Copyright © 2024

MFA Management


Last updated 6 months ago

The BastionZero product is maintained for existing BastionZero customers only.

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s service.

BastionZero uses two roots of trust to authenticate users in your organization. The first is your SSO provider. The second is an independent BastionZero MFA.

All new BastionZero organizations are created with BastionZero MFA enabled by default. BastionZero MFA is organization-wide and cannot be disabled for the entire organization. However, administrators within that organization are able to enable/disable an individual user's MFA. Please note that in order to do this, the user must first log in. Only after the account has been established can an administrator disable, re-enable, or reset the individual MFA.

To verify that organization-wide MFA is enabled, access the Security Settings page by choosing the gear icon in the top right corner of the web app. Navigate to "System Controls" underneath "Security."

Thus all BastionZero clients must submit the BastionZero factor before the authenticated SSO user is granted access to the BastionZero service.

This creates a true MFA authentication system: your user's SSO credentials are one factor, BastionZero's MFA is a second, and, assuming you have MFA enabled at your SSO provider (which we recommend as a security best practice), that is a third.

Configure your organization's MFA duration

For organizations with global MFA enabled, administrators can specify how frequently users need to provide MFA to BastionZero. The duration can be as short as 1 hour and as long as 1 week (168 hours). Changes take effect immediately and are enforced at the user's next MFA refresh. Admins can modify the MFA duration in the security settings in the web app or via API.

To verify that your organization-wide MFA is enabled, navigate to Security by using the gear in the top right corner of the web app.

[Image: Security settings page showing an organization's MFA duration set to 55 hours.]

The above image displays an organization that has set its MFA duration to 55 hours, meaning that every 55 hours a user will need to resupply MFA to BastionZero.