Multi-Factor Authentication (MFA)

Overview

Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA), requires a user to present more than one type of verification to authenticate to a system. MFA defends against the majority of password-related attacks, including brute-force, credential stuffing, and password spraying.

Capabilities

  • MFA for native Datadog accounts: MFA is available as an extra layer of security during login for accounts that log into Datadog directly using an email and password. Native email/password accounts are more vulnerable to attack than accounts maintained through an identity provider.
  • Opt-in MFA: MFA is available for end users as an optional feature. Enable MFA at any time through your personal settings.
  • Authenticator apps: Any authenticator app that supports time-based one-time password (TOTP) authentication can be used for MFA. Examples include Microsoft Authenticator, Google Authenticator, Authy, and Duo.

Limitations

  • MFA is not available for accounts using Single Sign-On (SSO) only. To use MFA with SAML and Google Auth, configure it through your Identity Provider (IdP).
  • MFA does not protect against all types of attacks. For example, if an attacker has access to your email, they may be able to turn off MFA and compromise your account.
  • MFA supports at most one authenticator app.

Prerequisites

To configure MFA for your account, log in using your email and password. Users who log in using SSO do not see the MFA configuration options.

Configure MFA for your user account

To find the Password & Authentication page:

  1. Ensure you are logged in with a username and password combination, not through SSO.
  2. Navigate to Personal Settings from your account menu.
  3. Under Security, select Password & Authentication.

The multi-factor authentication section lists any configured authenticator apps.

  1. Next to Authenticator App, select Add.
  2. Follow your authenticator app’s documentation for instructions on adding a new QR code.
  3. Enter the latest code generated by your authenticator app into the prompt to confirm the device was set up correctly.
  4. Save a copy of the recovery codes in a secure location. The codes cannot be retrieved after setup is complete.

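View a user's MFA status

To see whether a user has MFA configured, filter on the Users table. The MFA status is also available in the user detail panel.

The user detail page displays the MFA status; in this example, it shows that the user has MFA configured.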

MFA recovery

If you don’t have access to your authenticator app, during the login process you can use a recovery code instead of a one-time password. Each of the recovery codes can only be used once.

  1. Navigate to the login page.
  2. Enter your email address and password, then select Log in.
  3. Select Don’t have access to your authenticator?
  4. Enter one of your unused recovery codes and click Verify.

MFA rescue

If you don’t have access to your authenticator app or recovery codes, during the login process you can request a one-time recovery link via email.

  1. Navigate to the login page.
  2. Enter your email address and password, then select Log in.
  3. Select Don’t have access to your authenticator?
  4. Select Don’t have access to your recovery codes? Get a one time recovery link via email.
  5. Check your email inbox for a message with the subject line “Recovery link for logging into your Datadog account.”
  6. Select the Log in to Datadog link to finish logging into your account.

If you have lost access to your registered authenticator app, Datadog recommends that you remove the lost device and add a new one. Maintaining a valid authenticator app helps prevent issues logging into your account in the future.
