MFA (Multi-Factor Authentication) requires a time-based one-time password (TOTP) in addition to username and password when logging in. MFA only applies to local authentication. Users authenticating via an external Identity Provider (IDP) are not affected.
Users can enable and disable MFA on their own account. When enabling, a QR code is returned that can be scanned with any standard TOTP authenticator app. A valid TOTP code must be provided to complete setup. If MFA is already enabled, the current TOTP code is required to re-enroll, for example when switching to a new device.
Disabling MFA also requires a valid TOTP code.
System admins can require MFA for all local users in an organization. When enforcement is active, any user without MFA configured is prompted to set it up on login before accessing that organization.
The requireMFA field on the organization reflects the current enforcement state.
System admins can disable MFA for another account without a TOTP code, for example when a user has lost access to their authenticator.
If a system admin account itself is locked out due to a lost authenticator, MFA can be reset directly via brainz using the --reset-mfa flag together with the account username. This bypasses the API entirely and clears the MFA state directly in the database.
When an account has MFA enabled, login requires a TOTP code in addition to the password.
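The enrollment, re-enrollment, disable, enforcement and login rules described above, modelled as an added Python example that is not the product's own code. TOTP is computed per RFC 6238 (HMAC-SHA1, 30 s step, 6 digits); the `Account` class, function names, the `example` issuer and the otpauth URI layout are assumptions.

```python
import base64, hashlib, hmac, struct
STEP, DIGITS = 30, 6  # RFC 6238 defaults, assumed to match the authenticator app

def hotp(secret: bytes, counter: int) -> str:  # RFC 4226: HMAC-SHA1 + dynamic truncation
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def totp(secret: bytes, at: int) -> str:
    return hotp(secret, at // STEP)  # RFC 6238: the counter is the 30 s time step

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    # Accept the current step and +/- `window` neighbours for clock drift; constant-time compare.
    return any(hmac.compare_digest(hotp(secret, at // STEP + d).encode(), code.encode())
               for d in range(-window, window + 1))

def provisioning_uri(username: str, secret: bytes, issuer: str = "example") -> str:
    # What the returned QR code encodes (otpauth layout is an assumption, not the product's own).
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{username}?secret={b32}&issuer={issuer}&digits={DIGITS}&period={STEP}"

class Account:
    def __init__(self, username: str):
        self.username, self.mfa_secret, self.pending = username, None, None
    def begin_enroll(self, new_secret: bytes, at: int, current_code: str = "") -> str:
        # Re-enrolling (e.g. a new device) requires a valid code from the secret still in force.
        if self.mfa_secret and not verify_totp(self.mfa_secret, current_code, at):
            raise PermissionError("current TOTP code required to re-enroll")
        self.pending = new_secret
        return provisioning_uri(self.username, new_secret)
    def complete_enroll(self, code: str, at: int) -> bool:
        # Nothing is committed until the user proves possession of the new secret.
        if self.pending is None or not verify_totp(self.pending, code, at):
            return False
        self.mfa_secret, self.pending = self.pending, None
        return True
    def disable(self, at: int, code: str = "", by_system_admin: bool = False) -> bool:
        # Self-service disable needs a valid code; a system admin may clear MFA without one.
        if not by_system_admin and not (self.mfa_secret and verify_totp(self.mfa_secret, code, at)):
            return False
        self.mfa_secret = self.pending = None
        return True
    def login(self, password_ok: bool, at: int, code: str = "", org_requires_mfa: bool = False) -> str:
        # "ok", "denied", or "setup-required" (the org enforces MFA but none is configured yet).
        if not password_ok:
            return "denied"
        if self.mfa_secret is None:
            return "setup-required" if org_requires_mfa else "ok"
        return "ok" if verify_totp(self.mfa_secret, code, at) else "denied"
```

The RFC 4226/6238 test-vector secret `12345678901234567890` yields `287082` at Unix time 59, which is a convenient fixed input for exercising the flow offline.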