Configure multi-factor authentication
This article shows how to enforce multi-factor authentication (MFA) using Databricks. MFA using Databricks can only be enabled when single sign-on is not configured. When single sign-on is enabled, Databricks recommends configuring MFA using your organization’s identity provider. See Configure SSO in Databricks.
This feature is in Public Preview.
Configure an MFA requirement for your account
There are three options for configuring MFA using Databricks:
- Recommended (default): All the users in this account are recommended to configure MFA on login. Users can choose to skip MFA registration and the MFA recommendation will be snoozed for 2 weeks.
- Required: MFA is required for all Databricks users. Users must configure MFA upon login in order to authenticate to Databricks.
- Disabled: MFA is disabled for the account. MFA cannot be disabled if a one-time passcode is an enabled sign-in option.
If single sign-on is enabled, Databricks MFA is disabled by default and cannot be updated. When single sign-on is enabled, Databricks recommends configuring MFA using your organization’s identity provider. See Configure SSO in Databricks.
Account admins can configure MFA requirements in the account console in Settings > Authentication.
Account admins can view individual users’ MFA enrollment status on the Users page in the account console.
Grant a user an exception to bypass MFA
If a user loses their MFA device and cannot log in to Databricks, an account admin can grant a temporary MFA bypass exception. To do this, navigate to the user from the User Management page in the account console and enable the exception. Once the exception is granted, the user can log in without MFA for up to two weeks. During this period, the user must register a new MFA method.
Configure an MFA method
When MFA is set to recommended or required, users are prompted to configure MFA during their next login. Users can configure MFA using a passkey or security key, or an authenticator app. Users can configure additional sign-in methods in Databricks.
Databricks strongly recommends using a passkey or security key. For a list of supported passkeys and security keys, see Multi-factor authentication methods.
Register a passkey or security key
- Log in to the account console.
- Click your username in the top bar and select User preferences.
- Next to Multi-factor authentication, click Register sign-in method.
- Select Passkey or security key and click Continue.
- Follow the prompts in your browser. For example, to register a security key in Google Chrome:
  - Click Use a phone, tablet, or security key.
  - Use your device to scan the QR code on the screen or insert and touch your security key.
Register an authenticator app
- Log in to the account console.
- Click your username in the top bar and select User preferences.
- Next to Multi-factor authentication, click Register sign-in method.
- Select Authenticator app and click Continue.
- Open your authenticator app and scan the QR code on the screen.
- Enter the 6-digit confirmation code from your authenticator app and click Continue.