\r\nWhen members sign in again, they will be required to use a Time-based One-Time Password (TOTP) authenticator app, such as Okta Authenticator, Google Authenticator, Microsoft Authenticator, or another app to set up MFA. If an exemption list has been configured, additional charts will be displayed that let you track MFA adoption and show the status of required and exempt members.\r\n\r\nSince this option circumvents multifactor authentication, it should be used only when special circumstances exist\u2014for example, when a member needs additional time to procure and set up a device, is out in the field and does not have the means to set up MFA, or other similar situations.\r\n

Member Experience When MFA Is Enforced<\/h3>\r\nWhen MFA is enforced, all members using ArcGIS logins will need to use MFA to sign in to the organization. Members currently signed in with ArcGIS logins who have not set up MFA will be signed out immediately. All members using ArcGIS logins who have not set up MFA will be guided through the setup process the next time they sign in and will need to have access to a TOTP authenticator app for completion.\r\n\r\nNote that current activities, such as field data collection, map authoring, or analysis, may be interrupted. Best practices for ensuring minimal disruption of organization activities are listed in the best practices and considerations section below.\r\n\r\nThose signing in for the first time after enforced MFA will be presented with a QR Code, used to configure the authenticator application. Use your camera via the authenticator app to complete the configuration. Once configured, the authenticator application can be used to generate the required code, providing secure sign-in access. After successfully entering the security code, if the option Allow use of recovery codes for members in the organization has been enabled, members signing in for the first time will be prompted to save the recovery codes (which they must acknowledge) and optionally register a security key.\r\n\r\nSecurity keys can include USB devices, face recognition, a fingerprint, or other options. Security keys can be used as a second factor during authentication, following the first factor of a valid username and password. Members are highly encouraged to configure one or more security keys. Security keys are considered the best choice for preventing phishing attacks, while reducing the time for members to authenticate their identities.\r\n\r\nMembers can also go to the MFA section of their Security tab in their member profile settings to obtain recovery codes or register security keys for the second factor.\r\n\r\n "},{"acf_fc_layout":"image","image":645052,"image_position":"center","orientation":"horizontal","hyperlink":""},{"acf_fc_layout":"content","content":"

Best Practices and Considerations<\/h3>\r\nWhen implementing MFA, test the waters. If you are unsure about the impacts of MFA across your organization, you can set it up without enforcing it. This gives members the option to try it out and the ability to provide feedback. You can gauge adoption via the MFA adoption chart. Once you\u2019ve reached a threshold of adoption, you can move forward with enforcing multifactor authentication.\r\n\r\nPlan ahead for multifactor authentication, especially if you will enforce it. Enforcing MFA will automatically sign out any members with ArcGIS logins who have not yet enabled multifactor authentication, which will interrupt ongoing work and processes including field data workflows and analysis workflows.\r\n\r\nTo avoid unwanted disruptions, you can temporarily add members to the MFA exemption list. Members may also be unfamiliar with how MFA works and need some time to install an authenticator app. Forward planning will minimize any confusion and interruptions.\r\n

Communicate Your Plans<\/h3>\r\nCommunicate in advance your intention to implement MFA and provide a target date. You can leverage the Information banner and Access notice settings to get the word out to members using ArcGIS logins. These settings are found on the Security tab of your organization settings.\r\n\r\nNote that information banners are visible to anyone, including visitors to your site, so they may not be the best way to communicate these changes. Access notices, which are only shown when members sign in, may be the better choice. For more information on how to use both banners and access notices, read the blog post \u201cGet the word out: Use information banners and access notices in your ArcGIS organization<\/a>.\"\r\n

Offer TOTP App Suggestions<\/h3>\r\nA wide variety of TOTP authenticator apps are available. Organization members may be unfamiliar with the options, so coming up with suggestions (perhaps with guidance from your IT department) will ease the confusion.\r\n

