This topic explains how to set up and use multi-factor authentication to improve the security of your LaunchDarkly account.
Multi-factor authentication (MFA) requires you to use a second verification step in addition to your password to log in to a service, app, or website.
In LaunchDarkly, you can enable multi-factor authentication for your individual account, which requires you to enter a verification passcode from a free authenticator application you install on a mobile device.
Administrators can also require all newly invited team members to enable multi-factor authentication when they first log in.
We strongly recommend that all LaunchDarkly users enable MFA for their account, and that administrators enforce MFA for their entire team.
Before you begin, you'll need to install a compatible authenticator application on your mobile device. We recommend Google Authenticator, but any TOTP authenticator application should work well.
To enable MFA for your account:
- Navigate to your User Profile page.
- Click Enable MFA. A dialog with a QR code appears on your screen.
The Enable MFA section of your user profile.
- Launch the authenticator application on your mobile device and hold the camera up to your screen to scan the code. When the QR code scans, a six-digit code appears on your mobile device.
The MFA QR Code.
- Enter the six-digit code from your authenticator application in the text box in LaunchDarkly.
- Click "Continue". A confirmation screen with recovery codes appears.
The recovery codes for your account.
If you lose access to the mobile device with your MFA settings, you can use one of these recovery codes to access your account and reset your MFA settings.
Do not lose your recovery codes
Store your recovery codes in a safe location other than your mobile device. If you lose your recovery codes and cannot access your account, you must contact a LaunchDarkly administrator for help. They can send you a new recovery code.
When MFA is enabled, you're required to enter a code from your authenticator app each time you log in to LaunchDarkly.
The first step of the login flow doesn't change: you must enter your email address and password. After your credentials are verified, an MFA login screen appears.
The MFA login screen.
Enter a valid passcode from your authenticator app within five minutes. If you don't do this quickly enough, you must re-enter your password and a new code.
If you've lost access to your device or your authenticator application, click the link on the MFA login screen to log in with one of your recovery codes.
The MFA recovery code screen.
When you use a recovery code, you'll be sent to your account profile page. When this happens, reset your MFA settings and generate new recovery codes immediately.
Recovery codes are single-use
Once you've logged in with a recovery code, reset your MFA settings immediately. You can only use recovery codes once, so every time you use one, you should generate new recovery codes and store them in a safe location as soon as possible.
If you've lost your device and do not have access to any of your recovery codes, contact an administrator for your team's LaunchDarkly account. Your administrator can send you an email with a new recovery code.
This is an Admin-only feature
To follow the procedures in the next section, you must be a LaunchDarkly Admin or Owner.
If you're a LaunchDarkly administrator or account owner, you can require all newly invited team members to enable MFA.
To do this, click the checkbox labeled "Require multi-factor authentication for new members" under "Multi-factor authentication" on your Security page.
The MFA section of the Security page.
When this setting is enabled, any new team members you invite must set up MFA for their account when they first log in. In addition, if this setting is enabled, team members cannot disable MFA for their account.
Admins can also see whether team members have MFA enabled on the Team page. If a user does not have MFA enabled, admins can send an email requesting that the team member enable MFA.
The team member edit screen.
Finally, if a team member with MFA enabled loses their device and no longer has access to their recovery code, administrators can send them an email with a new recovery code.
The Send recovery code button.