Multi-Factor Authentication (MFA)

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Overview

Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA) requires a user to present more than one type of verification to authenticate to a system. MFA defends against the majority of password-related attacks, including brute-force, credential stuffing, and password spraying.

Capabilities

  • MFA for native Datadog accounts: MFA is available as an extra layer of security during login for accounts that log into Datadog directly using an email and password. Native email/password accounts are more vulnerable to attack than accounts maintained through an identity provider.
  • Opt-in MFA: MFA is available for end users as an optional feature. Enable MFA at any time through your personal settings.
  • Authenticator apps: Any authenticator app that supports time-based one-time password (TOTP) authentication can be used for MFA. Examples include Microsoft Authenticator, Google Authenticator, Authy, and Duo.

Limitations

  • MFA is not available for accounts using Single Sign-On (SSO) only. To use MFA with SAML and Google Auth, configure it through your Identity Provider (IdP).
  • MFA does not protect against all types of attacks. For example, if an attacker has access to your email, they may be able to turn off MFA and compromise your account.
  • MFA supports at most one authenticator app.

Prerequisites

To configure MFA for your account, log in using your email and password. Users who log in using SSO do not see MFA configuration options.

Configure MFA for your user account

To find the Password & Authentication page:

  1. Ensure you are logged in with a username and password combination, not through SSO.
  2. Navigate to Personal Settings from your account menu.
  3. Under Security, select Password & Authentication.

The multi-factor authentication section lists any configured authenticator apps.

  1. Next to Authenticator App, select Add.
  2. Follow your authenticator app’s documentation for instructions on adding a new QR code.
  3. Enter the latest code generated by your authenticator app into the prompt to confirm the device was set up correctly.
  4. Save a copy of the recovery codes in a secure location. The codes cannot be retrieved after setup is complete.

View a user’s MFA status

To view if a user has MFA configured or not, you can filter on the Users table. The MFA status is also available on the user details panel.

View of the MFA status on the user detail page, example shows the user has MFA configured

MFA recovery

If you don’t have access to your authenticator app, during the login process you can use a recovery code instead of a one-time password. Each of the recovery codes can only be used once.

  1. Navigate to the login page.
  2. Enter your email address and password, then select Log in.
  3. Select Don’t have access to your authenticator?
  4. Enter one of your unused recovery codes and click Verify.

MFA rescue

If you don’t have access to your authenticator app or recovery codes, during the login process you can request a one-time recovery link via email.

  1. Navigate to the login page.
  2. Enter your email address and password, then select Log in.
  3. Select Don’t have access to your authenticator?
  4. Select Don’t have access to your recovery codes? Get a one time recovery link via email.
  5. Check your email inbox for a message with the subject line “Recovery link for logging into your Datadog account.”
  6. Select the Log in to Datadog link to finish logging into your account.

If you have lost access to your registered authenticator app, Datadog recommends that you remove the lost device and add a new one. Maintaining a valid authenticator app helps prevent issues logging into your account in the future.