Two-Factor Authentication (2FA)

    Overview

    Note: This process applies only to Mailgun-direct accounts. If you use Mailgun through services such as Rackspace or Heroku, 2FA and password resets would need to be handled via that service’s corresponding processes. You'll want to contact their support for assistance in such cases.

    Further, if your account uses Sinch Identity to log in (screenshots of this process here, and a Sinch ID badge will be on at least one of your users here), please refer to the fifth step in this article. Do not perform any of the steps below if your account uses Sinch Identity, or your ability to log in to your account will be broken. Only accounts that have not yet migrated to Sinch Identity may use the steps below.

    Enabling Two-Factor Authentication (also known as 2FA) is one of the best ways to secure your account from unauthorized access.  It requires two steps - two layers if you will - of authentication as an extra security buffer to ward off malicious actors.  As such, we recommend ensuring all users on the account take advantage of this important security measure.

    There are two steps to 2FA setup:

    • Enabling 2FA for the account itself
    • Enabling 2FA for each (or all) users of the account

     

    Enabling 2FA on the account

    This is a quick, simple process that requires only two elements: 

    • Something you know: as in, your account’s password
    • Something you have: as in, a physical device, like your cell phone or computer

    To start, you’ll need to choose a 2FA application for your physical device.  This application will generate a new 6-digit token (or code) every 60 seconds while the application is open, and it is this code that you will utilize while logging in to the Mailgun Control Panel.  There are a number of authentication applications, but a few solid options to consider include: 

    Once your 2FA application is installed on your physical device, it's time to activate 2FA on your Mailgun account. We'll show you how to do this below:

    1. First, log in to the Mailgun Control Panel (if you have not already done so).
    2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
    3. Next, click the Manage Account option. Alternatively, you can use this direct link.
    4. On the resulting page and in the Mailgun settings section, click the Activate 2FA button for the Two-factor Authentication (2FA) setting.
    5. In the 2FA activation pop-up modal, you'll have a few options presented to you.
      1. IMPORTANT: We recommend, and the rest of these steps assume, downloading the "paper key" before proceeding with either the QR code or the 16-character token.
      2. Scan the QR code with your physical device (used on the next screen).
      3. Copy the 16-character token located beneath the QR code (used on the next screen).
      4. Download the 64-character account recovery "paper key".
    6. Regarding the "paper key", click the Download Key button and store the .txt file in a secure location. This key is vital in recovering your account in the event that your physical device is lost, stolen, or malfunctioning!
    7. Continuing with the 2FA setup, either scan the QR code or copy the 16-character token, followed by clicking the Continue 2FA Activation button.  
      • Using your device, you'll scan the QR code with one of the authentication apps mentioned earlier in the article. Once you scan the barcode, the app will add the Mailgun account to your list of 2FA accounts on the physical device.
      • If you use the 16-character token instead, be sure to store it securely in a password manager.
      • Do not close this popup until 2FA has been successfully activated. If the popup is closed before fully activating 2FA, remove the account from your device and restart step 4. 
    8. In this 2nd screen of the 2FA activation pop-up modal, supply the 6-digit token from the authentication application on your physical device and click the Activate button. Alternatively, if you're using the 16-character token, supply it on this screen and click the Activate button.

    If successful, you'll be logged out of the Mailgun Control Panel and prompted to log in once again. On this and subsequent logins, you may be prompted to enter the 6-digit token from your authentication application (or the 16-character token), depending on account and user session settings.
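
    How an authentication application turns the 16-character token into the 6-digit code, as an added example (not Mailgun's code). It assumes the token is a base32 secret for standard TOTP (RFC 6238, HMAC-SHA1); the 60-second period follows this article, and SAMPLE_TOKEN is a constructed value. Anyone who holds the token can compute valid codes, which is why it belongs in a password manager.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample value, NOT a real Mailgun token (16 base32 characters).
SAMPLE_TOKEN = "JBSWY3DPEHPK3PXP"


def totp(secret_b32: str, unix_time: int, period: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP. period=60 follows this article; the RFC default is 30."""
    # Apps accept the token with spaces or lowercase; normalise and pad it.
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))
    # The moving factor is the number of whole periods since the Unix epoch.
    counter = struct.pack(">Q", unix_time // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           period: int = 60, window: int = 1) -> bool:
    """Server-side check: accept the current period and +/- `window` periods
    to tolerate clock drift, comparing in constant time."""
    ok = False
    for step in range(-window, window + 1):
        t = unix_time + step * period
        if t < 0:
            continue
        expected = totp(secret_b32, t, period)
        # No early exit, so timing does not reveal which period matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SAMPLE_TOKEN, now)
    print("current code:", code, "valid:", verify(SAMPLE_TOKEN, code, now))
```

    A wider window tolerates more clock drift but also lengthens the time an intercepted code stays usable.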

     

    Enabling 2FA for account users

    Configuring 2FA for a single account user

    After the account has 2FA enabled, the users must complete the process by configuring 2FA on their device for their control panel login. We'll show you how to do this below:

    1. First, log in to the Mailgun Control Panel (if you have not already done so).
    2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
    3. Next, click the Users option. Alternatively, you can use this direct link.
    4. On the resulting page and in the Control panel logins section, locate the row containing your user and click the Activate button towards the right-end of the row.
    5. In the 2FA activation pop-up modal, you'll have a few options presented to you.
      1. IMPORTANT: We recommend, and the rest of these steps assume, downloading the "paper key" before proceeding with either the QR code or the 16-character token.
      2. Scan the QR code with your physical device (used on the next screen).
      3. Copy the 16-character token located beneath the QR code (used on the next screen).
      4. Download the 64-character account recovery "paper key".
    6. Regarding the "paper key", click the Download Key button and store the .txt file in a secure location. This key is vital in recovering your account in the event that your physical device is lost, stolen, or malfunctioning!
    7. Continuing with the 2FA setup, either scan the QR code or copy the 16-character token, followed by clicking the Continue 2FA Activation button.  
      • Using your device, you'll scan the QR code with one of the authentication apps mentioned earlier in the article. Once you scan the barcode, the app will add the Mailgun account to your list of 2FA accounts on the physical device.
      • If you use the 16-character token instead, be sure to store it securely in a password manager.
      • Do not close this popup until 2FA has been successfully activated. If the popup is closed before fully activating 2FA, remove the account from your device and restart step 4. 
    8. In this 2nd screen of the 2FA activation pop-up modal, supply the 6-digit token from the authentication application on your physical device and click the Activate button. Alternatively, if you're using the 16-character token, supply it on this screen and click the Activate button.

    If successful, you'll be logged out of the Mailgun Control Panel and prompted to log in once again. On this and subsequent logins, you may be prompted to enter the 6-digit token from your authentication application (or the 16-character token), depending on account and user session settings.

    Enforcing 2FA for all account users

    An Admin user (as long as they already have 2FA enabled on their own user) can enforce 2FA for all users on an account. We'll show you how to do this below:

    1. First, log in to the Mailgun Control Panel (if you have not already done so).
    2. Then, at the top-right corner of the page, click the Profile drop-down menu to expand its list of options.
    3. Next, click the Manage Account option. Alternatively, you can use this direct link.
    4. On the resulting page and in the Mailgun settings section, click the Require TFA button for the Force User Auth Scheme setting.
    5. In a pop-up modal, you will be presented with 2 options to choose from before clicking the Save button:
      1. Clear all user sessions: This option will clear any currently active sessions (logged-in users) and will require all users to enable 2FA immediately.
      2. Allow user sessions to stay logged in: This option will allow users to continue in their currently active sessions and set up 2FA once their current sessions expire.  Upon the next login, all users will be directed to set up 2FA prior to being allowed to access the account.

     

    Need Support?

    Our Support Team here at Sinch Mailgun is happy to help! Reach out to us in the Support page of your Mailgun Control Panel, and we'll be with you shortly!