Manage Multi-Factor Authentication with FIDO2 for Local User Accounts on Confluent Cloud

You can enhance the security of your Confluent Cloud resources by using multi-factor authentication with FIDO2 (MFA with FIDO2) for your local user accounts in Confluent Cloud organizations. MFA with FIDO2 adds an additional layer of security to your Confluent Cloud resources and further reduces the risk of account compromise.

  • MFA with FIDO2 is available and optional for all local user accounts, but an OrganizationAdmin can require MFA for all local user accounts in their Confluent Cloud organization.
  • Local user accounts can sign in to Confluent Cloud using MFA with FIDO2 using either the Confluent Cloud Console or the Confluent CLI.

MFA with FIDO2 overview

MFA with FIDO2 on Confluent Cloud supports the use of the FIDO2 (Fast Identity Online 2) authentication protocol to provide a stronger authentication method than just a password alone. FIDO2 combines the use of the W3C Web Authentication (WebAuthn) standard and the Client to Authenticator Protocol (CTAP) standard to enable strong authentication over the internet. FIDO2 uniquely combines “something you know” + “something you are”, typically requiring either a separate trusted device (from the device being signed into) or both a trusted device and biometric confirmation. This makes FIDO2 a stronger option for MFA than one-time passwords or authenticator apps.

MFA with FIDO2 on Confluent Cloud provides the following benefits:

  • Passwordless authentication based on FIDO2 as the second factor of authentication, with support for the following options:
    • Security key: A physical authenticator that gets plugged into a device. Examples of security keys include YubiKeys and FIDO2-compatible security keys.
    • Biometric authenticator: Built-in device authenticator features that use your physical characteristics (such as a fingerprint or a face scan) to verify your identity on the current device. Biometric authentication is limited to the current device only and uses your physical characteristics for verification. Examples of biometric authenticators include Touch ID and Face ID on Apple devices and Windows Hello on Windows devices.
    • Passkey: A passwordless authentication method that stores credentials that can be synced across your devices. Passkeys can use a separate trusted device, such as a phone or tablet, for authentication. On Apple devices, for example, biometric Touch ID and Face ID are supported to unlock passkeys stored on the device.
  • Standardized authentication across different devices and browsers.
  • Phishing resistance because the security key or biometric authenticator is not a password and cannot be intercepted.

How FIDO2 defends against phishing attacks

FIDO2 authentication uses public-private key cryptography to defend against phishing attacks. Unlike passwords or one-time codes, which can be intercepted or stolen, FIDO2 uses a cryptographic binding between the credentials and Confluent Cloud to make FIDO2 authentication resistant to phishing attacks.

  • During enrollment, the security key, passkey, or biometric authenticator generates a unique public-private key pair for each website or service.
  • The private key never leaves the authenticator and is stored securely on the user’s device.
  • The public key is registered with Confluent Cloud and associated with your account.
  • Each authentication request includes the website’s domain, which is verified by the authenticator. This means:
    • If a phishing site attempts to impersonate Confluent Cloud, the authenticator detects that the domain doesn’t match and refuses to use the correct private key.
    • The private keys are specific to Confluent Cloud, so even if a user is tricked into visiting a malicious site, their Confluent Cloud credentials cannot be stolen or reused.

MFA with FIDO2 flow

The following steps summarize the authentication flow for a local user account on Confluent Cloud when MFA is enabled.

  1. Initial Setup:
    • The local user registers a security key, passkey, or biometric authenticator. This can occur from the user settings page in the Confluent Cloud Console or at sign-in, if MFA is required for the Confluent Cloud organization.
    • During registration, a unique public-private key pair is generated.
  2. Authentication Flow:
    1. The local user signs in to Confluent Cloud using their password.
    2. A web browser dialog appears to verify the local user’s identity.
    3. The local user completes the MFA challenge by using their security key, passkey, or biometric authenticator.
    4. The authenticator:
      • Verifies the domain matches Confluent Cloud
      • Uses the private key to generate a signed response
      • Returns the response to Confluent Cloud
    5. Confluent Cloud validates the signature using the stored public key and grants access.

Requirements

The following requirements must be met to use MFA with FIDO2 on Confluent Cloud:

  • A local user account with a password, even if your Confluent Cloud organization does not require MFA. Confluent Cloud organizations are strongly encouraged to require MFA for all local user accounts.
    • SSO user accounts are not supported.
    • Local user accounts using Sign-in with Google or Sign-in with GitHub are not supported.
  • A second factor of authentication, using a biometric authenticator, a physical security key, or a passkey on a separate trusted device. Optionally, you can use a FIDO2-supported password manager. For details, see Use MFA with FIDO2 with password managers.
  • A supported web browser. FIDO2 authentication is supported in all major modern browsers (Chrome, Firefox, Safari, Edge). To verify support for your specific browser and device combination, see:

To enforce MFA for a Confluent Cloud organization, you must have the OrganizationAdmin role.

