Sign inTry Free

Multi-Factor Authentication

On this page

Overview

SingleStore provides a variety of authentication methods including username/password, JWT, SAML, and OIDC. SingleStore also supports multi-factor authentication (MFA) which enhances login security when connecting to SingleStore Helios. The MFA solution is available only to non-SSO users and SSO users who are exempt from the SSO requirement when logging in through the IDP.

While customers using single sign-on (SSO) with external authentication tools can enable MFA on their identity providers, SingleStore offers a default MFA solution, through a combination of either the FreeOTP or the Google Authenticator app, which is managed entirely by SingleStore.

MFA is enabled on a per-user basis. Users can simply install either the FreeOTP or the Google Authenticator app on their mobile device (iOS, Android, Windows, etc.) and configure it for use with the SingleStore

SingleStore Helios Multi-factor Authentication

SingleStore Helios MFA is enforced for all users except a predefined set of exemptions. For MFA, email is set as the default authentication method.

MFA Exemptions

The following users are exempt from MFA:

  • Users logging in via Single Sign-On (SSO).

  • Users who already have MFA enabled in Keycloak.

Keycloak MFA

Keycloak-based MFA is being deprecated and will be removed in the near future. Existing users configured with Keycloak MFA should migrate to Helios-native MFA as described below to avoid any authentication disruption.

When you remove the two factor authenticator configuration from your Keycloak account console by navigating to User settings Manage Account and select Remove Two factor Authentication, MFA will automatically switch to Helios MFA.

Changing Your MFA Method

  1. Sign in to the Cloud Portal and complete the current (default email) MFA verification process.

  2. Navigate to <your_account> → User SettingsMulti-Factor Authentication.

  3. By default, email authentication will be displayed as the active method.

  4. To switch to Authenticator App (TOTP):

    • Select Use this method under Authenticator App (TOTP).

    • Follow the on-screen instructions to configure TOTP as your new MFA method.

Note: To switch back from TOTP to email, follow the same process. However, SingleStore strongly recommends using TOTP for enhanced security.

Reconfiguring TOTP

If your MFA method is set to TOTP, you can reconfigure it at any time by going to <your_account> → User SettingsMulti-Factor Authentication and select the Reconfigure option.

If you cannot access your TOTP device, for example: you have lost your mobile, you can choose to verify using Email MFA for that session. This option is available on the MFA screen when the method is set to TOTP.

Remember My Device

On log in, you have the option to remember your device for MFA.

If you select this option, you can choose from a predefined set of durations visible on the MFA screen. During the selected period, you will not be prompted for MFA when logging in from that device.

Enforcing SingleStore Helios MFA for SSO Users

By default, SSO users are exempt from SingleStore Helios MFA. However, if you want to include SingleStore Helios MFA in addition to your identity provider’s MFA then execute the following steps:

  1. Go to <your_account> → Organization DetailsAuthentication.

  2. Select your Identity Provider (IdP).

  3. Click Update Connection.

  4. Enable the Enforce MFA toggle.

  5. Click Save.

Last modified: February 13, 2026

Was this article helpful?

On this page

Was this article helpful?

Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
        cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
          --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
          --bundle undefined \
          --new-bundle-format -
    Verified OK

Try Out This Notebook to See What’s Possible in SingleStore

Get access to other groundbreaking datasets and engage with our community for expert advice.

Sign UpLog In