Sign inTry Free

Multi-Factor Authentication

On this page

Overview

SingleStore provides a variety of authentication methods including username/password, JWT, SAML, and OIDC. SingleStore also supports multi-factor authentication (MFA) which enhances login security when connecting to SingleStore Helios. The MFA solution is available only to non-SSO users and SSO users who are exempt from the SSO requirement when logging in through the IDP.

While customers using single sign-on (SSO) with external authentication tools can enable MFA on their identity providers, SingleStore offers a default MFA solution, through a combination of either the FreeOTP or the Google Authenticator app and Keycloak, which is managed entirely by SingleStore.

MFA is enabled on a per-user basis. Users can simply install either the FreeOTP or the Google Authenticator app on their mobile device (iOS, Android, Windows, etc.) and configure it for use with the Cloud Portal.

Enable Multi-Factor Authentication

Note

Enabling MFA is a per-user action. If MFA is required across an organization, SingleStore recommends enabling SSO with an identity provider that requires MFA.

Once configured, MFA is then handled by your identity provider, and the ability for a user in the organization to manually configure MFA is disabled.

  1. Sign in to the Cloud Portal and select <your_account> > User Settings > Manage Account.

  2. Under Two-factor authentication, select Set up authenticator application.

  3. If prompted, sign back into SingleStore Helios.

  4. Follow the instructions on the MFA Setup page to configure your authenticator app.

After your authenticator app has been configured, your device will be listed in the Two-factor authentication section. To test this configuration:

  1. Sign out of the Cloud Portal.

  2. Sign back into the Cloud Portal.

    When signing back in, a Multi-factor Authentication page is displayed and you are prompted to enter a one-time code from your authenticator app.

Last modified: April 23, 2025

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK