Multi-Factor Authentication
On this page
Overview
SingleStore provides a variety of authentication methods including username/password, JWT, SAML, and OIDC.
While customers using single sign-on (SSO) with external authentication tools can enable MFA on their identity providers, SingleStore offers a default MFA solution, through a combination of either the FreeOTP or the Google Authenticator app and Keycloak, which is managed entirely by SingleStore.
MFA is enabled on a per-user basis.
Enable Multi-Factor Authentication
Note
Enabling MFA is a per-user action.
Once configured, MFA is then handled by your identity provider, and the ability for a user in the organization to manually configure MFA is disabled.
-
Sign in to the SingleStore Helios and select <your_
account> → User Settings → Manage Account. -
Under Two-factor authentication, select Set up authenticator application.
-
If prompted, sign back into SingleStore Helios.
-
Follow the instructions on the MFA Setup page to configure your authenticator app.
After your authenticator app has been configured, your device will be listed in the Two-factor authentication section.
-
Sign out of the SingleStore Helios.
-
Sign back into the SingleStore Helios.
When signing back in, a Multi-factor Authentication page is displayed and you are prompted to enter a one-time code from your authenticator app.
SingleStore Helios Multi-factor Authentication
SingleStore Helios MFA is enforced for all users except a predefined set of exemptions.
MFA Exemptions
The following users are exempt from MFA:
-
Users logging in via Single Sign-On (SSO).
-
Users who already have MFA enabled in Keycloak.
Changing Your MFA Method
-
Sign in to the Cloud Portal and complete the current (default email) MFA verification process.
-
Navigate to <your_
account> → User Settings → Multi-Factor Authentication. -
By default, email authentication will be displayed as the active method.
-
To switch to Authenticator App (TOTP):
-
Select Use this method under Authenticator App (TOTP).
-
Follow the on-screen instructions to configure TOTP as your new MFA method.
-
Note: To switch back from TOTP to email, follow the same process.
Reconfiguring TOTP
If your MFA method is set to TOTP, you can reconfigure it at any time by going to <your_
If you cannot access your TOTP device, for example: you have lost your mobile, you can choose to verify using Email MFA for that session.
Remember My Device
On log in, you have the option to remember your device for MFA.
If you select this option, you can choose from a predefined set of durations visible on the MFA screen.
Enforcing SingleStore Helios MFA for SSO Users
By default, SSO users are exempt from SingleStore Helios MFA.
-
Go to <your_
account> → Organization Details → Authentication. -
Select your Identity Provider (IdP).
-
Click Update Connection.
-
Enable the Enforce MFA toggle.
-
Click Save.
Last modified: August 19, 2025