# MFA Management

{% hint style="danger" %}

### <mark style="color:red;">**The BastionZero product is maintained for existing BastionZero customers only.**</mark>

Moving forward, we are natively rebuilding BastionZero’s technology as Cloudflare’s [Access for Infrastructure](https://developers.cloudflare.com/cloudflare-one/applications/non-http/infrastructure-apps/) service.
{% endhint %}

BastionZero uses two roots of trust to authenticate users in your organization. The first is your SSO provider. The second is an independent BastionZero MFA.

All new BastionZero organizations are created with BastionZero MFA enabled by default. BastionZero MFA is organization-wide and cannot be disabled for the entire organization. However, administrators within that organization are able to enable/disable an individual user's MFA. Please note that in order to do this, the user must first log in. Only after the account has been established can an administrator disable, re-enable, or reset the individual MFA.

To verify that organization-wide MFA is enabled, access the Security Settings page by choosing the gear icon in the top right corner of the web app. Navigate to "System Controls" underneath "Security."

<figure><img src="https://2296692744-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB1x0ofz14evTHlwIRKaW%2Fuploads%2F1fMZiMysxVXbsdTVzano%2Fenabled%20global%20mfa.png?alt=media&#x26;token=cc55c3a9-9124-4b80-80e8-6f9a24c8cfdf" alt=""><figcaption><p>To verify that your organization-wide MFA is enabled, navigate to Security by using the gear in the top right corner of the web app.</p></figcaption></figure>

Thus all BastionZero clients must submit the BastionZero factor before the authenticated SSO user is granted access to the BastionZero service.

This creates a true MFA authentication system in which your user's credentials are one factor, BastionZero's is a second, and, assuming you have your SSO factor enabled (which we do as a security best practice), that is a third.

## Configure your organization's MFA duration

For organizations with global MFA enabled, administrators can specify how frequently users need to provide MFA to BastionZero. The duration can be as short as 1 hour and as long as 1 week (168 hours). Changes take effect immediately and are enforced at the user's next MFA refresh. Admins can modify the MFA duration in the security settings in the web app or [via API](https://cloud-staging.bastionzero.com/api/#patch-/api/v2/policies/organization-controls/-id-).

<figure><img src="https://2296692744-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FB1x0ofz14evTHlwIRKaW%2Fuploads%2FRY18MDUSZUpH5waeweGu%2FScreenshot%202023-10-17%20at%203.55.54%20PM.png?alt=media&#x26;token=7c65d507-efa2-4221-bd70-73745c5c3097" alt=""><figcaption><p>The above image displays an organization that has set their MFA duration to 55 hours, meaning that every 55 hours a user will need to resupply MFA to BastionZero.</p></figcaption></figure>


