Version: current

What is MFA?

MFA, or multi-factor authentication, adds a second proof of identity on top of your password or SSO login. VaultPAM uses MFA both at sign-in and, when policy requires it, as a step-up check before you open a sensitive session or perform an administrative action.

Login MFA

At login, VaultPAM can ask for:

  • A TOTP code from an authenticator app enrolled to your user account. If you belong to more than one organization, the same enrolled app can be used for step-up there too.
  • A WebAuthn security key or platform authenticator.
  • A backup code if your primary method is unavailable.

Step-up MFA

Some Safe policies require a second check even after the user is already signed in. That step-up might appear when a session is launched or when an admin action carries extra risk.
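
Because the same TOTP app can answer both the login prompt and a step-up prompt, a verifier has to refuse a code it has already accepted (RFC 6238, section 5.2). The sketch below is an added example, not VaultPAM's code: the TotpVerifier class, the HMAC-SHA1, 30-second, 6-digit parameters and the one-step drift window are assumptions, and the secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (assumed; the RFC 6238 default)
DIGITS = 6   # code length (assumed)
DRIFT = 1    # accept one step either side of "now" for clock skew (assumed)


def totp(secret: bytes, counter: int) -> str:
    """HOTP (RFC 4226) over a time-step counter, HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Hypothetical per-user verifier shared by login and step-up checks."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        matched = None
        for step in range(current - DRIFT, current + DRIFT + 1):
            expected = totp(self.secret, step).encode()
            # Constant-time comparison of each candidate in the window.
            if hmac.compare_digest(expected, code.encode()):
                matched = step
        # A step at or below the last accepted one is a replayed code.
        if matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True


def demo() -> list:
    secret = b"12345678901234567890"  # RFC 4226 test key, not a real secret
    verifier = TotpVerifier(secret)
    login_code = totp(secret, 59 // STEP)  # constructed clock: t = 59 s
    return [
        verifier.verify(login_code, 59),        # login: accepted
        verifier.verify(login_code, 65),        # same code at step-up: rejected
        verifier.verify(totp(secret, 2), 65),   # fresh code for step 2: accepted
        verifier.verify(totp(secret, 0), 65),   # code outside the window: rejected
    ]
```

In a deployment the last accepted step has to be stored per user in shared state, so that every node handling login or step-up sees the same value.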

Enrollment

Users enroll MFA through the setup flow linked from the how-to guide. Admins can require MFA at the organization or Safe level, but the enrollment experience is still user-facing.

Why it matters

MFA reduces the chance that a stolen password becomes a session compromise. It is especially important when the Safe policy allows clipboard access or targets a production system.