2FA Setup

Note: This process applies only to Mailgun-direct accounts. If you use Mailgun through services such as Rackspace or Heroku, 2FA and password resets would need to be handled via that service’s corresponding processes. You'll want to contact their support for assistance in such cases.

Enabling Two-Factor Authentication (also known as 2FA) is one of the best ways to secure your account from unauthorized access.  It requires two steps - two layers if you will - of authentication as an extra security buffer to ward off malicious actors.  As such, we recommend ensuring all users on the account take advantage of this important security measure.

Enabling 2FA

This is a quick, simple process that requires only two elements: 

• Something you know: as in, your account’s password
• Something you have: as in, a physical device, like your cell phone or computer

To start, you’ll need to choose a 2FA application for your physical device.  This application will generate a new 6-digit token (or code) every 60 seconds while the application is open, and it is this code that you will utilize while logging in to the Mailgun Control Panel.  There are a number of authentication applications, but a few solid options to consider include: 

• Google Authenticator
• LastPass Authenticator
• Windows Authenticator
• Authy Authenticator 

Once your 2FA application is installed on your physical device, it's time to activate 2FA on your Mailgun account. To start, log in to your Mailgun control panel.

Inside the Mailgun Control Panel (options displayed down the left-hand side on a dark column), use the following instructions:

1. Click on the Settings option on the left-hand side of the Mailgun dashboard.
2. On the resulting screen, scroll to the Authentication section -> 2FA option.
3. Click the Activate 2FA button, which will reveal the critical information detailed below!
• IMPORTANT: You'll first see a QR code, but, before proceeding, first scroll down and copy the 64-character paper key by clicking Download Key underneath the heading Download your account recovery "paper key." 
  • Ensure you store it in a secure location! 
  • This key is vital in recovering your account in the event that your 2FA device is lost, stolen, or malfunctioning!
• Open the authentication application installed earlier to add Mailgun as a new account.  This is accomplished in one of two ways (either is perfectly fine):
  • Scan the QR code displayed in your Mailgun Control Panel
  • Enter the 16-digit token beneath the QR code.
4. Once you've downloaded your paper key, stored it in a secure location, and used your device either to scan the QR code or enter the 16-digit token beneath it, click the Continue 2FA Activation button.  
   • Do not close this popup until 2FA has been successfully activated.
   • If the popup is closed before fully activating 2FA, remove the account from your device and restart step 2. 
5. Now that the Mailgun account has been added to the authentication application, verify that a 6-digit code appears that refreshes every 60 seconds.
6. The Mailgun Control Panel should now prompt you for a code.  Supply the 6-digit token (or code) from the authentication application on your physical device and click the Activate button. 
7. If the code was entered correctly, the popup will close and the screen will display a green Deactivate 2FA button.  No need to click it; we mention it only because it is an indicator that the 2FA setup was successful!

The next time you log in to the Mailgun Control Panel, you'll enter your email address and password as usual. However, an additional screen will prompt for the 6-digit code from your authentication application.

Enforcing 2FA For All Users On The Account

If you so choose, an admin user can enforce 2FA for all users on an account. In order to do so, the admin user must have 2FA already enabled on their own user.

Inside the Mailgun Control Panel (options displayed down the left-hand side on a dark column), use the following instructions:

1. Click on the Settings option on the left-hand side of the Mailgun dashboard.
2. On the resulting screen, within the Account settings section -> Force auth scheme option.
3. Click the Require TFA button.
4. In a popup form, you will be presented with 2 options before clicking the Save button:
   1. Clear all user sessions: This option will clear any currently active sessions (logged-in users) and will require all users to enable 2FA immediately.
   2. Allow user sessions to stay logged in: This option will allow users to continue in their currently active sessions and set up 2FA once their current sessions expire.  Upon the next login, all users will be directed to set up 2FA prior to being allowed to access the account.

If any questions arise, just reach out to our Support team via the Support option in your Mailgun control panel!