# Multi-Factor Authentication ## Overview SingleStore provides a variety of authentication methods including username/password, [JWT](https://docs.singlestore.com/cloud/security/database-access/authenticate-via-jwt.md), [SAML](https://docs.singlestore.com/cloud/security/portal-access/saml.md), and [OIDC](https://docs.singlestore.com/cloud/security/portal-access/oidc.md). SingleStore also supports multi-factor authentication (MFA) which enhances login security when connecting to SingleStore Helios. The MFA solution is available only to non-SSO users and SSO users who are exempt from the SSO requirement when logging in through the IDP. While customers using single sign-on (SSO) with external authentication tools can enable MFA on their identity providers, SingleStore offers a default MFA solution, through a combination of either the FreeOTP or the Google Authenticator app, which is managed entirely by SingleStore. MFA is enabled on a per-user basis. Users can simply install either the FreeOTP or the Google Authenticator app on their mobile device (iOS, Android, Windows, etc.) and configure it for use with the SingleStore ## SingleStore Helios Multi-factor Authentication SingleStore Helios MFA is enforced for all users except a predefined set of exemptions. For MFA, email is set as the default authentication method. ## MFA Exemptions The following users are exempt from MFA: * Users logging in via Single Sign-On (SSO). * Users who already have MFA enabled in Keycloak. ## Keycloak MFA Keycloak-based MFA is being deprecated and will be removed in the near future. Existing users configured with Keycloak MFA should migrate to Helios-native MFA as described below to avoid any authentication disruption. When you remove the two factor authenticator configuration from your Keycloak account console by navigating to **User settings **→ **Manage Account **and select **Remove Two factor Authentication**, MFA will automatically switch to Helios MFA. ## Changing Your MFA Method 1. Sign in to the Cloud Portal and complete the current (default email) MFA verification process. 2. Navigate to <**your\_account**> → **User Settings** → **Multi-Factor Authentication**. 3. By default, **email authentication** will be displayed as the active method. 4. To switch to **Authenticator App** (TOTP): * Select **Use this method** under **Authenticator App** (TOTP). * Follow the on-screen instructions to configure TOTP as your new MFA method. **Note:** To switch back from TOTP to email, follow the same process. However, SingleStore strongly recommends using TOTP for enhanced security. ## Reconfiguring TOTP If your MFA method is set to TOTP, you can reconfigure it at any time by going to <**your\_account**> → **User Settings** → **Multi-Factor Authentication** and select the **Reconfigure** option. If you cannot access your TOTP device, for example: you have lost your mobile, you can complete MFA by choosing to verify using email for that particular session. (There is an option displayed on the MFA screen when the you use TOTP MFA). If you are unable to access neither email nor the TOTP device, then you have to raise a request with the Support team citing the reason and requesting MFA exemption for the affected user(s). After MFA exemption and subsequent successful login, you have to go to the **User Settings** page and either reconfigure TOTP on your device or configure **Email** MFA for future logins. ## Remember My Device On log in, you have the option to **remember your device** for MFA. If you select this option, you can choose from a predefined set of durations visible on the MFA screen. During the selected period, you will not be prompted for MFA when logging in from that device. ## Enforcing SingleStore Helios MFA for SSO Users By default, SSO users are exempt from SingleStore Helios MFA. However, if you want to include SingleStore Helios MFA in addition to your identity provider’s MFA then execute the following steps: 1. Go to <**your\_account**> → **Organization Details** → **Authentication**. 2. Select your **Identity Provider** (IdP). 3. Click **Update Connection**. 4. Enable the **Enforce MFA** toggle. 5. Click **Save**. *** Modified at: May 6, 2026 Source: [/cloud/security/portal-access/multi-factor-authentication/](https://docs.singlestore.com/cloud/security/portal-access/multi-factor-authentication/) (An index of the documentation is available at /llms.txt)