Limitations

MFA with FIDO2 on Confluent Cloud has the following limitations:

  • A local user account can only have one MFA enrollment per device type (one laptop, one smartphone, or one physical security key).
  • For biometric authentication, web browsers must have JavaScript enabled and support WebAuthn.
  • For security key or passkey authentication, on Mac, the WebAuthn platform authenticator is registered at the browser level. An MFA device enrolled from one browser might not work on another browser.
  • On Windows, the WebAuthn platform authenticator is registered at the operating system level. Users can enroll with one browser and sign in with any browser.
  • If a local user account has MFA set up and attempts to sign in to Confluent Cloud or the Confluent Support portal on a web browser that is not capable of challenging the enrolled MFA device, the sign-in attempt fails.

Enroll in MFA with FIDO2 for your local user account

If you have a local user account with a password, you can enroll in MFA with FIDO2, even if it is not enforced for the Confluent Cloud organization.

To enroll in MFA:

  1. Sign in to the Confluent Cloud Console using a password.

    Note: If MFA is required for your Confluent Cloud organization and you are within the 30-day grace period, the Set up MFA with biometric or security key page displays, with information about the benefits of using MFA.

  2. Click Enable MFA. Optionally, you can click Remind me later to sign in without enrolling in MFA and defer enrollment for up to thirty days.

  3. Open the sidebar menu and click your username. The Confluent Cloud user settings page displays.

  4. Scroll to the Multi-Factor Authentication section and click Add a device.

    The Secure your account dialog displays.

  5. Choose a method to use for an additional authentication factor, follow the steps to enroll, and then click Enroll.

    Passkey or security key: You can use a passkey (on a phone or tablet) or a physical security key that is connected to your device.

    Biometric authenticator: You can use built-in biometric device features, such as Touch ID or Windows Hello.

  6. Click Enroll. Follow the steps on the web browser to enroll in MFA.

After you enroll in MFA, in subsequent sign-ins, you must sign in to Confluent Cloud using the MFA method you selected. After you sign in with your password, you are prompted to use your security key, passkey, or biometric authenticator for your second factor.

Use MFA with FIDO2 with password managers

A password manager is a secure application that stores and manages your passwords, passkeys, and other authentication credentials. Password managers help you create strong, unique passwords and securely store them, eliminating the need to remember multiple complex passwords. Popular password managers include 1Password, LastPass, and Bitwarden. When you enroll a passkey for MFA with FIDO2 using a password manager, the passkey is saved to your web browser and the Confluent Cloud authentication system.

Because of how passkeys are managed at the browser level, you might see prompts to verify an existing passkey or to create a new passkey, even if you are attempting to enroll a new MFA method.

What to do

  • If you want to store a passkey in your password manager, follow the prompt and complete the setup.
  • If you do not want to use your password manager for enrolling a new MFA method, dismiss the prompt and continue enrolling the new MFA method following the Confluent Cloud MFA enrollment flow.
  • A device registration error message might appear when you attempt to use an existing Confluent Cloud passkey from your password manager if the password manager already holds a previously saved Confluent Cloud sign-in credential as a passkey. To ensure MFA with FIDO2 compatibility when you use a passkey from your password manager, the passkey must be enrolled from a Confluent MFA screen (during sign-in or in your user account MFA settings).

Require MFA with FIDO2 for your organization

An administrator with the OrganizationAdmin role can require the use of MFA with FIDO2 for all local user accounts in your Confluent Cloud organization.

  • All local user accounts in your Confluent Cloud organization receive an email notification that MFA has been enabled and that they have 30 days to enroll in MFA. Until the enrollment deadline date, users can either enroll in MFA or continue deferring enrollment.
  • After the 30-day deadline date, all users must enroll in MFA to sign in to Confluent Cloud.

To require MFA for all local user accounts in your Confluent Cloud organization:

  1. Go to the Confluent Cloud Console and open the sidebar menu. Click Organization settings.

    The Confluent Cloud organization settings page displays.

  2. In the Require Multi-Factor Authentication (MFA) section, click the radio button.

    The Require Multi-Factor Authentication (MFA) dialog displays.

  3. To require MFA for all users, click Turn on.

    The Require Multi-Factor Authentication (MFA) section on the organization settings page now shows that MFA is On and displays the enrollment deadline.

    Until the enrollment deadline date, users can either enroll in MFA or continue deferring enrollment. After the enrollment deadline date, all users must enroll in MFA to sign in to Confluent Cloud.

    To reset the 30-day enrollment deadline date, toggle the Require Multi-Factor Authentication (MFA) option off and then back on. A new enrollment deadline date is displayed and new email notifications are sent to your users.

Recover a local user account with MFA

If you attempt to sign in to Confluent Cloud with MFA and are unable to verify your identity because you lost access to your MFA methods, you can recover your account by using the following options:

Self-service recovery

After you sign in to Confluent Cloud using your password, the Recover your account option displays.

  1. Click Recover your account.

    The Reset your MFA methods dialog displays.

  2. Click Send reset email.

    Note that the link to reset your MFA is only active for 1 hour.

    The Recover email sent dialog appears with information about following the instructions in the email to recover your account or to contact support.

  3. In the email message, click Reset MFA.

    The Confluent Cloud Console displays with a message that your MFA authentication was reset successfully.

  4. Sign in to Confluent Cloud using your password.

    The Set up MFA with biometric or security key page displays. You can continue without re-enabling MFA or click Enable MFA to re-enable MFA.

Contact Confluent Support

If you cannot recover your account using self-service recovery and need assistance, contact Confluent Support.