Ensure the Highest Level of Security<\/h3>\r\nYour reasons for implementing MFA are based on a need or the requirement to increase the security of your organization. With that in mind, enforcing MFA is the logical choice and so is encouraging members to use security keys. Ensuring compliance and best practices for members is a worthy goal when it comes to security. Adopting MFA is a significant step toward increased security, benefiting both users and organizations.\r\n\r\nFor more information, see these sections of the help documentation:\r\nSign in<\/a>\r\nConfigure security setting<\/a>s\r\nView your settings<\/a>"}],"references":null},"yoast_head":"\nImprove security with MFA<\/title>\n<meta name=\"description\" content=\"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Configure Multifactor Authentication for ArcGIS Logins\" \/>\n<meta property=\"og:description\" content=\"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins\" \/>\n<meta property=\"og:site_name\" content=\"Esri\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/esrigis\/\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2024\/01\/MFA_banner.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@Esri\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t \"@context\": \"https:\/\/schema.org\",\n\t \"@graph\": [\n\t {\n\t \"@type\": \"WebPage\",\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins\",\n\t \"url\": \"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins\",\n\t \"name\": \"Improve security with MFA\",\n\t \"isPartOf\": {\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/#website\"\n\t },\n\t \"datePublished\": \"2024-02-09T00:49:56+00:00\",\n\t \"description\": \"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.\",\n\t \"breadcrumb\": {\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins#breadcrumb\"\n\t },\n\t \"inLanguage\": \"en-US\",\n\t \"potentialAction\": [\n\t {\n\t \"@type\": \"ReadAction\",\n\t \"target\": [\n\t \"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins\"\n\t ]\n\t }\n\t ]\n\t },\n\t {\n\t \"@type\": \"BreadcrumbList\",\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins#breadcrumb\",\n\t \"itemListElement\": [\n\t {\n\t \"@type\": \"ListItem\",\n\t \"position\": 1,\n\t \"name\": \"Home\",\n\t \"item\": \"https:\/\/www.esri.com\/about\/newsroom\"\n\t },\n\t {\n\t \"@type\": \"ListItem\",\n\t \"position\": 2,\n\t \"name\": \"Configure Multifactor Authentication for ArcGIS Logins\"\n\t }\n\t ]\n\t },\n\t {\n\t \"@type\": \"WebSite\",\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/#website\",\n\t \"url\": \"https:\/\/www.esri.com\/about\/newsroom\/\",\n\t \"name\": \"Esri\",\n\t \"description\": \"Esri Newsroom\",\n\t \"potentialAction\": [\n\t {\n\t \"@type\": \"SearchAction\",\n\t \"target\": {\n\t \"@type\": \"EntryPoint\",\n\t \"urlTemplate\": \"https:\/\/www.esri.com\/about\/newsroom\/?s={search_term_string}\"\n\t },\n\t \"query-input\": {\n\t \"@type\": \"PropertyValueSpecification\",\n\t \"valueRequired\": true,\n\t \"valueName\": \"search_term_string\"\n\t }\n\t }\n\t ],\n\t \"inLanguage\": \"en-US\"\n\t },\n\t {\n\t \"@type\": \"Person\",\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/#\/schema\/person\/82e5143bcdebadf8fd64d84e503ca468\",\n\t \"name\": \"Monica Pratt\",\n\t \"image\": {\n\t \"@type\": \"ImageObject\",\n\t \"inLanguage\": \"en-US\",\n\t \"@id\": \"https:\/\/www.esri.com\/about\/newsroom\/#\/schema\/person\/image\/\",\n\t \"url\": \"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2018\/08\/MonicaMug_agol2.jpg\",\n\t \"contentUrl\": \"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2018\/08\/MonicaMug_agol2.jpg\",\n\t \"caption\": \"Monica Pratt\"\n\t },\n\t \"description\": \"Monica Pratt is the founding and current editor of ArcUser magazine, the executive editor of ArcNews magazine, the editor of Esri Globe and head of the Publications team at Esri. She has been writing on technology topics, specializing in GIS, for more than 30 years. Before joining Esri in 1997, she worked for newspapers and in the financial industry.\",\n\t \"sameAs\": [\n\t \"https:\/\/x.com\/ArcUser\"\n\t ],\n\t \"url\": \"\"\n\t }\n\t ]\n\t}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Improve security with MFA","description":"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins","og_locale":"en_US","og_type":"article","og_title":"Configure Multifactor Authentication for ArcGIS Logins","og_description":"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.","og_url":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins","og_site_name":"Esri","article_publisher":"https:\/\/www.facebook.com\/esrigis\/","og_image":[{"url":"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2024\/01\/MFA_banner.jpg","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_site":"@Esri","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins","url":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins","name":"Improve security with MFA","isPartOf":{"@id":"https:\/\/www.esri.com\/about\/newsroom\/#website"},"datePublished":"2024-02-09T00:49:56+00:00","description":"By configuring multifactor authentication, you can significantly enhance your organization\u2019s security by preventing unauthorized access even if someone manages to obtain login credentials.","breadcrumb":{"@id":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.esri.com\/about\/newsroom\/arcuser\/configure-multifactor-authentication-for-arcgis-logins#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.esri.com\/about\/newsroom"},{"@type":"ListItem","position":2,"name":"Configure Multifactor Authentication for ArcGIS Logins"}]},{"@type":"WebSite","@id":"https:\/\/www.esri.com\/about\/newsroom\/#website","url":"https:\/\/www.esri.com\/about\/newsroom\/","name":"Esri","description":"Esri Newsroom","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.esri.com\/about\/newsroom\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.esri.com\/about\/newsroom\/#\/schema\/person\/82e5143bcdebadf8fd64d84e503ca468","name":"Monica Pratt","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.esri.com\/about\/newsroom\/#\/schema\/person\/image\/","url":"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2018\/08\/MonicaMug_agol2.jpg","contentUrl":"https:\/\/www.esri.com\/about\/newsroom\/app\/uploads\/2018\/08\/MonicaMug_agol2.jpg","caption":"Monica Pratt"},"description":"Monica Pratt is the founding and current editor of ArcUser magazine, the executive editor of ArcNews magazine, the editor of Esri Globe and head of the Publications team at Esri. She has been writing on technology topics, specializing in GIS, for more than 30 years. Before joining Esri in 1997, she worked for newspapers and in the financial industry.","sameAs":["https:\/\/x.com\/ArcUser"],"url":""}]}},"sort_order":"17","_links":{"self":[{"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/arcuser\/644652","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/arcuser"}],"about":[{"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/types\/arcuser"}],"author":[{"embeddable":true,"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/users\/1031"}],"version-history":[{"count":0,"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/arcuser\/644652\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/media?parent=644652"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/categories?post=644652"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/tags?post=644652"},{"taxonomy":"arcuser_issues","embeddable":true,"href":"https:\/\/www.esri.com\/about\/newsroom\/wp-json\/wp\/v2\/arcuser_issues?post=644652"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}