Teaching How to enforce MFA with Anypoint Platform

MuleSoft recently announced native support for Multi-factor Authentication (MFA) to log into the Anypoint Platform. Before then, it was still possible, but we had to rely on third party security software, like Okta. Although Okta is awesome, the downside of that option was that customers had to adopt yet another technology and potentially additional costs. Now, it is all seamless and part of the Anypoint platform.

In this blog, I am going to show you how to get started with MFA in Anypoint Platform, including the different mechanisms available to enforce/exempt MFA for individual accounts e.g. system accounts, as well as in how to enforce it for the full organisation.

Pre-requisites

In order to complete this exercise, it is expected that you:

• Have access to MuleSoft Anypoint platform account – If not, you can subscribe for free here.
• You are the Anypoint Organization Administrator.
• If you need further information, the official MuleSoft documentation for Multi-factor Authentication is here.
• If you are new to MuleSoft and want to have a full overview first, have a stop here.

Enabling MFA for individual accounts

By default MFA is not enabled in Anypoint Platform. It is marked as “Optional”, which means that “Users may choose to enable MFA individually from their profile page”. Let’s do it.

• Login to your Anypoint Platform
• Go to the top right corner and click on your initials icon
• Click on Profile

• Click on the Configure multi-factor authentication (MFA) link

• There are various verification methods. At the moment of writing this blog it has the following ones:

• One-Time Password Generator: This is what we call “a time-based one-time password (TOTP) app”. There are tons of options out there. The idea is that you install one of these apps in your mobile and after you set it up, it will generate a temporary passcode that you need to enter each time that you want to login into the Anypoint Platform. To register a TOTP app is very simple, just click Add on this option, have your TOTP install and ready to scan a QR code, add a verification code and that’s it, you are all set.

• Built-in Authenticator: These are physical authenticator devices , such as Touch ID or Windows Hello. This is one of my favourite authentication methods, because I have a MacBook Pro with an in-built fingerprint scanner. The process is simple:

• In order to add this authentication method, click Add and then Register. It will automatically let you add a biometric device, which in this case it knows that my laptop has an in-built fingerprint scanner, so it prompts for my finger. Once I put my finger on it, it completes the process.

• As with any other method, once you select and configure this approach. You should receive an email letting you know about it.

• Then,  next time that you want to login into Anypoint Studio, after you enter the credentials, it will also ask you to provide your fingerprint to complete the MFA step. Pretty cool huh?  

• The only downside that I see with this approach is that it stops you from accessing your Anypoint account from any other computer, which perhaps it is what you want from a security point of view. For this, I always recommend registering more than one authentication method, so that if one day you need urgent access from another laptop, you can authenticate via another method. I will explain more about this later in this section.

• Security Key:  This requires an actual USB security key, such as Yubico YubiKey. Once you click Add, it will ask you to insert the security key to register it.

I remember that this approach used to be the standard way to authenticate not that long ago. It is still widely used in many places, but luckily for me,  I have not had to follow this approach in recent years.  I remember I was always carrying my USB key to connect to VPNs and other systems. The problem is when you are in the office and you forget your USB key at home.  These days, it is definitely harder to forget your mobile or your finger at home. =)

• Salesforce Authenticator:  This is also one of my favorite methods. The Salesforce Authenticator app is awesome, lets me have tons of accounts registered in the same app, from work related to personal accounts. All from one place and same approach. No need to enter SMS numbers, nor passcodes or anything else. It simply prompts to tap and approve!  I definitely recommend this app. 

• The approach is also very similar. After you click Add, it will ask you to enter a Two-Word Phrase that is generated by the Salesforce Authenticator when adding a new account  on the app (assuming that you already downloaded and installed it on your mobile).
• Once you enter the two-word phrase, click Connect.

• It will also send you an email to let you know that you registered a new authentication method with your Anypoint account.

And that’s pretty much it! Similarly how we  added an authentication method, we can always remove it from the list:

What if you are a top Anypoint Platform organisation administrator?

If you are an organisation administrator, I would recommend that you register at least 2 methods for authentication. For example, in my case I like having both Built-in Authentication as well as the Salesforce Authentication. That way, if one day anything goes wrong, and trust me, those days always come, you can swap the authentication method and still be able to log in.

The process is simple, when you are logging into Anypoint Platform and realise that you cannot proceed with one authentication method, for example, because you lost your mobile and cannot have it with you to approve the Salesforce Authentication request, you can always:

• Click on Choose Another Verification Method

• A list with all your registered Authentication Methods will appear, from which you can select another one, in this case Built-in Authenticator.

• And complete the Authentication via this other Method.

Enabling MFA for all accounts in the organisation

My big recommendation for you is to always, always, always use MFA. The reason is obvious, securing access to the underlying systems is crucial for any business. We don’t want to allow anyone to gain incorrect access to any environment on purpose or accidentally. So, the best practice is to enable MFA for the whole organisation, that way, any existing and future users, will have to comply with it.

In order to enable MFA to the whole organisation, simply:

• Login with an admin org account.
• Go to Access Management under Management Center.
• On the left menu, click on the Multi-Factor Auth link.

• Click on Required. As it says, users without MFA already registered, will have to select and register a method next time they log in.

• Make sure to click on Save at the end of the page.

• When attempting to log in, the authentication method options are the same as the ones that we covered in the previous section to enable individually for users.

• Simply let them add and register  the one that works best for each of them. Again, recommend them to add a couple of methods.

Exempting system accounts from MFA

Exempting users only makes sense when you have a particular setup in which a system, for example CI/CD or CLI scripts are interacting with Anypoint Platform APIs in order to automate a particular task. I personally do not recommend creating back holes with “special” user accounts  without MFA enforced. As we said previously, in order to reduce the risk of not being able to login at any particular time, add and configure more than one authentication mechanism, but always try to avoid exempting random accounts at all costs.

The process to exempt accounts is simple:

• Login with an admin org account.
• Go to Access Management under Management Center.
• On the left menu, click on the Multi-Factor Auth link.

• Use the search option to search for the accounts that you want to exempt from MFA

And that’s it! Only those accounts will not be required to MFA when logging in.

Congratulations! We just covered the various mechanisms to get started with Anypoint Multi-factor Authentication (MFA). Always remember that MFA should be enabled to the whole organisation, with only a few system account exemptions.

I hope you found this article useful. If you have any question or comment, feel free to reach me at https://www.linkedin.com/in/citurria/