Set multi-factor authentication for an organization

In addition to setting unique authentication methods for an organization, you can set how multi-factor authentication (MFA) works for each organization.

You might want to use MFA for some of your orgs, such as for business customers that require their users to have MFA as part of sign in. This is common in finance and government sectors.

As part of this feature, you can:

  • exempt certain roles within the organization from having to use MFA. For example, you may only want Admins to use MFA.
  • exempt certain enterprise connection types, such as SAML authentication, from MFA. You might want to do this if MFA is already set up with the enterprise auth provider.

Review the MFA requirements

In Kinde, go to Settings > Environment > Multi-factor auth.

If Require multi-factor authentication is set as ‘Yes’ or ‘Optional’ at the environment level, this configuration is used for all your organizations and the MFA methods are shared across all.

The requirement should be ‘No’ if you only want to enforce MFA for some organizations and require users to set up unique MFA methods per organization.

Switch on MFA for an organization

  1. In Kinde, go to Organizations.
  2. Browse or search for the organization.
  3. In the list, select the organization to open the Details page.
  4. Select Multi-factor auth in the menu.
  5. If applicable, activate the advanced organization feature.
  6. Toggle the Enforce multi-factor authentication for this organization switch on.
  7. Select the authentication Methods. You can choose more than one.
  8. Select Save.

Add and remove exempt roles from MFA

You need to have roles set up in Kinde.

  1. Go to the Exempt roles section of the MFA page for the organization.
  2. Select Add exempt role and select a role from the list.
  3. Press Enter.
  4. Repeat step 2 to add more roles.
  5. You can remove an exempt role by selecting the three dots menu and selecting Remove.
  6. Select Save.

If a user has a mix of exempt and non-exempt roles, MFA applies by default.

Add and remove exempt enterprise connections from MFA

You need to have enterprise connections set up in Kinde.

  1. Go to the Exempt enterprise connections section of the MFA page for the organization.
  2. Select Add exempt enterprise connection and select a connection from the list.
  3. Press Enter.
  4. Repeat step 2 to add more connections.
  5. You can remove an exempt connection by selecting the three dots menu and selecting Remove.
  6. Select Save.

If a user signs in via Okta (exempt) and has an Admin role (not exempt), they will not be prompted for MFA.
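
The two exemption rules above (mixed roles, and exempt connection with a non-exempt role) can be modelled to review who would sign in without MFA before you save an exemption. This is an added example, not Kinde code or a Kinde API: the class, function names and sample data are hypothetical, and treating a user with no roles as not exempt is an assumption.

```python
from dataclasses import dataclass, field

@dataclass
class OrgMfaPolicy:
    """Hypothetical model of one organization's MFA page (not a Kinde API object)."""
    enforce: bool                                   # the "Enforce multi-factor authentication" switch
    exempt_roles: set = field(default_factory=set)
    exempt_connections: set = field(default_factory=set)

def mfa_prompted(policy, roles, connection=None):
    """True = prompted, False = exempt, None = org switch is off, environment setting decides."""
    if not policy.enforce:
        return None
    # An exempt enterprise connection skips MFA even when a role is not exempt.
    if connection in policy.exempt_connections:
        return False
    # Roles exempt the user only if every role is exempt; a mix means MFA applies.
    # Assumption: a user with no roles at all is treated as not exempt.
    roles = set(roles)
    if roles and roles <= policy.exempt_roles:
        return False
    return True

def users_without_mfa(policy, users):
    """List the users who would sign in to this organization without an MFA prompt."""
    return [u["email"] for u in users
            if mfa_prompted(policy, u["roles"], u.get("connection")) is False]

# Constructed sample data: role names, connection name and users are made up.
POLICY = OrgMfaPolicy(enforce=True, exempt_roles={"Member", "Viewer"},
                      exempt_connections={"okta"})
USERS = [
    {"email": "a@example.com", "roles": ["Admin"]},
    {"email": "b@example.com", "roles": ["Member"]},
    {"email": "c@example.com", "roles": ["Member", "Admin"]},
    {"email": "d@example.com", "roles": ["Admin"], "connection": "okta"},
    {"email": "e@example.com", "roles": []},
]

if __name__ == "__main__":
    for email in users_without_mfa(POLICY, USERS):
        print("no MFA prompt:", email)
```

The Admin who signs in through the exempt connection appears in the output, which is the case to check with the enterprise auth provider's own MFA settings.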

Switch off MFA for an organization

If users are authenticating via MFA in the organization, switching it off may cause breaking changes.

Switching off reverts MFA requirements to whatever is set in your environment.

  1. In Kinde, go to Organizations and browse or search for the organization.
  2. In the list, select the organization to open the Details page.
  3. Select Multi-factor auth in the menu.
  4. Toggle the Enforce multi-factor authentication for this organization switch off.
  5. Select Save.