Note: This process applies only to Mailgun-direct accounts. If you use Mailgun through services such as Rackspace or Heroku, 2FA and password resets would need to be handled via that service’s corresponding processes. You'll want to contact their support for assistance in such cases.
Enabling Two-Factor Authentication (also known as 2FA) is one of the best ways to secure your account from unauthorized access. It requires a second factor in addition to your password, so a password that has been leaked, guessed, or phished is not, on its own, enough to log in. As such, we recommend that every user on the account enable this important security measure.
Enabling 2FA
This is a quick, simple process that requires only two elements:
- Something you know: as in, your account’s password
- Something you have: as in, a physical device, like your cell phone or computer
To start, you’ll need to choose an authenticator application for your physical device. The application generates a new 6-digit code (a time-based one-time password) at a fixed interval, 30 seconds in most apps. The code is derived from a secret shared with Mailgun and the current time, so it keeps changing whether or not the app is open, and it is this code that you will enter when logging in to the Mailgun Control Panel. There are a number of authenticator applications, but a few solid options to consider include:
Once your 2FA application is installed on your physical device, it's time to activate 2FA on your Mailgun account. To start, log in to your Mailgun control panel.
Inside the Mailgun Control Panel:
1. Navigate to the top-right of the page next to your username, click the down-arrow, and select the "Account" option. Alternatively, you can use this direct link.
2. On the resulting page you will see several groups, or sections, of settings. In the "Authentication" section, locate the "2FA" field.
3. Click the light grey "Activate 2FA" button, which opens a popup containing the critical information detailed below.
   - IMPORTANT: you will see a QR code first, but before proceeding, scroll down and save the 64-character paper key by clicking "Download Key" underneath the heading Download your account recovery "paper key." Store it in a secure location, such as a password manager or offline storage, and not on the same device that runs your authenticator app.
   - This key is vital for recovering your account in the event that your 2FA device is lost, stolen, or malfunctioning.
4. Open the authenticator application installed earlier and add Mailgun as a new account. This is accomplished in one of two ways (either is perfectly fine):
   - Scan the QR code displayed in your Mailgun Control Panel, or
   - Enter the 16-character setup key shown beneath the QR code.
5. Once you have downloaded your paper key, stored it in a secure location, and added the account to your device by either method, click the "Continue 2FA Activation" button.
   - Do not close this popup until 2FA has been successfully activated.
   - If the popup is closed before activation completes, remove the partially added Mailgun entry from your authenticator app and restart from the "Activate 2FA" button, so that the entry on your device matches the secret Mailgun actually activates.
6. Now that the Mailgun account has been added to the authenticator application, verify that a 6-digit code for it appears and refreshes on a fixed interval (30 seconds in most apps).
7. The Mailgun Control Panel should now prompt you for a code. Enter the 6-digit code currently shown by the authenticator application on your physical device and click the "Activate" button. Codes expire quickly, so if the one you typed has already rolled over, enter the new one.
8. If the code was entered correctly, the popup will close and the page will display a light grey "Deactivate 2FA" button. No need to click it; we mention it only because it is one indication that the 2FA setup was successful.
The next time you log in to the Mailgun Control Panel, you'll enter your email address and password as usual. However, an additional screen will prompt for the 6-digit code from your authentication application.
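To make the mechanics behind the steps above concrete, here is an added, stand-alone example (not Mailgun's code, and not part of the original article) of what the QR code encodes and how the 6-digit code is produced from it. It assumes Mailgun's 2FA is standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second period), which is what a QR code plus a base32 setup key and a 6-digit rolling code imply. The otpauth URI and the account label are constructed for illustration; the base32 secret is the published RFC 6238 test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Published RFC 6238 test key (ASCII "12345678901234567890"), base32-encoded.
# Constructed for this example; never reuse a known secret for a real account.
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Hypothetical otpauth:// URI of the kind a TOTP QR code encodes (assumed shape).
EXAMPLE_URI = (
    "otpauth://totp/Mailgun:user%40example.com"
    "?secret=" + RFC6238_TEST_SECRET + "&issuer=Mailgun&digits=6&period=30"
)


def _decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 setup key, tolerating spaces, lowercase and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def totp(secret_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step, HMAC-SHA1."""
    counter = int(unix_time) // period
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to absorb clock skew between the phone and the server. Constant-time compare."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + step * period, period, digits)
        if hmac.compare_digest(expected, code):
            return True
    return False


def parse_otpauth(uri: str) -> dict:
    """Extract the fields an authenticator app reads when it scans the QR code."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": q["secret"],
        "issuer": q.get("issuer"),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


if __name__ == "__main__":
    acct = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    print("account:", acct["label"], "issuer:", acct["issuer"])
    print("current code:", totp(acct["secret"], now, acct["period"], acct["digits"]))
    print("seconds until it rolls over:", acct["period"] - now % acct["period"])
```

Two points worth noticing: the same secret and the same clock produce the same code on any device, which is why the setup key (and the QR code that carries it) must be treated as a credential, and why the paper key matters once that secret is gone with a lost phone. The verifier's `window` is also the reason a code typed a few seconds late usually still works, and why a code from several minutes ago does not.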
Enforcing 2FA For All Users On The Account
If you so choose, an admin user can enforce 2FA for all users on an account. In order to do so, the admin user must already have 2FA enabled on their own user account.
Inside the Mailgun Control Panel:
1. Navigate to the top-right of the page next to your username, click the down-arrow, and select the "Account" option. Alternatively, you can use this direct link.
2. On the resulting page you will see several groups, or sections, of settings. In the "Account settings" section, locate the "Force user auth scheme" field.
3. Click the light grey "Require TFA" button.
4. In the popup form, you will be presented with two options before clicking the "Save" button:
   - Clear all user sessions: clears every currently active session (all logged-in users) and requires all users to set up 2FA immediately. This is the safer choice if you suspect a credential has been compromised, since it also invalidates any session an attacker may already hold.
   - Allow user sessions to stay logged in: lets users continue in their currently active sessions and set up 2FA once those sessions expire. On their next login, all users will be directed to set up 2FA before being allowed to access the account.
If any questions arise, just reach out to our Support team via the Support option in your Mailgun control panel!