Multi-Factor Authentication and Tableau Cloud
As part of the broader Salesforce ecosystem, we require you, site owners, to configure account security mechanisms for you and your users. The way you can enable account security depends on which technologies are available to you in your organisation, such as multi-factor authentication (MFA). MFA will be a Tableau Cloud requirement beginning 1st February 2022. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQs and Multi-Factor Authentication (MFA) Enforcement Roadmap in the Salesforce Help.
When you enable MFA, we require you to do this through your single sign-on (SSO) identity provider (IdP). If you don’t work directly with an IdP, you can enable MFA with Tableau authentication using the Tableau with MFA capability.
Important: If you decide to use Tableau with MFA, review this topic in its entirety, especially Regain site access after being locked out.
User accounts and multi-factor authentication
Multi-factor authentication (MFA) is a secure account authentication method that requires users to prove their identity by providing two or more pieces of information, also known as “factors”, when they sign in to Tableau Cloud. The first factor is unique information your users know – their usernames and passwords. Additional factors are verification methods that users have in their possession, such as an authenticator app.
By enforcing multiple factors when users sign in to Tableau Cloud, MFA makes it more difficult for common threats like phishing attacks and account takeovers to succeed. MFA is an effective tool for enhancing sign-in security and protecting your organisation and its data against security threats.
Primary method - SSO with MFA: If you are currently using your organisation’s SSO IdP to enhance your security with MFA, you should continue to do so. If not, to satisfy the MFA requirement, configure your site to use SSO and enable MFA with your SSO IdP. You can configure your site users to authenticate with Google, Salesforce or a SAML provider.
Alternative method - Tableau with MFA: If you don’t work directly with an SSO IdP, or if your site admins or other users use TableauID, you can satisfy the MFA requirement by enabling MFA with Tableau authentication to secure your user sign-in process until you’re able to transition to a more centralised IdP. This capability enables you and your users to continue signing in to Tableau Cloud with your TableauID credentials, with an additional step of using a verification method before being successfully authenticated to the site.
Tableau with MFA supports the following verification methods:
- Salesforce Authenticator app
- Time-based one-time passcode (TOTP) authenticator apps, including Google Authenticator, Microsoft Authenticator and Authy
- Security keys that support WebAuthn or U2F, such as Yubico YubiKey or Google Titan Security Key
- Built-in authenticators, including Touch ID, Face ID and Windows Hello
- Recovery code
Important: Security keys that support WebAuthn or U2F and built-in authenticators can't be used when authenticating to Tableau Cloud from Tableau Desktop, Tableau Prep Builder, Tableau Bridge and Tableau Content Migration Tool. If one of these verification methods has been registered, you (and your users) can register a different verification method from your My Account Settings page in Tableau Cloud.
To compare supported verification methods and review usage requirements, see the Verification Methods for Multi-Factor Authentication topic in Salesforce Help.
Enable MFA with Tableau authentication
If your organisation does not work directly with an SSO IdP, you can satisfy the MFA requirement with the default Tableau authentication. For more information, see About multi-factor authentication and Tableau Cloud.
1. Sign in to Tableau Cloud using your site admin credentials and go to the Users page.
2. Next to the first user listed, do the following:
   - Click on the Actions menu, select Authentication and then select Tableau with MFA.
     Note: On sites activated before January 2023, MFA for site admin is part of the sign in experience and can't be changed.
   - Click Update to save changes.
3. Repeat step 2 for each user listed, including site admins.
After users sign in to Tableau Cloud with their Tableau user name and password, they are prompted to choose a supported verification method – Salesforce Authenticator or other time-based, one-time passcode (TOTP) authenticator apps. For more information about the user process for registering and managing a verification method, see Register for multi-factor authentication.
Best practices for site admin accounts
When enabling MFA for your users, we recommend the following best practices for your site admin accounts:
Register a minimum of two verification methods: For each site admin account, register at least two verification methods to reduce the risk of being locked out of the site. For example, after you have registered a primary verification method, we recommend you add the Recovery Codes option to generate a set of recovery codes as backup.
Designate at least two site admin accounts to manage users and MFA: Designate at least two site admin-level accounts (Site Administrator Creator or Site Administrator Explorer) that have permissions to manage users and MFA settings. This can help prevent admin access delays if another admin is locked out of the site.
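The following added example (not part of the Tableau documentation) audits a user inventory against the enablement steps and the site admin best practices above: it lists users whose authentication does not include MFA, SSO users whose MFA must be confirmed at the IdP, and whether at least two site admin accounts exist. The CSV column names and the plain "Tableau" authentication value are assumptions; the other values reuse the labels named on this page.

```python
import csv
import io

# Constructed sample inventory; column names are assumptions and the
# "Tableau" value stands for Tableau authentication without MFA.
SAMPLE_USERS = """\
username,site_role,authentication
alice@example.com,Site Administrator Creator,Tableau with MFA
bob@example.com,Creator,Tableau
carol@example.com,Explorer,SAML
dave@example.com,Viewer,Google
erin@example.com,Site Administrator Explorer,Tableau
"""

ADMIN_ROLES = {"Site Administrator Creator", "Site Administrator Explorer"}
# SSO methods satisfy the requirement only if MFA is enforced at the IdP,
# which this inventory cannot confirm.
SSO_METHODS = {"Google", "Salesforce", "SAML"}
MFA_METHOD = "Tableau with MFA"


def audit_users(csv_text):
    """Return users lacking MFA, SSO users to verify at the IdP, and admin findings."""
    no_mfa, verify_at_idp, admins = [], [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip()
        auth = row["authentication"].strip()
        if row["site_role"].strip() in ADMIN_ROLES:
            admins.append(name)
        if auth == MFA_METHOD:
            continue
        if auth in SSO_METHODS:
            verify_at_idp.append(name)
        else:
            # Plain Tableau authentication or an unknown value: non-compliant.
            no_mfa.append(name)
    return {
        "no_mfa": no_mfa,
        "verify_at_idp": verify_at_idp,
        "admins": admins,
        "admins_without_mfa": [a for a in admins if a in no_mfa],
        "enough_admins": len(admins) >= 2,
    }


if __name__ == "__main__":
    for key, value in audit_users(SAMPLE_USERS).items():
        print(f"{key}: {value}")
```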
Manage verification methods
You (and your users) can manage verification methods from your My Account Settings page. After clicking the Manage MFA Verification Methods link, you can add or remove additional verification methods, including adding recovery codes.
About recovery codes - use in emergency situations only
To help reduce the risk of a locked-out scenario, we recommend you (and your users) add the Recovery Codes option as backup after registering for MFA. Recovery codes, to be used in emergency scenarios only, allow you to sign in to Tableau Cloud if you don't have access to your usual MFA verification methods. If you add the Recovery Codes option, a list of ten one-time use codes is generated for you that you can use to sign in to Tableau Cloud.
Important:
- Because the list of codes is not accessible after you've added the Recovery Codes option, immediately copy and store these codes in a safe and secure location so that you can use them in emergency situations.
- Recovery codes should not be used as your primary verification method. Instead, recovery codes should be used in emergency scenarios only when you don’t have access to your usual MFA verification methods.
Regain site access after being locked out
Important: We strongly recommend that you (and your users) register the Recovery Codes option to help avoid being locked out of your site. Recovery codes should be used in emergency scenarios only.
If you lose all your usual verification methods, contact another site admin to help you regain site access by using the procedure described below. You can use this procedure to enable site access for your users as well.
Reset MFA
To enable site access, reset the MFA verification methods from the user's profile page in Tableau Cloud.
- Sign in to Tableau Cloud as a site admin.
- Navigate to the Users page and select the user who needs to regain access to the site.
- On the user's profile page, click the Settings tab and then click the Reset MFA Verifiers button.
Note: To see the Reset MFA Verifiers button, the user's authentication method must be set to Tableau with MFA.
After the MFA verification methods have been reset, contact the user and request that they follow the procedure described in Register for multi-factor authentication to register for MFA again.
Reset MFA as the only site admin
If you're the only site admin and you lose all your usual verification methods, you must contact your account manager. In order to regain access to Tableau Cloud, Tableau must manually confirm your identity and then reset the methods of verification. To help ensure a smooth account recovery process, keep the following in mind:
- Tableau might use information from your TableauID profile (on Tableau.com) to validate who you are. Therefore, it’s important to keep your profile information, such as phone number, up to date. For more information about editing your TableauID profile, see Changing your Name, Title or Email Address in the Tableau Community on the Tableau Community site.
- If you have Premium Support and require assistance on a weekend, you can file a Tableau Support case. For more information, see Submitting a Case from the Webform in the Tableau knowledge base.
For more information, see Tableau Cloud Reset Authenticator for Tableau ID with Multi-Factor Authentication in the Tableau knowledge base.