[Yandex Cloud documentation](../../index.md) > [Yandex Identity Hub](../index.md) > Concepts > MFA

# Multi-factor authentication in Yandex Identity Hub

In Yandex Identity Hub, you can configure [multi-factor authentication](https://en.wikipedia.org/wiki/Multi-factor_authentication) (MFA) for [federated](../../iam/concepts/users/accounts.md#saml-federation) and [local](../../iam/concepts/users/accounts.md#local) user accounts.

MFA enhances protection of user accounts by requiring an additional authentication factor aside from the password. This may be either a one-time code (via a [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) authenticator app or SMS) or a [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ([FIDO2](https://en.wikipedia.org/wiki/FIDO_Alliance#FIDO2)) authentication process.

## MFA policies {#mfa-policies}

_MFA policies_ specify the multi-factor authentication requirements enforced on users, which include:
* Requirements for the allowed [MFA factor](#mfa-factors) types.
* Requirements for the time period in which the user must add a second authentication factor after registration.

    If the user does not add a second factor within the specified period, they will not be able to authenticate in Yandex Cloud on their own.
    
    To enable a user who missed the deadline for adding a second factor to authenticate, the organization administrator must [reset the user verification date](../operations/mfa/manage-verification.md#reset-verification-date), restarting the period set in the **Creation deadline** field of the MFA policy.
    
    To reset a user account verification date, you need the `organization-manager.federations.userAdmin` [role](../security/index.md) or higher (for federated accounts) or the `organization-manager.userpools.userAdmin` role or higher (for local accounts).
    
    {% note info %}
    
    You can look up the date of a user's last verification with the MFA factor on the **Overview** tab of the user information page in the Cloud Center Yandex Identity Hub interface.
    
    {% endnote %}

* Requirements for the frequency of repeated verification of the additional authentication factor.

    Upon expiry of the specified timeout, the user will need to authenticate with the additional factor again.

You can [create](../operations/mfa/create-policy.md) an MFA policy in the [Yandex Identity Hub](https://center.yandex.cloud/organization) interface in Cloud Center.

For an MFA policy to apply to specific user accounts, you need to [explicitly add](../operations/mfa/add-users.md) those users or the [groups](groups.md) to which they belong to the policy's target groups. If needed, you can [exclude](../operations/mfa/excluded-audience.md) certain users or groups from the policy without deleting them from the target groups.

{% note info %}

You can add any type of [user accounts](../../iam/concepts/users/accounts.md) to the MFA policy target groups, but the policy will only apply to [federated](../../iam/concepts/users/accounts.md#saml-federation) and [local](../../iam/concepts/users/accounts.md#local) user accounts.

If a group added to an MFA policy includes users with different account types, the policy will only apply to users with federated and local accounts.

{% endnote %}

An MFA policy can be either `Active` or `Inactive`. 

You can temporarily [deactivate](../operations/mfa/deactivate-reactivate-policy.md#deactivate-policy) an active policy; as a result, its status will change to `Inactive`, and users whose accounts belong to the policy's target groups will no longer be required to use an additional authentication factor. You can [reactivate](../operations/mfa/deactivate-reactivate-policy.md#reactivate-policy) an inactive policy, and its requirements will again apply to the relevant user accounts.

If a user belongs to target groups of multiple MFA policies at once, their account will be subject to the most stringent policy requirements, both in terms of authentication factors and the period and frequency of additional factor verification.

MFA policies can be managed by users with the `organization-manager.editor` [role](../security/index.md#organization-manager-editor) or higher.

## MFA factors {#mfa-factors}

When getting authenticated in Yandex Cloud for the first time, federated and local users belonging to the MFA policy target groups must set up additional account protection by _verifying_ their identity with a second authentication method (factor). Authentication factors available to the user depend on their device capabilities and the factor strength settings dictated by the MFA policy:

* `Any`. This option allows users to select one of the following additional authentication factor standards:

    * [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ([FIDO2](https://en.wikipedia.org/wiki/FIDO_Alliance#FIDO2)). The acceptable additional authentication factors may include hardware keys such as [Rutoken](https://www.rutoken.ru/) or [YubiKey](https://developers.yubico.com/Passkeys/), [Passkeys](https://www.passkeys.com/) authenticators, platform authenticators such as [Windows Hello](https://www.microsoft.com/en-us/windows/tips/windows-hello), etc. Learn more about [WebAuthn browser and OS compatibility](mfa.md#webauthn-support).

        {% note warning %}

        Browser extensions with password input control may cause errors when entering additional factors. We recommend disabling such extensions in case of errors.

        {% endnote %}

    * [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password). This standard enables using one-time codes generated by dedicated authenticator apps as an additional authentication factor.
    * [SMS](https://en.wikipedia.org/wiki/SMS). This standard enables using one-time codes sent via a text message to the specified mobile phone number as an additional authentication factor.

        {% note info %}
        
        SMS as an authentication factor is at the [Preview](../../overview/concepts/launch-stages.md) stage and available only to customers with a [billable limit](../pricing.md#prices) of Yandex Identity Hub users. To get access, contact [support](https://center.yandex.cloud/support) or your account manager.
        
        {% endnote %}

* `Any (except SMS)`. This option enforces the [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) or [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) authentication factors.
* `Phishing-resistant`. This option enforces the [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) authentication factors as the most secure ones.

Users must repeat the verification with the selected additional authentication factor as often as is [specified](../operations/mfa/create-policy.md) in the **Lifetime** field of the MFA policy settings.

The organization administrator may [remove](../operations/mfa/manage-verification.md#remove-mfa-factor) an existing user authentication factor. For example, this may be necessary if the user is unable to access the authenticator app or lost their hardware key used for identity verification.

## WebAuthn browser and OS compatibility {#webauthn-support}

To use WebAuthn, make sure it is supported by your browser and OS. The table below lists the earliest browser and OS versions with WebAuthn support. It is also supported in later versions.

#|
|| **Browser** | **Android 14** | **iOS 16** | **Windows 10** | **macOS 13 (Ventura)** | **Desktop Linux** ||
|| **Chromium**^1^ | Full support | Full support | Full support^2^ | Full support | Only hardware keys^3^ ||
|| **Safari** | No information | Full support | No information | Full support | No information ||
|| **Firefox** | Full support^4^ | Full support | Full support^2^ | Full support^5^ | Only hardware keys ||
|#

^1^ This also applies to [Chromium](https://en.wikipedia.org/wiki/Chromium)-based Yandex Browser, Google Chrome, Opera, Vivaldi, Brave, and Microsoft Edge.
^2^ For platform-specific authenticators with Windows Hello only.
^3^ To use Rutoken in Yandex Browser, you need the Rutoken plugin.
^4^ Use of biometrics may be restricted on some devices.
^5^ Platform authenticators, e.g., Touch ID, may not be fully available due to the Gecko engine features.

#### See also {#see-also}

* [Creating an MFA policy](../operations/mfa/create-policy.md)
* [Updating an MFA policy](../operations/mfa/update-policy.md)
* [Applying an MFA policy to users](../operations/mfa/add-users.md)
* [Managing exceptions to MFA policies](../operations/mfa/excluded-audience.md)
* [Activating or deactivating an MFA policy](../operations/mfa/deactivate-reactivate-policy.md)
* [Deleting an MFA policy](../operations/mfa/delete-policy.md)
* [Removing an MFA factor and resetting the verification date](../operations/mfa/manage-verification.md)
* [Authentication and authorization security checklist](../../security/domains/iam-checklist.md)