[Yandex Cloud documentation](../../../index.md) > [Yandex Identity Hub](../../index.md) > [Step-by-step guides](../index.md) > Authentication > Managing MFA > Updating an MFA policy

# Updating an MFA policy

To update an [MFA policy](../../concepts/mfa.md#mfa-policies):

{% list tabs group=instructions %}

- Cloud Center UI {#cloud-center}

  1. Log in to [Yandex Identity Hub](https://center.yandex.cloud/organization).
  1. In the left-hand panel, select ![shield](../../../_assets/console-icons/shield.svg) **Security settings**.
  1. Navigate to the **MFA policies** tab.
  1. In the MFA policy list, click ![ellipsis](../../../_assets/console-icons/ellipsis.svg) in the policy row and select ![pencil](../../../_assets/console-icons/pencil.svg) **Edit**. In the window that opens:

      1. In the **Name** field, enter a new name for the policy. The naming requirements are as follows:

          * It must be from 1 to 63 characters long.
          * It may contain lowercase Latin letters, numbers, and hyphens.
          * It must start with a letter and cannot end with a hyphen.
      1. Optionally, enter a policy description in the **Description** field.
      1. If required, use **Policy active** to activate or deactivate the policy.
      1. In the **Factor types** field, select additional authentication [factors](../../concepts/mfa.md#mfa-factors) required for users from the policy's target groups to verify their identity:
         
         * `Any`. This option allows users to select one of the following additional authentication factor standards:
         
             * [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) ([FIDO2](https://en.wikipedia.org/wiki/FIDO_Alliance#FIDO2)). The acceptable additional authentication factors may include hardware keys such as [Rutoken](https://www.rutoken.ru/) or [YubiKey](https://developers.yubico.com/Passkeys/), [Passkeys](https://www.passkeys.com/) authenticators, platform authenticators such as [Windows Hello](https://www.microsoft.com/en-us/windows/tips/windows-hello), etc. Learn more about [WebAuthn browser and OS compatibility](../../concepts/mfa.md#webauthn-support).
         
                 {% note warning %}
         
                 Browser extensions with password input control may cause errors when entering additional factors. We recommend disabling such extensions in case of errors.
         
                 {% endnote %}
         
             * [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password). This standard enables using one-time codes generated by dedicated authenticator apps as an additional authentication factor.
             * [SMS](https://en.wikipedia.org/wiki/SMS). This standard enables using one-time codes sent via a text message to the specified mobile phone number as an additional authentication factor.
         
                 {% note info %}
                 
                 SMS as an authentication factor is at the [Preview](../../../overview/concepts/launch-stages.md) stage and available only to customers with a [billable limit](../../pricing.md#prices) of Yandex Identity Hub users. To get access, contact [support](https://center.yandex.cloud/support) or your account manager.
                 
                 {% endnote %}
         
         * `Any (except SMS)`. This option enforces the [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) or [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password) authentication factors.
         * `Phishing-resistant`. This option enforces the [WebAuthn](https://en.wikipedia.org/wiki/WebAuthn) authentication factors as the most secure ones.
      1. In the **Creation deadline** field, specify the period in days during which the user must add a second authentication factor after registration.
      1. In the **Lifetime** field, set the credential validity period, in days.
         
         Upon expiry of the specified timeout, the user will need to authenticate with the additional factor again.
      1. Click **Save**.

- CLI {#cli}

  If you do not have the Yandex Cloud CLI yet, [install and initialize it](../../../cli/quickstart.md#install).

  The folder used by default is the one specified when [creating](../../../cli/operations/profile/profile-create.md) the CLI profile. To change the default folder, use the `yc config set folder-id <folder_ID>` command. You can also specify a different folder for any command using `--folder-name` or `--folder-id`. If you access a resource by its name, the search will be limited to the default folder. If you access a resource by its ID, the search will be global, i.e., through all folders based on access permissions.

  1. View the MFA policy list using this command:

     ```bash
     yc organization-manager mfa-enforcement list \
       --organization-id <organization_ID>
     ```

     Where `organization_id` is the organization ID.

  1. View the description of an MFA policy:

     ```bash
     yc organization-manager mfa-enforcement get \
       --id <policy_ID>
     ```

  1. View the description of the update MFA policy CLI command:

     ```bash
     yc organization-manager mfa-enforcement update --help
     ```

  1. To update an MFA policy, run this command:

     ```bash
     yc organization-manager mfa-enforcement update \
       --id <policy_ID> \
       --acr-id <authentication_factor_type> \
       --ttl <lifetime> \
       --status <policy_status> \
       --apply-at <time_of_applying_changes> \
       --enroll-window <registration_period> \
       --new-name <new_name> \
       --description <new_description> \
       --organization-id <organization_ID>
     ```

     Where:

     * `--id`: MFA policy ID.
     * `--acr-id`: Authentication [factor](../../concepts/mfa.md#mfa-factors) type. The possible values are:
       
       * `any-mfa`: Authentication factors without security restrictions.
       
           {% note info %}
           
           SMS as an authentication factor is at the [Preview](../../../overview/concepts/launch-stages.md) stage and available only to customers with a [billable limit](../../pricing.md#prices) of Yandex Identity Hub users. To get access, contact [support](https://center.yandex.cloud/support) or your account manager.
           
