Overview

Xloud Identity supports TOTP-based (Time-based One-Time Password) multi-factor authentication for user accounts. Enabling MFA adds a second verification step — a rotating 6-digit code generated by an authenticator app — beyond the user’s password. MFA significantly reduces the risk of account compromise from credential theft.
Prerequisites
  • An active Xloud account with appropriate permissions
  • Access to the Xloud Dashboard or CLI configured with credentials
  • API credentials sourced (source openrc.sh)
Requirements
  • A compatible authenticator application: Google Authenticator, Authy, 1Password, or any RFC 6238-compliant TOTP app
  • The user account must be active and have a valid password before enrolling MFA

Enroll a TOTP Device

The Dashboard has a self-service enrollment flow in User Center → Security (2FA). Open the profile menu in the top-right, pick Security (2FA), click Enable 2FA, scan the QR with any authenticator app, verify the 6-digit code, and save the recovery codes. For the full step-by-step walkthrough, see the User Center guide.

Authenticate with MFA

Once MFA is enabled, every login requires the TOTP code in addition to the password.
On the login page, enter your username and password as usual. A second prompt appears requesting the TOTP code from your authenticator app. Enter the current 6-digit code and click Sign In.
TOTP codes are valid for 30 seconds. If you enter an expired code, wait for the next code to appear in your authenticator app and try again.
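
The 30-second validity follows from how RFC 6238 derives each code from the current time step. The added example below (not Xloud code) computes 6-digit codes and shows one being rejected once its step ends. HMAC-SHA-1, the `drift_steps` parameter and the sample secret are assumptions; this page does not state whether Xloud Identity accepts codes from adjacent steps.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # code length, as stated on this page


def totp(secret_b32: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA-1 (the RFC default; assumed here)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at) // step                      # number of elapsed time steps
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, code: str, at: float, drift_steps: int = 0) -> bool:
    """Accept a code for the current step, plus/minus drift_steps (hypothetical knob)."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at + delta * STEP)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            return True
    return False


# Constructed sample: the RFC 6238 test key "12345678901234567890", Base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SECRET, 59)                        # last second of time step 1
    print("code at t=59:", code)
    print("same step (t=45):", verify(SECRET, code, 45))
    print("next step (t=60):", verify(SECRET, code, 60))
    print("next step, drift=1:", verify(SECRET, code, 60, drift_steps=1))
```

With `drift_steps=0` a code stops verifying the moment its step ends, which is the "expired code" case described above; each extra step of tolerance helps with clock skew but lengthens the time a captured code remains usable.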

Remove MFA Enrollment

Open User Center → Security (2FA), click Disable 2FA, and confirm with a current 6-digit code from your authenticator (or a recovery code if you have lost the authenticator). Full walkthrough in the User Center guide.
Removing MFA reduces account security — only do so when you are about to re-enroll with a new authenticator device.

MFA Best Practices

Require MFA for administrative accounts

All accounts with the admin role should have MFA enforced. Platform administrators can configure an MFA enforcement policy via the Identity service to block admin token issuance without a valid TOTP factor. See the Identity Admin Guide for policy configuration.
Automation pipelines should never depend on interactive MFA. Use application credentials for CI/CD systems and service accounts — these bypass MFA by design and provide explicit expiry and access rule controls.
Establish a recovery procedure before users lose access to their authenticator device:
  • Store backup codes in a password manager at enrollment time
  • Designate an administrator contact who can reset MFA enrollments
  • Document the reset process in your team’s runbook

Next Steps

Application Credentials

Generate automation credentials that bypass MFA for CI/CD pipelines.

Users

Manage the user accounts on which MFA is enrolled.

Identity Admin Guide — Security

Configure MFA enforcement policies and security hardening for the platform.

Troubleshooting

Resolve MFA authentication failures and device enrollment issues.