2FA Setup

Note: This process applies only to Mailgun-direct accounts. If you use Mailgun through services such as Rackspace or Heroku, 2FA and password resets would need to be handled via that service’s corresponding processes. You'll want to contact their support for assistance in such cases.

Enabling Two-Factor Authentication (also known as 2FA) is one of the best ways to secure your account from unauthorized access.  It requires two steps - two layers if you will - of authentication as an extra security buffer to ward off malicious actors.  As such, we recommend ensuring all users on the account take advantage of this important security measure.

Enabling 2FA

This is a quick, simple process that requires only two elements: 

  • Something you know: as in, your account’s password
  • Something you have: as in, a physical device, like your cell phone or computer

To start, you’ll need to choose a 2FA application for your physical device.  This application will generate a new 6-digit token (or code) every 60 seconds while the application is open, and it is this code that you will utilize while logging in to the Mailgun Control Panel.  There are a number of authentication applications, but a few solid options to consider include: 

Once your 2FA application is installed on your physical device, it's time to activate 2FA on your Mailgun account. We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the Account option. Alternatively, you can use this direct link.
  4. On the resulting page and in the Authentication section, click the Activate 2FA button for the 2FA setting.
  5. In the pop-up modal, enter the 6-digit 2FA code that we sent to you or that is contained in your Authentication application, and then click the Deactivate 2FA button, which will reveal the critical information detailed below!

    • IMPORTANT: You'll first see a QR code, but before proceeding, scroll down and copy the 64-character paper key by clicking Download Key underneath the heading Download your account recovery "paper key." 
      • Ensure you store it in a secure location! 
      • This key is vital in recovering your account in the event that your 2FA device is lost, stolen, or malfunctioning!
    • Open the authentication application installed earlier to add Mailgun as a new account.  This is accomplished in one of two ways (either is perfectly fine):
      • Scan the QR code displayed in your Mailgun Control Panel
      • Enter the 16-digit token beneath the QR code.
  6. Once you've downloaded your paper key, stored it in a secure location, and used your device either to scan the QR code or enter the 16-digit token beneath it, click the Continue 2FA Activation button.  
    • Do not close this popup until 2FA has been successfully activated.
    • If the popup is closed before fully activating 2FA, remove the account from your device and restart step 2. 
  7. Now that the Mailgun account has been added to the authentication application, verify that a 6-digit code appears that refreshes every 60 seconds.
  8. The Mailgun Control Panel should now prompt you for a code.  Supply the 6-digit code from the authentication application on your physical device and click the Activate button.
  9. If the code was entered correctly, the pop-up modal will close and the screen will display a Deactivate 2FA button.  No need to click it; we mention it only because it is one indication that the 2FA setup was successful!

The next time you log in to the Mailgun Control Panel, you'll enter your email address and password as usual. However, an additional screen will prompt for the 6-digit code from your authentication application.
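
To show what the authentication application does with the token entered during setup, here is an added example (not Mailgun's code) of time-based one-time password generation and server-side checking. It assumes the token beneath the QR code is a Base32 secret used with RFC 6238 TOTP over HMAC-SHA-1, which this page does not state; the 60-second period and 6-digit length come from the page, and the sample key is the published RFC 4226 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 60   # seconds each code stays valid, as described on this page
DIGITS = 6    # code length, as described on this page

def decode_setup_key(text: str) -> bytes:
    """Turn the typed setup token into raw key bytes (assumed Base32)."""
    cleaned = text.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)      # restore stripped padding
    return base64.b32decode(cleaned)

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC the counter, then dynamically truncate to N digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(setup_key: str, now=None, period: int = PERIOD) -> str:
    """Code the authenticator app would display at time `now`."""
    now = time.time() if now is None else now
    return hotp(decode_setup_key(setup_key), int(now) // period)

def verify(setup_key: str, submitted: str, now=None,
           period: int = PERIOD, drift: int = 1) -> bool:
    """Server-side check: accept the current step plus/minus `drift` steps
    to tolerate clock skew, comparing in constant time."""
    now = time.time() if now is None else now
    key = decode_setup_key(setup_key)
    current = int(now) // period
    ok = False
    for step in range(current - drift, current + drift + 1):
        if step < 0:
            continue
        if hmac.compare_digest(hotp(key, step).encode(), submitted.encode()):
            ok = True
    return ok

# Constructed sample: the RFC 4226 test key, Base32-encoded for entry.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SAMPLE_KEY, now=59), totp(SAMPLE_KEY, now=60))
    print(verify(SAMPLE_KEY, "755224", now=100))   # previous step, accepted
    print(verify(SAMPLE_KEY, "755224", now=180))   # too old, rejected
```

Under these assumptions the code depends only on the setup key and the clock, so anyone who holds that key can produce valid codes; store any copy of it as carefully as the paper key.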

Enforcing 2FA For All Users On The Account

An admin user can choose to enforce 2FA for all users on an account. To do so, the admin user must already have 2FA enabled on their own user. We'll show you how to do this below:

  1. First, log in to the Mailgun Control Panel (if you have not already done so).
  2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
  3. Next, click the Account option. Alternatively, you can use this direct link.
  4. On the resulting page and in the Account settings section, click the Require TFA button for the Force User Auth Scheme setting.
  5. In a pop-up modal, you will be presented with 2 options before clicking the Save button:
    1. Clear all user sessions: This option will clear any currently active sessions (logged-in users) and will require all users to enable 2FA immediately.
    2. Allow user sessions to stay logged in: This option will allow users to continue in their currently active sessions and set up 2FA once their current sessions expire.  Upon the next login, all users will be directed to set up 2FA prior to being allowed to access the account.

Got Questions?

Mailgun by Sinch has answers! If you have any concerns or questions, please send us a Support ticket using the Support page within your Mailgun Control Panel.  Our Support Team will be happy to assist!