IBM Cloud Docs
Identifying a user's MFA status

The first time that users log in to your account after you enable multifactor authentication (MFA), they must set up their authentication factors. Until they do, your account remains subject to security vulnerabilities and attacks. You can identify the users in your account who don't meet your MFA requirements by generating an MFA status report.

You must have the Administrator role on the IAM Identity Service to view and update the report. The following actions are included in this role.

  • The action iam-identity.mfa-status.get is required to view the report.
  • The action iam-identity.report.create is required to generate a new report.

Viewing the MFA status of users in the console

To view the MFA status of users in the console, complete the following steps:

  1. In the IBM Cloud console, click Manage > Access (IAM), and select MFA status.

  2. Click Update report to view the most recent report in your account.

    Only the most recent report is available. When you generate a new report, any reports older than a day are deleted.

  3. View the Satisfies MFA column to determine if the user is enrolled for the required MFA method. The following values are possible:

    • Yes: The user either does not need to provide any additional authentication factor, or they are already enrolled for the required authentication factor. Any time this user tries to log in to IBM Cloud, they are prompted to complete the required MFA method.
    • No: The user has not yet enrolled for the required authentication factor. The next time the user logs in to IBM Cloud, they are prompted to enroll.
    • Not all accounts: The user belongs to at least one other IBM Cloud account that requires a stronger MFA method, but the user is not enrolled yet for that method.

    ID-based MFA is the current and most secure type of MFA. Account-based MFA is deprecated. The available factors differ between the two types of MFA. For more information, see the current MFA options and Deprecated legacy account-based MFA.

  4. Contact the users in your account who don't satisfy the MFA requirements. Ask them to comply by logging in and setting up the required factors. For more information, see Managing your authentication factors.
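
To prepare the follow-up in step 4 for a large account, the report rows can be triaged by their Satisfies MFA value. The following Python sketch is an added example, not IBM Cloud code: it assumes the rows have been copied into CSV text with a hypothetical `User` column next to the `Satisfies MFA` column, and the sample data is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows. Only the "Satisfies MFA" column and its three
# values come from the page; the "User" column and the CSV layout are assumed.
SAMPLE_REPORT = """User,Satisfies MFA
alice@example.com,Yes
bob@example.com,No
carol@example.com,Not all accounts
dave@example.com, no
erin@example.com,
"""

# Follow-up for each documented value; None means no action is needed.
FOLLOW_UP = {
    "yes": None,
    "no": "enroll the required factor at next login",
    "not all accounts": "enroll the stronger factor required by another account",
}
NEEDS_REVIEW = "unrecognized status, check the report manually"


def triage(report_text):
    """Group users who need follow-up by the action to request from them."""
    actions = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_text)):
        user = (row.get("User") or "").strip()
        status = (row.get("Satisfies MFA") or "").strip().lower()
        if not user:
            continue
        # Fail closed: a blank or unexpected value is never treated as "Yes".
        action = FOLLOW_UP.get(status, NEEDS_REVIEW)
        if action is not None:
            actions[action].append(user)
    return dict(actions)


if __name__ == "__main__":
    for action, users in triage(SAMPLE_REPORT).items():
        print(f"{action}: {', '.join(users)}")
```

Rows with a blank or unexpected status are listed for manual review instead of being counted as compliant.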