As part of the broader Salesforce ecosystem(Link opens in a new window), we require you, site owners, to configure account security mechanisms for you and your users. The way you can enable account security depends on which technologies are available to you in your organisation, such as multi-factor authentication (MFA). MFA authentication will be a Tableau Online requirement beginning 1st February 2022. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQs(Link opens in a new window) and Multi-Factor Authentication (MFA) Enforcement Roadmap(Link opens in a new window) in the Salesforce Help.
When you enable MFA, we require you do this through your single sign-on (SSO) identity provider (IdP). If you don’t work directly with an IdP, you can enable MFA with Tableau authentication using the Tableau with MFA capability.
Important: If you decide to use Tableau with MFA, review this topic in its entirety, especially Regain site access after being locked out.
User accounts and multi-factor authentication
Multi-factor authentication (MFA) is a secure account authentication method that requires users to prove their identity by providing two or more pieces of information, also known as “factors”, when they sign in to Tableau Online. The first factor is unique information your users know – their usernames and passwords. Additional factors are verification methods that users have in their possession, such as an authenticator app.
By enforcing multiple factors when users sign in to Tableau Online, MFA makes it more difficult for common threats like phishing attacks and account takeovers to succeed. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats.
Primary method - SSO with MFA: If you are currently using your organisation’s SSO IdP to enhance your security with MFA, you should continue to do so. If not, to satisfy the MFA requirement, configure your site to use SSO and enable MFA with your SSO IdP. You can configure your site users to authenticate with Google, Salesforce or SAML provider.
Alternative method - Tableau with MFA: If you don’t work directly with an SSO IdP, or if your site admins or other users use TableauID, you can satisfy the MFA requirement by enabling MFA with Tableau authentication to secure your user sign-in process until you’re able to transition to a more centralised IdP. This capability enables you and your users to continue signing in to Tableau Online with your TableauID credentials, with an additional step of using a verification method before being successfully authenticated to the site.
Tableau with MFA supports the following verification methods:
- Salesforce Authenticator app
- Time-based one-time passcode (TOTP) authenticator apps, including Google Authenticator, Microsoft Authenticator and Authy
- Recovery code
To compare supported verification methods and review usage requirements, see Verification Methods for Multi-Factor Authentication(Link opens in a new window) topic in Salesforce Help.
Enable MFA with Tableau authentication
If your organisation does not work directly with an SSO IdP, you can satisfy the MFA requirement with the default Tableau authentication. For more information, see About multi-factor authentication and Tableau Online.
Sign in to Tableau Online using your site admin credentials and go to the Users page.
Next to the first user listed, do the following:
Click on the Actions menu, select Authentication and then select Tableau with MFA.
- Click Update to save changes.
Repeat step 2 for each user listed, including site admins.
After users sign in to Tableau Online with their Tableau user name and password, they are prompted to choose a supported verification method – Salesforce Authenticator or other time-based one-time passcode (TOTP) authenticator apps. For more information about the user process for registering and managing a verification method, see Register for multi-factor authentication.
Best practices for site admin accounts
When enabling MFA for your users, we recommended the following best practices for your site admin accounts:
Register a minimum of two verification methods: For each site admin account, register at least two verification methods to reduce the risk of being locked out of the site. For example, after you have registered a primary verification method, we recommend you add the Recovery Codes option to generate a set of recovery codes as backup.
Designate at least two site admin accounts to manage users and MFA: Designate at least two site admin-level accounts (Site Administrator Creator or Site Administrator Explorer) that have permissions to manage users and MFA settings. This can help prevent admin access delays if another admin is locked out of the site.
Manage verification methods
You (and your users) can manage verification methods from your My Account Settings page. On this page, you can add or remove additional verification methods.
About recovery codes - use in emergency situations only
To help reduce the risk of a locked-out scenario, we recommend you (and your users) add the Recovery Codes option as backup after registering for MFA. Recovery codes, to be used in emergency scenarios only, allow you to sign in to Tableau Online if you don't have access to your usual MFA verification methods. If you add the Recovery Codes option, a list of ten one-time use codes are generated for you that you can use to sign in to Tableau Online.
- Because the list of codes is not accessible after you've added the Recover Codes option, immediately copy and store these codes in a safe and secure location so that you can use them in emergency situations.
- Recovery codes should not be used as your primary verification method. Instead, recovery codes should be used in emergency scenarios only when you don’t have access to your usual MFA verification methods.
Important: We strongly recommend that you (and your users) register the Recovery Codes option to help avoid being locked out of your site. Recovery codes should be used in emergency scenarios only.
If you lose all your usual verification methods, contact another site admin to help you regain site access by using the procedure described below. You can use this procedure to enable site access for your users as well.
To enable site access, reset the MFA verification methods from the user's profile page in Tableau Online.
- Sign in to Tableau Online as a site admin.
- Navigate to the Users page and select the user who needs to regain access to the site.
- On the user's profile page, click the Settings tab and then click the Reset MFA Verifiers button.
After the MFA verification methods have been reset, contact the user and request that they follow the procedure described in Register for multi-factor authentication to register for MFA again.
Reset MFA as the only site admin
If you're the only site admin and you lose all your usual verification methods, you must file a case with Tableau Support. In order to regain access to Tableau Online, Tableau Support must manually confirm your identity and then reset the methods of verification. To help ensure a smooth account recovery process, keep the following in mind:
Tableau Support is available only during regular business hours(Link opens in a new window) (no weekends) in your region. The hours might vary if you’re a Premium Support customer.
Tableau Support might use information from your TableauID profile (on Tableau.com(Link opens in a new window)) to validate who you are. Therefore, it’s important to keep your profile information, such as phone number, up to date. For more information about editing your TableauID profile, see the Changing your Name, Title or Email Address in the Tableau Community(Link opens in a new window) on the Tableau Community site.
To file a Tableau Support case, see the Submitting a Case from the Webform(Link opens in a new window) in the Tableau knowledge base.