---
title: "Set up multi-factor authentication (MFA) for Grafana Cloud | Grafana Cloud documentation"
description: "Add a second layer of security to your Grafana Cloud account with multi-factor authentication (MFA) using a TOTP authenticator app."
---


# Set up multi-factor authentication for Grafana Cloud

Multi-factor authentication (MFA) adds a second layer of security to your Grafana Cloud account. When MFA is enabled, signing in requires both your password and a time-based one-time password (TOTP) from an authenticator app.

Grafana Cloud MFA uses the TOTP standard, which generates a new six-digit code every 30 seconds. It’s compatible with any standard TOTP authenticator app.

> Note
> 
> MFA is currently rolling out to Grafana Cloud organizations. If MFA is not yet available for your organization, the **MFA** option does not appear in the left sidebar.

## Before you begin

Make sure that:

- You have a password-based Grafana Cloud account. If you sign in exclusively through a social login provider (Google, GitHub, etc.), you must first set a password in your account settings before you can enable MFA.
- MFA is available for your organization. Contact your organization administrator or Grafana support if you need MFA enabled.

### Key points

The following applies:

- **Password required**: MFA requires a password-based account. Social-login-only users must set a password first.
- **Social login disabled**: After MFA is enabled, social login is disabled. To use social login again, first disable MFA.
- **One method at a time**: Only one TOTP authenticator can be active per account. Grafana Cloud doesn’t support multiple authenticator apps or hardware security keys.
- **Email notifications**: You receive email alerts when MFA is enabled, disabled, or when a recovery code is used.
- **Admin MFA removal**: If a user is locked out and has exhausted all recovery options, a Grafana staff administrator can disable MFA on the user’s behalf. The user receives an email notification when this occurs.

## Set up MFA

To set up MFA:

1. Sign in to [Grafana Cloud](/auth/sign-in).
2. In the left sidebar, click **MFA** under **User Settings**.

The setup wizard guides you through linking an authenticator app and saving your recovery codes.

### Link your authenticator app

1. Open your authenticator app and scan the QR code. If you can’t scan, enter the secret key shown below the QR code manually.
2. Enter the six-digit code from your authenticator app in the **Verification code** field.
3. Click **Verify and enable MFA**.

### Save your recovery codes

After your authenticator is linked, you are shown eight single-use recovery codes.

1. Click **Download** to save the codes as a text file, or click **Print** to print them. Store them in a safe location, such as a password manager.
2. Select the **I have saved my recovery codes** checkbox.
3. Click **Done** to complete setup.

After setup, you receive an email confirming that MFA is enabled on your account. Your MFA settings page shows:

- **Status**: Whether MFA is enabled.
- **Method**: The authenticator type in use (TOTP authenticator app).
- **Recovery codes remaining**: How many of your eight recovery codes are still unused.
- **Last used**: When MFA was last used for verification.

## Sign in with MFA

To sign in when MFA is enabled:

1. Enter your email and password.
2. On the MFA verification page, open your authenticator app and enter the current six-digit code.
3. Click **Verify** to complete sign-in.

Codes refresh every 30 seconds. If a code doesn’t work, wait for the next one.
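The 30-second refresh follows from how the TOTP standard (RFC 6238) derives each code from the current time step. The sketch below is an added example, not Grafana's code: it assumes HMAC-SHA1 (the RFC 6238 default; this page doesn't state the algorithm), and the secret is the RFC's published test key, used here as a constructed sample.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # from this page: a new code every 30 seconds
DIGITS = 6         # from this page: six-digit codes

# Constructed sample: the RFC 6238 test key ("12345678901234567890") in Base32,
# the form in which a secret key is typed manually. Not a real account secret.
SAMPLE_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a manually entered secret key, ignoring spaces, dashes and case."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps often strip
    return base64.b32decode(cleaned)


def totp(key: bytes, unix_time: int) -> str:
    """Return the code for the 30-second step that contains unix_time."""
    counter = unix_time // STEP_SECONDS
    # Assumption: HMAC-SHA1, the RFC 6238 default.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_until_refresh(unix_time: int) -> int:
    """Seconds left before the displayed code is replaced."""
    return STEP_SECONDS - (unix_time % STEP_SECONDS)


def same_step_code(key: bytes, server_time: int, device_offset: int) -> bool:
    """True if a device whose clock is off by device_offset seconds shows
    the same code that is computed for the server's current step."""
    shown = totp(key, server_time + device_offset)
    return hmac.compare_digest(shown, totp(key, server_time))


if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET_B32)
    for t in (29, 30, 59, 60):
        print(t, totp(key, t), "refresh in", seconds_until_refresh(t), "s")
    print("device +10 s:", same_step_code(key, 45, 10))
    print("device +20 s:", same_step_code(key, 45, 20))
```

A device clock that has drifted across a step boundary shows a different code from the one computed for the current step, so check that the device's time is set automatically if codes fail repeatedly.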

After successfully verifying with MFA, you are not prompted again for 10 days. If you sign out and back in, you need to verify again.

> Caution
> 
> When MFA is enabled on your account, social login (such as Google or GitHub) is disabled. Sign in with your password and TOTP code. To use social login again, first disable MFA.

## Recovery options

If you lose access to your authenticator app, you have two recovery methods available.

### Use a recovery code

During MFA setup, you received eight single-use recovery codes. To use one:

1. On the MFA verification page, click **Use a recovery code instead**.
2. Enter one of your saved recovery codes.
3. Click **Verify**.

Each recovery code can be used only once. You receive an email notification when a recovery code is used, including how many codes remain.

### Use email recovery

If you have also lost your recovery codes, you can receive a one-time recovery code via email. Use your recovery codes when possible.

To request an email recovery code:

1. On the MFA verification page, click **Lost your authenticator and recovery codes?**.
2. Click **Send recovery code**.
3. Check your registered email for the recovery code.
4. Enter the code on the recovery page.
5. Click **Verify** to complete sign-in.

The email recovery code expires after 15 minutes. You can request up to three recovery emails per hour.

> Note
> 
> Email recovery is unavailable for 24 hours after a password change.

### Regenerate recovery codes

You can generate a new set of recovery codes:

1. Sign in to [Grafana Cloud](/auth/sign-in).
2. In the left sidebar, click **MFA** under **User Settings**.
3. Click **Regenerate Recovery Codes**.
4. Enter your password and click **Regenerate**.

Regenerating invalidates your old codes and issues eight new ones. Download or print the new codes and store them securely.

## Organization-level MFA settings

Organization administrators can enforce MFA policies for all members of their organization through the Cloud Portal or the API.

### Require MFA for all members

To require all organization members to set up MFA using the Cloud Portal:

1. Sign in to [Grafana Cloud](/auth/sign-in).
2. Navigate to **Org Settings**.
3. Select the **Enforce MFA** checkbox.
4. Click **Update**.

Alternatively, use the API:

```bash
curl -X POST https://grafana.com/api/orgs/<ORG_SLUG>/settings \
  -H "Authorization: Bearer <TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{"mfaRequired": true}'
```

Replace the following:

- *`<ORG_SLUG>`* : Your organization slug.
- *`<TOKEN>`* : A Grafana Cloud API token with permission to update organization settings.

When MFA is enforced:

- Members who have not yet set up MFA are redirected to the MFA setup wizard at their next sign-in. They cannot access the portal until setup is complete.
- Members who already have MFA enabled are unaffected.
- Members who sign in exclusively through social login (no password set) are currently exempt, since MFA requires a password.

### View current MFA settings

To view the current MFA settings for your organization in the Cloud Portal:

1. Sign in to [Grafana Cloud](/auth/sign-in).
2. Navigate to **Org Settings**.

The **Enforce MFA** checkbox reflects the current setting.

Alternatively, use the API:

```bash
curl https://grafana.com/api/orgs/<ORG_SLUG>/settings \
  -H "Authorization: Bearer <TOKEN>"
```

The response shows the current settings:

```json
{
  "mfaRequired": true
}
```

## Disable MFA

To disable MFA:

1. Sign in to [Grafana Cloud](/auth/sign-in).
2. In the left sidebar, click **MFA** under **User Settings**.
3. Click **Disable MFA**.
4. Enter your password and click **Disable MFA** to confirm.

MFA is removed from your account. Your TOTP secret and recovery codes are deleted. You receive an email confirming MFA has been disabled. Social login is re-enabled for your account.
