
»Login MFA FAQ

This FAQ section contains frequently asked questions about the Login MFA feature.

  • Q: What MFA features can I access if I upgrade to Vault version 1.10?
  • Q: What are the various MFA workflows that are available to me as a Vault user as of Vault version 1.10, and how are they different?
  • Q: What is the Legacy MFA feature?
  • Q: Will HCP Vault support MFA?
  • Q: What is Single-Phase MFA vs. Two-Phase MFA?
  • Q: Are there new MFA API endpoints introduced as part of the new Vault version 1.10 MFA for login functionality?
  • Q: How do MFA configurations differ between the Login MFA and Step-up Enterprise MFA?
  • Q: What are the ways to configure the various MFA workflows?
  • Q: Which MFA mechanism is used with the different MFA workflows in Vault version 1.10?
  • Q: Are namespaces supported with the MFA workflows that Vault has as of Vault version 1.10?
  • Q: I use the Vault Agent. Does MFA pose any challenges for me?
  • Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA?
  • Q: I am a Step-up Enterprise MFA user using MFA for login. What are the steps to migrate to Login MFA?

»Q: What MFA features can I access if I upgrade to Vault version 1.10?

Vault supports Step-up Enterprise MFA as part of our Enterprise edition. The Step-up Enterprise MFA provides MFA on login, or for step-up access to sensitive resources in Vault using ACL and Sentinel policies, and is configurable through the CLI/API.

Starting with Vault version 1.10, Vault OSS provides MFA on login only. This is also available with Vault Enterprise and configurable through the CLI/API.

The Step-up Enterprise MFA will co-exist with the newly introduced Login MFA starting with Vault version 1.10.

»Q: What are the various MFA workflows that are available to me as a Vault user as of Vault version 1.10, and how are they different?

| MFA workflow | What does it do? | Who manages the MFA? | OSS vs. Enterprise support |
|---|---|---|---|
| Login MFA | MFA in Vault OSS provides MFA on login. CLI, API, and UI-based login are supported. | MFA is managed by Vault | Supported in Vault OSS |
| Okta Auth MFA | This is MFA as part of the Okta Auth method in Vault OSS, where MFA is enforced by Okta on login. MFA must be satisfied for authentication to be successful. This is different from the Okta MFA method used with Login MFA and Step-up Enterprise MFA. CLI/API login are supported. | MFA is managed externally by Okta | Supported in Vault OSS |
| Step-up Enterprise MFA | MFA in Vault Enterprise provides MFA for login and for step-up access to sensitive resources in Vault. Supports CLI/API based login, and ACL/Sentinel policies. | MFA is managed by Vault | Supported in Vault Enterprise |

Note: The Legacy MFA is a deprecated MFA workflow in Vault OSS. Refer here for more details.

»Q: What is the Legacy MFA feature?

Legacy MFA is functionality that was available in Vault OSS, prior to introducing MFA in the Enterprise version. This is now a deprecated feature. Please see the Vault Feature Deprecation Notice and Plans for detailed product plans around deprecated features. We plan to remove Legacy MFA in 1.11.

»Q: Will HCP Vault support MFA?

Yes, HCP Vault will support MFA across all tiers and offering as part of the April 2022 release.

»Q: What is Single-Phase MFA vs. Two-Phase MFA?

  • Single-Phase MFA: This is a single request mechanism where the required MFA information, such as MFA method ID, is provided via the X-Vault-MFA header in a single MFA request that is used to authenticate into Vault.

Note: If the configured MFA methods need a passcode, it needs to be provided in the request, such as in the case of TOTP or Duo. If the configured MFA methods, such as PingID, Okta, or Duo, do not require a passcode and have out of band mechanisms for verifying the extra factor, Vault will send an inquiry to the other service's APIs to determine whether the MFA request has yet been verified.

  • Two-Phase MFA: This is a two-request MFA method that is more conventionally used.
    • The MFA passcode required for the configured MFA method is not provided in a header of the MFA-restricted login request. Instead, the user first authenticates to the auth method, and on successful authentication an MFA requirement is returned to the user. The MFA requirement contains the MFA RequestID and the constraints applicable to the MFA as configured by the operator.
    • The user then must make a second request to the new endpoint sys/mfa/validate, providing the MFA RequestID and an MFA payload which includes each MFA method ID's passcode (if applicable). If MFA validation passes, the new Vault token is persisted and returned to the user in the response, just like a regular Vault token created using a non-MFA-restricted auth method.
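The two-phase exchange above, as an added example that is not part of the Vault documentation: phase one is a userpass login (the mount path auth/userpass is an assumption), phase two posts the request ID and passcodes to sys/mfa/validate. The sample login response is constructed from the shape described here, with made-up IDs; the payload shape for push-style methods that need no passcode is an assumption.

```python
import json
import urllib.request

# Constructed sample of a Vault 1.10 userpass login response when a login
# enforcement applies: client_token is empty and auth.mfa_requirement carries
# the request ID plus the operator's constraints (all IDs here are made up).
SAMPLE_LOGIN_RESPONSE = {"auth": {
    "client_token": "",
    "mfa_requirement": {
        "mfa_request_id": "00000000-0000-4000-8000-000000000abc",
        "mfa_constraints": {"userpass-totp": {  # login-enforcement name
            "any": [{"type": "totp", "uses_passcode": True,
                     "id": "11111111-2222-4333-8444-555555555555"}]}},
    },
}}

def needs_mfa(login_response):
    """True when phase one returned an MFA requirement instead of a token."""
    auth = login_response.get("auth") or {}
    return not auth.get("client_token") and "mfa_requirement" in auth

def build_validate_body(login_response, passcodes):
    """Build the sys/mfa/validate body from the phase-one requirement.
    passcodes maps method ID -> passcode; one method per enforcement is used.
    A method with uses_passcode false (push-style Okta/PingID/Duo) gets an
    empty list so Vault checks the provider out of band (assumed shape)."""
    req = login_response["auth"]["mfa_requirement"]
    payload = {}
    for name, constraint in req["mfa_constraints"].items():
        for method in constraint["any"]:
            if not method["uses_passcode"]:
                payload[method["id"]] = []
                break
            if method["id"] in passcodes:
                payload[method["id"]] = [passcodes[method["id"]]]
                break
        else:  # no method of this enforcement could be satisfied
            raise ValueError(f"no usable passcode for enforcement {name!r}")
    return {"mfa_request_id": req["mfa_request_id"], "mfa_payload": payload}

def two_phase_login(addr, username, password, passcodes):
    """Live flow against a userpass mount at auth/userpass (assumed path)."""
    def post(path, body):
        req = urllib.request.Request(f"{addr}/v1/{path}", method="POST",
                                     data=json.dumps(body).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    first = post(f"auth/userpass/login/{username}", {"password": password})
    if not needs_mfa(first):
        return first["auth"]["client_token"]  # no enforcement: one request
    second = post("sys/mfa/validate", build_validate_body(first, passcodes))
    return second["auth"]["client_token"]  # token issued only after validation
```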

»Q: Are there new MFA API endpoints introduced as part of the new Vault version 1.10 MFA for login functionality?

Yes, this feature adds the following new MFA configuration endpoints: identity/mfa/method, identity/mfa/login-enforcement, and sys/mfa/validate. Refer to the documentation for more details.

»Q: How do MFA configurations differ between the Login MFA and Step-up Enterprise MFA?

All MFA methods supported with the Step-up Enterprise MFA are supported with the Login MFA, but they use different API endpoints:

  • Step-up Enterprise MFA: sys/mfa/method/:type/:name
  • Login MFA: identity/mfa/method/:type

There are also two differences in how methods are defined in the two systems. The Step-up Enterprise MFA expects the method creator to specify a name for the method; Login MFA does not, and instead returns an ID when a method is created. The Step-up Enterprise MFA uses the combination of mount accessors plus a username_format template string, whereas in Login MFA, these are combined into a single field username_format, which uses the same identity templating format as used in policies.

»Q: What are the ways to configure the various MFA workflows?

| MFA workflow | Configuration methods | Details |
|---|---|---|
| Login MFA | CLI/API. The UI does not support the configuration of Login MFA as of Vault version 1.10. | Configured using the identity/mfa/method endpoints, then passing those method IDs to the identity/mfa/login-enforcement endpoint. MFA methods supported: TOTP, Okta, Duo, PingID. |
| Okta Auth MFA | CLI/API | MFA methods supported: TOTP, Okta Verify Push. Note that Vault does not support Okta Verify Push with Number Challenge at this time. |
| Step-up Enterprise MFA | CLI/API | Configured using the sys/mfa/method endpoints and by referencing those methods in policies. MFA methods supported: TOTP, Okta, Duo, PingID. |

»Q: Which MFA mechanism is used with the different MFA workflows in Vault version 1.10?

| MFA workflow | UI | CLI/API | Single-Phase | Two-Phase |
|---|---|---|---|---|
| Login MFA | Supported | Supported. You can select Single-Phase MFA by supplying the X-Vault-MFA header. In the absence of this header, Two-Phase MFA is used. | N/A | Supported |
| Okta Auth MFA | N/A | N/A | MFA is not managed by Vault | MFA is not managed by Vault |
| Step-up Enterprise MFA | N/A | Supported | Supported | N/A |

»Q: Are namespaces supported with the MFA workflows that Vault has as of Vault version 1.10?

Step-up Enterprise MFA methods can only be configured in the root namespace, although they can be referenced from other namespaces via policies. Login MFA is namespace aware; a Vault Enterprise license is required to use or configure Login MFA with namespaces (in Vault OSS everything operates in the root namespace). With Login MFA, method configurations can be defined per namespace and used in enforcements defined in that namespace and its children, and login enforcements can likewise be defined per namespace and applied to that namespace and its children.

»Q: I use the Vault Agent. Does MFA pose any challenges for me?

The Vault Agent should not use MFA to authenticate to Vault; it should be able to relay requests with MFA-related headers to Vault successfully.

»Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA?

If you are currently using Step-up Enterprise MFA, evaluate your MFA-specific use cases to determine whether or not you should migrate to Login MFA.

Here are some considerations:

  • If you use the Step-up Enterprise MFA for login (with Sentinel EGP), you may find value in the simpler Login MFA workflow. We recommend that you test it out to evaluate whether it meets all your requirements.
  • If you use the Step-up Enterprise MFA for more than login, please be aware that the new MFA workflow only supports the login use case. You will still need to use the Step-up Enterprise MFA for non-login use cases.

»Q: I am a Step-up Enterprise MFA user using MFA for login. What are the steps to migrate to Login MFA?

Refer to the question Q: I am a Step-up Enterprise MFA user using MFA for login. Should I migrate to the new Login MFA? to evaluate whether or not you should migrate.

If you wish to migrate to Login MFA, follow these steps and guidelines to migrate successfully.

  1. First, create new MFA methods using the identity/mfa/method endpoints. These should mostly use the same fields as the MFA methods you defined using the sys/mfa/method endpoints, keeping the following in mind:
    • the new endpoints yield an ID instead of allowing you to define a name;
    • the new non-TOTP endpoints have a single username_format field instead of username_format plus mount_accessor fields; see Templated Policies for the username_format format.
  2. Instead of writing Sentinel EGP rules to require that logins use MFA, use the identity/mfa/login-enforcement endpoint to specify the MFA methods.
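The field differences described here (no name, no mount_accessor, a single identity-templated username_format) and the two migration steps, as an added example that is not part of the Vault documentation: it rewrites a Step-up method configuration into the body for identity/mfa/method/&lt;type&gt; and builds the login-enforcement body that replaces the Sentinel EGP rule. The legacy placeholder names (alias.name, entity.name, alias.metadata.K, entity.metadata.K), their identity-templating equivalents, and the handling of a blank legacy username_format are my reading of the two template languages and are assumptions.

```python
import re

# Legacy Step-up username_format placeholders ({{alias.name}}, {{entity.name}},
# {{alias.metadata.K}}, {{entity.metadata.K}}) and the identity-templating
# names Login MFA uses. Assumption: these are the placeholder vocabularies of
# the two template languages; <accessor> comes from the legacy mount_accessor.
_PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z0-9_.-]+?)\s*\}\}")

def convert_username_format(legacy_format, mount_accessor):
    """Rewrite a Step-up MFA username_format into Login MFA templating."""
    def repl(m):
        key = m.group(1)
        if key == "alias.name":
            return "{{identity.entity.aliases.%s.name}}" % mount_accessor
        if key == "entity.name":
            return "{{identity.entity.name}}"
        if key.startswith("alias.metadata."):
            return "{{identity.entity.aliases.%s.metadata.%s}}" % (
                mount_accessor, key[len("alias.metadata."):])
        if key.startswith("entity.metadata."):
            return "{{identity.entity.metadata.%s}}" % key[len("entity.metadata."):]
        raise ValueError(f"unknown legacy placeholder {key!r}")
    if mount_accessor is None and "alias." in legacy_format:
        raise ValueError("alias placeholders need the legacy mount_accessor")
    return _PLACEHOLDER.sub(repl, legacy_format)

def convert_method(legacy_type, legacy_config):
    """Return (path, body) to write to identity/mfa/method/<type>.
    The legacy name is not carried over (the new endpoint returns an ID),
    mount_accessor is dropped, and username_format is rewritten so the
    accessor lives inside the template. TOTP has no username_format."""
    body = dict(legacy_config)
    accessor = body.pop("mount_accessor", None)
    if legacy_type != "totp":
        fmt = body.get("username_format", "")
        if not fmt and accessor:
            # Legacy blank means "use the alias name as-is"; Login MFA blank
            # means the entity name, so name the alias explicitly (my reading).
            fmt = "{{alias.name}}"
        if fmt:
            body["username_format"] = convert_username_format(fmt, accessor)
    return f"identity/mfa/method/{legacy_type}", body

def login_enforcement(name, method_ids, auth_method_accessors):
    """Body for identity/mfa/login-enforcement/<name>, replacing the EGP rule."""
    return f"identity/mfa/login-enforcement/{name}", {
        "mfa_method_ids": list(method_ids),
        "auth_method_accessors": list(auth_method_accessors),
    }
```

Write each returned body to its path with `vault write`, then put the IDs the method writes return into the enforcement body.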
