Multi-Factor Authentication and Tableau Cloud
As part of the broader Salesforce ecosystem(Link opens in a new window), we require you, the site owners, to configure account security mechanisms for you and your users. The way you can enable account security depends on which technologies are available to you in your organisation. MFA authentication became a Tableau Cloud requirement beginning 1 February 2022. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQ(Link opens in a new window) in Salesforce Help.
To meet the MFA requirement, you can use your single sign-on (SSO) identity provider (IdP). If you don’t work directly with an IdP, you can enable MFA for Tableau authentication using the Tableau with MFA capability.
Important: If you decide to use Tableau with MFA, review this topic in its entirety, especially Regain site access after being locked out.
User accounts and multi-factor authentication
Multi-factor authentication (MFA) is a secure account authentication method that requires users to prove their identity by providing two or more pieces of information (factors) when they sign in to Tableau Cloud. The first factor is the unique information your users know – their usernames and passwords. Other factors are verification methods that users have in their possession, such as an authenticator app, security key or built-in authenticator.
By enforcing multiple factors when users sign in to Tableau Cloud, MFA makes it more difficult for common threats like phishing attacks and account takeovers to succeed. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats.
Recommended method - SSO with MFA: If you’re currently using your organisation’s SSO IdP with MFA to enhance your security, continue to do so. If not, to satisfy the MFA requirement, configure your site to use SSO and enable MFA with your SSO IdP. You can configure your site users to authenticate with Google, Salesforce or SAML provider.
Alternative method - Tableau with MFA: If you don’t work directly with an SSO IdP, or if you use TableauID, you can satisfy the MFA requirement by enabling MFA with Tableau authentication. This capability enables an additional step of using a verification method before being successfully authenticated to the site.
Tableau with MFA supports the following verification methods:
- Salesforce Authenticator app
- Third-party time-based one-time passcode (TOTP) authenticator apps, including Google Authenticator, Microsoft Authenticator and Authy
- Security keys that support WebAuthn or U2F, such as Yubico YubiKey or Google Titan Security Key
- Built-in authenticators, including Touch ID, Face ID and Windows Hello
- Recovery codes (as backup only)
Important: Security keys that support WebAuthn or U2F and built-in authenticators can't be used when authenticating to Tableau Cloud from Tableau Desktop, Tableau Prep Builder, Tableau Bridge and Tableau Content Migration Tool. If one of these verification methods have been registered, you (and your users) can register an additional verification method from your My Account Settings page in Tableau Cloud.
To compare supported verification methods and review usage requirements, see Verification Methods for Multi-Factor Authentication(Link opens in a new window) topic in Salesforce Help.
Enable MFA with Tableau authentication
If your organisation doesn’t work directly with an SSO IdP, you can satisfy the MFA requirement with the default Tableau with MFA authentication. For more information, see About multi-factor authentication and Tableau Cloud.
If Tableau hasn't updated your site to require Tableau with MFA yet, follow these steps to enable MFA. You can also see an overview of this process in the Multi-Factor Authentication Enforcement | Tableau Cloud(Link opens in a new window) video on YouTube.
Sign in to Tableau Cloud using your site admin credentials and go to the Users page.
Next to the first user listed, do the following:
Click on the Actions menu, select Authentication and then select Tableau with MFA.
- Click Update to save changes.
Repeat step 2 for each user listed, including site admins.
After users sign in to Tableau Cloud with their Tableau username and password, they’re prompted to choose a supported verification method. For more information about the user process for registering and managing a verification method, see Register for multi-factor authentication.
For an overview of the MFA sign-in experience for Tableau Bridge, tabcmd 2.0 and Tableau REST API, see the Multi-Factor Authentication: Post Enforcement | Tableau Cloud(Link opens in a new window) video on YouTube.
Best practices for site admin accounts
When enabling MFA for your users, we recommended the following best practices for your site admin accounts:
- Register a minimum of two verification methods: For each site admin account, register at least two verification methods to reduce the risk of being locked out of the site. For example, after you’ve registered a primary verification method, we recommend you add the Recovery Codes option to generate a set of recovery codes as backup.
- Designate at least one site admin account to manage users and MFA: Designate at least one site admin-level account (Site Administrator Creator or Site Administrator Explorer) that has permissions to manage users and MFA settings. This redundancy can help prevent admin access delays if another admin is locked out of the site.
Manage verification methods
You (and your users) can manage verification methods from your My Account Settings page. After clicking the Manage MFA Verification Methods link, you can add or remove additional verification methods, including adding recovery codes.
About recovery codes - emergency cases only
To help reduce the risk of a locked-out scenario, we recommend you (and your users) add the Recovery Codes option as backup after registering for MFA. Recovery codes, to be used in emergency cases only, allow you to sign in to Tableau Cloud if you don't have access to your usual MFA verification methods. If you add the Recovery Codes option, a list of ten one-time use codes are generated that you can use to sign in to Tableau Cloud.
Important:
- Because the list of codes isn't accessible after you've added the Recovery Codes option, immediately copy and store these codes in a safe and secure location for use in emergency situations.
- Recovery codes aren't intended to be a primary verification method and should only be used as backup only. Instead, recovery codes are intended for emergency cases only when you don’t have access to your usual MFA verification methods.
Regain site access after being locked out
Important: We strongly recommend that you (and your users) register the Recovery Codes option to help avoid being locked out of your site. Recovery codes should be used in emergency cases only.
If you lose all your usual verification methods, contact another site admin to help you regain site access by using the following procedure. You can use this procedure to enable site access for your users as well.
Reset MFA
To enable site access, reset the MFA verification methods from the Users page in Tableau Cloud.
Important: For security purposes, a site admin can only reset the MFA verifiers of a user that belongs to a single site. If you don't meet this requirement, contact Tableau Support to file a support case to reset a user's MFA verifiers. For more information, see Submitting a Case from the Webform(Link opens in a new window) in the Tableau knowledge base.
- Sign in to Tableau Cloud as a site admin.
- Navigate to the Users page and select the user who needs to regain access to the site.
- Click the Actions menu, and select Reset MFA Verifiers.
- On the user's profile page, click the Settings tab and then click the Reset MFA Verifiers button.
Note: To see the Reset MFA Verifiers button, the user's authentication method must be set to Tableau with MFA.
After the MFA verification methods have been reset, contact the user and request that they follow the procedure described in Register for multi-factor authentication to register for MFA again.
Reset MFA as the only site admin
If you're the only site admin and you lose all your usual verification methods, you must contact your account manager. To regain access to Tableau Cloud, Tableau must manually confirm your identity and then reset the methods of verification. To help ensure a smooth account recovery process, keep the following in mind:
Tableau might use information from your TableauID profile (on Tableau.com(Link opens in a new window)) to validate who you are. Therefore, it’s important to keep your profile information, such as phone number, up to date. For more information about editing your TableauID profile, see the Changing your Name, Title or Email Address in the Tableau Community(Link opens in a new window) on the Tableau Community site.
- If you have Premium Support and require assistance on a weekend, you can file a Tableau Support case. For more information, see Submitting a Case from the Webform(Link opens in a new window) in the Tableau knowledge base.
For more information, see Tableau Cloud Reset Authenticator for Tableau ID with Multi-Factor Authentication(Link opens in a new window) in the Tableau knowledge base.