
Overview

Xloud Identity supports TOTP-based (Time-based One-Time Password) multi-factor authentication for user accounts. Enabling MFA adds a second verification step — a rotating 6-digit code generated by an authenticator app — beyond the user’s password. MFA significantly reduces the risk of account compromise from credential theft.
Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard (https://connect.<your-domain>) or CLI configured with credentials
  • API credentials sourced (source admin-openrc.sh)
Requirements
  • A compatible authenticator application: Google Authenticator, Authy, 1Password, or any RFC 6238-compliant TOTP app
  • The user account must be active and have a valid password before enrolling MFA

Enroll a TOTP Device

Access MFA settings

Log in to the Xloud Dashboard (https://connect.<your-domain>). Navigate to Identity → Users, open your user profile, and select the Multi-Factor Authentication tab.

Add a TOTP credential

Click Add TOTP Credential. A QR code is displayed. Open your authenticator app and scan the QR code. The app generates a new 6-digit code every 30 seconds.

Verify enrollment

Enter the current 6-digit code from your authenticator app and click Verify.
MFA is active on your account. Future logins require both your password and a valid TOTP code from your enrolled device.

Save recovery information

Store your backup codes in a secure location (password manager or offline storage). If your authenticator device is lost, contact your administrator to reset the MFA enrollment on your account.

Authenticate with MFA

Once MFA is enabled, every login requires the TOTP code in addition to the password.
On the login page, enter your username and password as usual. A second prompt appears requesting the TOTP code from your authenticator app. Enter the current 6-digit code and click Sign In.
TOTP codes are valid for 30 seconds. If you enter an expired code, wait for the next code to appear in your authenticator app and try again.
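
The following is an added example, not Xloud code: a generic RFC 6238 implementation (HMAC-SHA1, 6 digits, 30-second step) that shows why a code stops verifying once its time step has passed. The secret is the RFC 6238 test key, and `drift_steps` is a hypothetical parameter for tolerating clock skew; this page does not state whether Xloud Identity accepts codes from adjacent steps.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing Unix time `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", at // STEP)           # 8-byte big-endian step counter
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)    # keep leading zeros


def verify(secret_b32: str, code: str, at: int, drift_steps: int = 0) -> bool:
    """Accept `code` only if it matches a step within `drift_steps` of `at`.

    drift_steps is a hypothetical knob (assumption, not an Xloud setting).
    """
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at + delta * STEP)
        # Constant-time comparison: do not leak how many digits matched.
        ok |= hmac.compare_digest(expected, code)
    return ok


# Constructed sample: the RFC 6238 test key, Base32-encoded the way
# authenticator apps receive it at enrollment.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    issued_at = 1234567890                  # first second of a 30-second step
    code = totp(SECRET, issued_at)
    print("code:", code)
    print("29 s later (same step):", verify(SECRET, code, issued_at + 29))
    print("30 s later (next step):", verify(SECRET, code, issued_at + 30))
    print("30 s later, drift_steps=1:", verify(SECRET, code, issued_at + 30, drift_steps=1))
```

Both sides derive the code from the shared secret and their own clock, so a device whose clock is off by more than the accepted window produces codes that fail even when entered immediately.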

Remove MFA Enrollment

Navigate to Identity → Users → Multi-Factor Authentication. Click Delete next to the enrolled TOTP credential to remove MFA from your account.
Removing MFA from an account reduces its security posture. Only remove MFA if you are re-enrolling with a new device or have been instructed to do so by your administrator.

MFA Best Practices

Require MFA for administrative accounts

All accounts with the admin role should have MFA enforced. Platform administrators can configure an MFA enforcement policy via the Identity service to block admin token issuance without a valid TOTP factor. See the Identity Admin Guide for policy configuration.
Automation pipelines should never depend on interactive MFA. Use application credentials for CI/CD systems and service accounts — these bypass MFA by design and provide explicit expiry and access rule controls.
Establish a recovery procedure before users lose access to their authenticator device:
  • Store backup codes in a password manager at enrollment time
  • Designate an administrator contact who can reset MFA enrollments
  • Document the reset process in your team’s runbook

Next Steps

Application Credentials

Generate automation credentials that bypass MFA for CI/CD pipelines.

Users

Manage the user accounts on which MFA is enrolled.

Identity Admin Guide — Security

Configure MFA enforcement policies and security hardening for the platform.

Troubleshooting

Resolve MFA authentication failures and device enrollment issues.