Multi-Factor Authentication and Tableau Online
As part of the broader Salesforce ecosystem(Link opens in a new window), we encourage you, site owners, to configure account security mechanisms for you and your users. The way you can enable account security depends on which technologies are available to you in your organization, such as multi-factor authentication (MFA). We recommend you enable MFA through your single sign-on (SSO) identity provider (IdP). If you don’t work directly work with an IdP, you can enable MFA with Tableau authentication using the Tableau with MFA capability.
- If you decide to use Tableau with MFA, review this topic in its entirety, especially Regain site access after being locked out.
- In order to get ahead of the rise and constantly evolving threats that can cripple an organization, MFA authentication will be a Tableau Online requirement beginning February 1, 2022. MFA is an effective tool for enhancing sign-in security and protecting your organization and its data against security threats. For more information, see the Salesforce Multi-Factor Authentication FAQ(Link opens in a new window) in Salesforce Help.
User accounts and multi-factor authentication
Multi-factor authentication (MFA) is a secure account authentication method that requires users to prove their identity by providing two or more pieces of information, also known as “factors”, when they sign in to Tableau Online. The first factor is unique information your users know—their usernames and passwords. Additional factors are verification methods that users have in their possession, such as an authenticator app.
By enforcing multiple factors when users sign in to Tableau Online, MFA makes it more difficult for common threats like phishing attacks and account takeovers to succeed. MFA is an effective tool for enhancing sign-in security and protecting your organization and its data against security threats.
Primary method - SSO with MFA: If you are currently using your organization’s SSO IdP to enhance your security with MFA, you should continue to do so. If not, we strongly encourage you to configure your site to use SSO and enable MFA with your SSO IdP. You can configure your site users to authenticate with Google, Salesforce, or SAML provider.
Secondary method - Tableau with MFA: If you don’t work directly with an SSO IdP, you can satisfy the MFA requirement by enabling MFA with Tableau authentication to secure your user sign-in process until you’re able to transition to a more centralized IdP. This capability enables you and your users to continue signing in to Tableau Online with your TableauID credentials, with an additional step of using a verification method before being successfully authenticated to the site.
Tableau with MFA supports the following verification methods:
- Salesforce Authenticator app
- Time-based one-time passcode (TOTP) authenticator apps, including Goolge Authenticator, Microsoft Authenticator, and Authy
- Recovery code
To compare supported verification methods and review usage requirements, see Verification Methods for Multi-Factor Authentication(Link opens in a new window) topic in Salesforce Help.
Enable MFA with Tableau authentication
If your organization does not work directly with an SSO IdP, you can satisfy the MFA requirement with the default Tableau authentication. For more information, see About multi-factor authentication and Tableau Online.
Sign in to Tableau Online using your site admin credentials and go to the Users page.
Next to the first user listed, do the following:
Click the Actions menu, select Authentication, and then select Tableau with MFA.
- Click Update to save changes.
Repeat step 2 for each user listed, including site admins.
After users sign in to Tableau Online with their Tableau username and password, they are prompted to choose a supported verification method—Salesforce Authenticator or other time-based one time passcode (TOTP) authenticator apps. For more information about the user process for registering and managing a verification method, see Register for multi-factor authentication.
Best practices for site admin accounts
When enabling MFA for your users, we recommended the following best practices for your site admin accounts:
Register a minimum of two verification methods: For each site admin account, register at least two verification methods to reduce the risk of being locked out of the site. For example, after you have registered a primary verification method, we recommend you add the Recovery Codes option to generate a set of recovery codes as backup.
Designate at least two site admin accounts to manage users and MFA: Designate at least two site admin-level accounts (Site Administrator Creator or Site Administrator Explorer) that have permissions to manage users and MFA settings. This can help prevent admin access delays if another admin is locked out of the site.
Manage verification methods
You (and your users) can manage verification methods from your My Account Settings page. On this page, you can add or remove additional verification methods.
About recovery codes
To help reduce the risk of a locked-out scenario, we recommend you (and your users) add Recovery Codes option as backup after registering for MFA. Recovery codes allow you to sign in to Tableau Online if you don't have access to your usual MFA verification methods. If you add the Recovery Codes option, a list of ten one-time use codes are generated for you that you can use to sign in to Tableau Online.
Important: Because the list of codes are not accessible after you've added the Recover Codes option, immediately copy and store these codes in a safe and secure location so that you can use them in emergency situations.
Important: We strongly recommend that you (and your users) register the Recovery Codes option to help avoid being locked out of your site.
If you (or your users) lose all usual verification methods, you must file a case with Tableau Support. In order to regain access to Tableau Online, Tableau Support must manually confirm your identity and then reset the method of verification. To help ensure a smooth account recovery process, keep the following in mind:
Tableau Support is available only during regular business hours(Link opens in a new window) (no weekends) in your region. The hours might vary if you’re a Premium Support customer.
Tableau Support might use information from your TableauID profile (on Tableau.com(Link opens in a new window)) to validate who you are. Therefore, it’s important to keep your profile information, such as phone number, up to date. For more information about editing your TableauID profile, see the Changing your Name, Title or Email Address in the Tableau Community(Link opens in a new window) on the Tableau Community site.
To file a Tableau Support case, see the Submitting a Case from the Webform(Link opens in a new window) in the Tableau knowledge base.