Multi-Factor Authentication

Overview

SingleStore provides a variety of authentication methods, including username/password, JWT, SAML, and OIDC. SingleStore also supports multi-factor authentication (MFA), which enhances login security when connecting to SingleStore Helios. The MFA solution is available only to non-SSO users and to SSO users who are exempt from the SSO requirement when logging in through the IdP.

While customers using single sign-on (SSO) with external authentication tools can enable MFA on their identity providers, SingleStore offers a default MFA solution, through a combination of either the FreeOTP or the Google Authenticator app and Keycloak, which is managed entirely by SingleStore.

MFA is enabled on a per-user basis. Users can simply install either the FreeOTP or the Google Authenticator app on their mobile device (iOS, Android, Windows, etc.) and configure it for use with the SingleStore

Enable Multi-Factor Authentication

Note

Enabling MFA is a per-user action. If MFA is required across an organization, SingleStore recommends enabling SSO with an identity provider that requires MFA.

Once configured, MFA is then handled by your identity provider, and the ability for a user in the organization to manually configure MFA is disabled.

  1. Sign in to SingleStore Helios and select <your_account> → User Settings → Manage Account.

  2. Under Two-factor authentication, select Set up authenticator application.

  3. If prompted, sign back into SingleStore Helios.

  4. Follow the instructions on the MFA Setup page to configure your authenticator app.

After your authenticator app has been configured, your device will be listed in the Two-factor authentication section. To test this configuration:

  1. Sign out of SingleStore Helios.

  2. Sign back in to SingleStore Helios. When signing back in, a Multi-factor Authentication page is displayed and you are prompted to enter a one-time code from your authenticator app.

SingleStore Helios Multi-factor Authentication

SingleStore Helios MFA is enforced for all users except a predefined set of exemptions. For MFA, email is set as the default authentication method.

MFA Exemptions

The following users are exempt from MFA:

  • Users logging in via Single Sign-On (SSO).

  • Users who already have MFA enabled in Keycloak.

Changing Your MFA Method

  1. Sign in to the Cloud Portal and complete the current (default email) MFA verification process.

  2. Navigate to <your_account> → User Settings → Multi-Factor Authentication.

  3. By default, email authentication will be displayed as the active method.

  4. To switch to Authenticator App (TOTP):

    • Select Use this method under Authenticator App (TOTP).

    • Follow the on-screen instructions to configure TOTP as your new MFA method.

Note: To switch back from TOTP to email, follow the same process. However, SingleStore strongly recommends using TOTP for enhanced security.

Reconfiguring TOTP

If your MFA method is set to TOTP, you can reconfigure it at any time by going to <your_account> → User Settings → Multi-Factor Authentication and selecting the Reconfigure option.

If you cannot access your TOTP device (for example, you have lost your mobile), you can choose to verify using Email MFA for that session. This option is available on the MFA screen when the method is set to TOTP.

Remember My Device

At login, you have the option to remember your device for MFA.

If you select this option, you can choose from a predefined set of durations visible on the MFA screen. During the selected period, you will not be prompted for MFA when logging in from that device.

Enforcing SingleStore Helios MFA for SSO Users

By default, SSO users are exempt from SingleStore Helios MFA. However, if you want to include SingleStore Helios MFA in addition to your identity provider’s MFA, complete the following steps:

  1. Go to <your_account> → Organization Details → Authentication.

  2. Select your Identity Provider (IdP).

  3. Click Update Connection.

  4. Enable the Enforce MFA toggle.

  5. Click Save.

Last modified: August 19, 2025


Verification instructions

Note: You must install cosign to verify the authenticity of the SingleStore file.

Use the following steps to verify the authenticity of singlestoredb-server, singlestoredb-toolbox, singlestoredb-studio, and singlestore-client SingleStore files that have been downloaded.

You may perform the following steps on any computer that can run cosign, such as the main deployment host of the cluster.

  1. (Optional) Run the following command to view the associated signature files.

    curl undefined

  2. Download the signature file from the SingleStore release server.

    • Option 1: Click the Download Signature button next to the SingleStore file.

    • Option 2: Copy and paste the following URL into the address bar of your browser and save the signature file.

    • Option 3: Run the following command to download the signature file.

      curl -O undefined

  3. After the signature file has been downloaded, run the following command to verify the authenticity of the SingleStore file.

    echo -n undefined |
    cosign verify-blob --certificate-oidc-issuer https://oidc.eks.us-east-1.amazonaws.com/id/CCDCDBA1379A5596AB5B2E46DCA385BC \
    --certificate-identity https://kubernetes.io/namespaces/freya-production/serviceaccounts/job-worker \
    --bundle undefined \
    --new-bundle-format -

    Verified OK