           {% endnote %}
       
       * `any-except-sms`: Only FIDO2 or TOTP factors.
       * `phr`: Only phishing-resistant FIDO2 factors.
     * `--ttl`: Credential validity period in days.
     * `--status`: Policy status, active (`status-active`) or inactive (`status-inactive`).
     * `--apply-at`: Time after which the policy will become active.
     * `--enroll-window`: Period in days after registration during which the user must add a second authentication factor.
     * `--new-name`: New policy name.
     * `--description`: New description.
     * `--organization-id`: Organization ID.

- Terraform {#tf}

  With [Terraform](https://www.terraform.io/), you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.
  
  Terraform is distributed under the [Business Source License](https://github.com/hashicorp/terraform/blob/main/LICENSE). The [Yandex Cloud provider for Terraform](https://github.com/yandex-cloud/terraform-provider-yandex) is distributed under the [MPL-2.0](https://www.mozilla.org/en-US/MPL/2.0/) license.
  
  For more information about the provider resources, see the guides on the [Terraform](https://www.terraform.io/docs/providers/yandex/index.html) website or [its mirror](../../../terraform/index.md).

  If you do not have Terraform yet, [install it and configure the Yandex Cloud provider](../../../tutorials/infrastructure-management/terraform-quickstart.md#install-terraform).
  
  
  To manage infrastructure using Terraform under a service account or user accounts (a Yandex account, a federated account, or a local user), [authenticate](../../../terraform/authentication.md) using the appropriate method.

  1. Open the Terraform configuration file and edit the `yandex_organizationmanager_mfa_enforcement` resource:

     ```hcl
     resource "yandex_organizationmanager_mfa_enforcement" "example_mfa_policy" {
       name            = "<new_policy_name>"
       organization_id = "<organization_ID>"
       acr_id          = "<new_authentication_factor_type>"
       ttl             = "<new_lifetime>"
       status          = "<new_policy_status>"
       apply_at        = "<new_activation_time>"
       enroll_window   = "<new_creation_deadline>"
       description     = "<new_policy_description>"
     }
     ```

     Where:
     
     * `name`: Policy name. This is a required setting. The naming requirements are as follows:
     
       * It must be from 1 to 63 characters long.
       * It may contain lowercase Latin letters, numbers, and hyphens.
       * It must start with a letter and cannot end with a hyphen.
     
     * `organization_id`: Organization ID. This is a required setting.
     * `acr_id`: Authentication [factor](../../concepts/mfa.md#mfa-factors) type. This is a required setting. The possible values are:
     
       * `any-mfa`: Authentication factors without security restrictions.
       * `any-except-sms`: Only FIDO2 or TOTP factors.
       * `phr`: Only phishing-resistant FIDO2 factors.
     
     * `ttl`: Credential validity period in time format, e.g., `336h0m0s` for 14 days. This is a required setting.
     * `status`: Policy status. This is an optional parameter; the possible values are: 
         * `MFA_ENFORCEMENT_STATUS_ACTIVE`: Active.
         * `MFA_ENFORCEMENT_STATUS_INACTIVE`: Inactive.
     * `apply_at`: Time after which the policy will become active, in RFC3339 format, e.g., `2024-12-31T23:59:59Z`. This is an optional setting.
     * `--enroll-window`: Period of time after registration during which the user must add a second authentication factor. Uses time format, e.g., `720h0m0s` for 30 days. This is a required setting.
     * `description`: Policy description. This is an optional setting.
     
     For more on the properties of the `yandex_organizationmanager_mfa_enforcement` resource, see [this provider guide](../../../terraform/resources/organizationmanager_mfa_enforcement.md).

  1. Apply the changes:

     1. In the terminal, navigate to the configuration file directory.
     1. Make sure the configuration is correct using this command:
     
        ```bash
        terraform validate
        ```
     
        If the configuration is valid, you will get this message:
     
        ```bash
        Success! The configuration is valid.
        ```
     
     1. Run this command:
     
        ```bash
        terraform plan
        ```
     
        You will see a list of resources and their properties. No changes will be made at this step. Terraform will show any errors in the configuration.
     1. Apply the configuration changes:
     
        ```bash
        terraform apply
        ```
     
     1. Type `yes` and press **Enter** to confirm the changes.

     Terraform will update the MFA policy. You can check the MFA policy updates using the [Cloud Center UI](https://center.yandex.cloud/organization) or this [CLI](../../../cli/index.md) command:

     ```bash
     yc organization-manager mfa-enforcement get <policy_ID>
     ```

- API {#api}

  Use the [Update](../../api-ref/MfaEnforcement/update.md) REST API method for the [MfaEnforcement](../../api-ref/MfaEnforcement/index.md) resource or the [MfaEnforcementService/Update](../../api-ref/grpc/MfaEnforcement/update.md) gRPC API call.

{% endlist %}

{% note info %}

For an MFA policy to apply to specific user accounts, [add](add-users.md) the users in question or the [groups](../../concepts/groups.md) they are members of to the policy's target groups.

{% endnote %}

#### Useful links {#see-also}

* [Creating an MFA policy](create-policy.md)
* [Applying an MFA policy to users](add-users.md)
* [Managing exceptions to MFA policies](excluded-audience.md)
* [Activating or deactivating an MFA policy](deactivate-reactivate-policy.md)
* [Deleting an MFA policy](delete-policy.md)
* [Removing an MFA factor and resetting the verification date](manage-verification.md)
* [Multi-factor authentication in Yandex Identity Hub](../../concepts/mfa.md)