2 changes: 1 addition & 1 deletion src/current/_includes/cockroachcloud/prefer-sso.md
@@ -1,5 +1,5 @@
{{site.data.alerts.callout_info}}
We recommend that CockroachDB {{ site.data.products.cloud }} Console users log in with [Single Sign-On (SSO)]({% link cockroachcloud/cloud-org-sso.md %}), optionally with two-factor authentication (2FA) enabled for the SSO provider. This prevents potential attackers from using stolen credentials to access or tamper with your critical data.
We recommend that CockroachDB {{ site.data.products.cloud }} Console users log in with [Single Sign-On (SSO)]({% link cockroachcloud/cloud-org-sso.md %}), optionally with [multi-factor authentication (MFA)]({% link cockroachcloud/multi-factor-authentication.md %}) enabled for the SSO provider. This prevents potential attackers from using stolen credentials to access or tamper with your critical data.

CockroachDB {{ site.data.products.cloud }} [Basic SSO]({% link cockroachcloud/cloud-org-sso.md %}#basic-sso) supports SSO with GitHub, Google, and Microsoft. [Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) provides additional configuration and flexibility, and includes support for OIDC or SAML protocols, autoprovisioning, and limiting the email domains that can use a given authentication method.

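Review bot: the updated callout (lines 27-29) still frames MFA only as an option "for the SSO provider", yet this PR's whole point is that password-based Console accounts can now be protected by the Console's own MFA. Since this include is the place readers are told how to keep stolen credentials from working, consider adding one sentence along the lines of "For any password-based accounts you retain, enable the Console's native MFA", linking to the new multi-factor-authentication page, so the recommendation covers both login paths.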
2 changes: 1 addition & 1 deletion src/current/_includes/cockroachcloud/sso-intro.md
@@ -1,6 +1,6 @@
Single Sign-On (SSO) allows members of your CockroachDB {{ site.data.products.cloud }} organization to authenticate using an identity from an identity provider (IdP) instead of using an email address and password.

[Basic SSO]({% link cockroachcloud/cloud-org-sso.md %}#basic-sso) is enabled by default for each CockroachDB {{ site.data.products.cloud }} organization. members can authenticate to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) with any GitHub, Google, or Microsoft identity or with a password.
[Basic SSO]({% link cockroachcloud/cloud-org-sso.md %}#basic-sso) is enabled by default for each CockroachDB {{ site.data.products.cloud }} organization. Members can authenticate to [CockroachDB {{ site.data.products.cloud }} Console](https://cockroachlabs.cloud) with any GitHub, Google, or Microsoft identity or with a password.

[Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %}#cloud-organization-sso) lets users sign in at a custom login page unique to your organization, and provides additional customization and capabilities to help your organization meet its security and compliance requirements.

@@ -273,6 +273,12 @@
"/cockroachcloud/cloud-sso-sql.html"
]
},
{
"title": "Multi-Factor Authentication for the Cloud Console",
"urls": [
"/cockroachcloud/multi-factor-authentication.html"
]
},
{
"title": "SQL Client Certificate Authentication for Advanced Clusters",
"urls": [
@@ -285,6 +285,12 @@
"/cockroachcloud/cloud-sso-sql.html"
]
},
{
"title": "Multi-Factor Authentication for the Cloud Console",
"urls": [
"/cockroachcloud/multi-factor-authentication.html"
]
},
{
"title": "SQL Client Certificate Authentication for Advanced Clusters",
"urls": [
@@ -285,6 +285,12 @@
"/cockroachcloud/cloud-sso-sql.html"
]
},
{
"title": "Multi-Factor Authentication for the Cloud Console",
"urls": [
"/cockroachcloud/multi-factor-authentication.html"
]
},
{
"title": "SQL Client Certificate Authentication for Advanced Clusters",
"urls": [
1 change: 1 addition & 0 deletions src/current/cockroachcloud/authentication.md
@@ -120,5 +120,6 @@ The table below lists the `sslmode` settings you can use to [connect to your clu

- [Cloud Organization SSO]({% link cockroachcloud/cloud-org-sso.md %})
- [Configure Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %})
- [Multi-Factor Authentication for the CockroachDB Cloud Console]({% link cockroachcloud/multi-factor-authentication.md %})
- [Client Connection Parameters]({% link {{site.current_cloud_version}}/connection-parameters.md %})
- [Connect to Your CockroachDB {{ site.data.products.standard }} Cluster]({% link cockroachcloud/connect-to-your-cluster.md %})
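Review bot: the page title is spelled two different ways across this PR. The new link here reads "Multi-Factor Authentication for the CockroachDB Cloud Console", while the three sidebar entries added earlier in this diff use "Multi-Factor Authentication for the Cloud Console". Pick one (the sidebar title, or the actual `title:` of multi-factor-authentication.md, whichever it is) and use it everywhere so search and the nav tree agree.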
86 changes: 85 additions & 1 deletion src/current/cockroachcloud/cloud-api.md
@@ -1188,4 +1188,88 @@ curl --request GET \
"deferral_policy": "DEFERRAL_60_DAYS",
"deferred_until": "2025-12-15T00:00:00Z"
}
~~~
~~~

## Manage multi-factor authentication (MFA) enrollment

Password-based CockroachDB {{ site.data.products.cloud }} Console access can be secured with multi-factor authentication. Learn more about [Multi-Factor Authentication for the CockroachDB {{ site.data.products.cloud }} Console]({% link cockroachcloud/multi-factor-authentication.md %}#native-cockroachdb-cloud-mfa-for-password-based-access).

### Get the organization's MFA enforcement policy

To get the organization's MFA enforcement policy, send a `GET` request to the `v1/org-settings/mfa-enforcement` endpoint.

{{site.data.alerts.callout_success}}
The service account associated with the secret key must have the Org Admin [role]({% link cockroachcloud/authorization.md %}#organization-user-roles).
{{site.data.alerts.end}}

{% include_cached copy-clipboard.html %}
~~~ shell
curl --request GET \
--url https://cockroachlabs.cloud/api/v1/org-settings/mfa-enforcement \
--header "Authorization: Bearer {secret_key}"
~~~

If the request is successful, the client receives a response with...

**TODO: What does the JSON response look like?**

### Toggle the organization's MFA enforcement policy

To enable or disable the organization's MFA enforcement policy, send a `PUT` request to the `v1/org-settings/mfa-enforcement` endpoint.

{{site.data.alerts.callout_success}}
The service account associated with the secret key must have the Org Admin [role]({% link cockroachcloud/authorization.md %}#organization-user-roles). The service account owner must have completed the [initial MFA setup via the UI]({% link cockroachcloud/multi-factor-authentication.md %}#set-up-mfa-for-a-password-based-account) before they will be able to enable or disable the enforcement policy.
{{site.data.alerts.end}}

{% include_cached copy-clipboard.html %}
~~~ shell
curl --request PUT \
--url https://cockroachlabs.cloud/api/v1/org-settings/mfa-enforcement \
--header "Authorization: Bearer {secret_key}"
~~~

If the request is successful, the client receives a response with...

**TODO: What does the JSON response look like?**
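Review bot: the `PUT` example for toggling enforcement (lines "curl --request PUT" through the `Authorization` header) sends no request body, so a reader cannot tell how to choose between enabling and disabling. If the endpoint expects the desired state in a JSON body, the example needs a `--header "Content-Type: application/json"` and a `--data` payload with the real field name; if it instead flips the current value on every call, the text should say so explicitly, because that behaviour is surprising for `PUT` and an operator scripting it would have no way to assert the final state. Separately, both "If the request is successful, the client receives a response with..." sentences and their bold **TODO** markers are placeholders that will render as-is; they need the actual response bodies (or at least the field list) before this can merge.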
Contributor Author:

What do these JSON responses look like?


### Get MFA enrollment status for all users

To get the MFA enrollment status (`enrolled`,`not_enrolled`, or `pending`) of all users in the organization, send a `GET` request to the `v1/org-settings/mfa-enrollment-status` endpoint.

{{site.data.alerts.callout_success}}
The service account associated with the secret key must have the Org Admin [role]({% link cockroachcloud/authorization.md %}#organization-user-roles).
{{site.data.alerts.end}}

{% include_cached copy-clipboard.html %}
~~~ shell
curl --request GET \
--url https://cockroachlabs.cloud/api/v1/org-settings/mfa-enrollment-status \
--header "Authorization: Bearer {secret_key}"
~~~

If the request is successful, the client receives a response with...

**TODO: What does the JSON response look like?**

### Reset MFA for a user

To reset the MFA for a specific user in the organization, send a `POST` request to the `v1/users/{user_id}/mfa-reset` endpoint. This action invalidates the user's Time-based One-Time Password (TOTP) bindings and will force the user to re-enroll in MFA.

{{site.data.alerts.callout_success}}
The service account associated with the secret key must have the Org Admin [role]({% link cockroachcloud/authorization.md %}#organization-user-roles).
{{site.data.alerts.end}}

{% include_cached copy-clipboard.html %}
~~~ shell
curl --request GET \
--url https://cockroachlabs.cloud/api/v1/users/{user_id}/mfa-reset \
--header "Authorization: Bearer {secret_key}"
~~~

Where `{user_id}` is the user ID of the user whose MFA you want to reset.

If the request is successful, the client receives a response with...

**TODO: What does the JSON response look like?**

Organization Admins cannot reset their own MFA using the CockroachDB {{ site.data.products.cloud }} API. Contact [CockroachDB Support](https://support.cockroachlabs.com) to self-reset MFA.
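Review bot: the reset example uses `curl --request GET` against `v1/users/{user_id}/mfa-reset`, but the paragraph two lines above says to send a `POST` request, and a destructive action that invalidates a user's TOTP bindings should not be reachable with `GET`; change the example to `curl --request POST` (and confirm that is what the API actually accepts). Two smaller points in the same region: the enrollment-status list `enrolled`,`not_enrolled` is missing the space after the comma, and the closing sentence "Contact CockroachDB Support to self-reset MFA" is self-contradictory, since going through Support is by definition not a self-reset; "Contact CockroachDB Support to have your own MFA reset" says what is meant. The response bodies for these two endpoints are also still **TODO** placeholders.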
Contributor Author:

Can they do so in the UI? In the Figma demo there's an option to "Reconfigure MFA" for the Org Admin's user.

3 changes: 3 additions & 0 deletions src/current/cockroachcloud/cloud-org-sso.md
@@ -32,6 +32,7 @@ Cloud Organization SSO allows you to customize your SSO configuration to meet yo
- Members can sign in using any enabled authentication method, to help reduce the impact of an IdP outage. If a member signs in using a new method for the first time, they are prompted to optionally update their default method. **This is possible only as long as the members are using the same email address to sign in through each method**.
- You can [enable multiple authentication methods]({% link cockroachcloud/configure-cloud-org-sso.md %}#enable-or-disable-an-authentication-method) simultaneously. You can even add custom authentication methods that connect to IdPs such as Okta or ActiveDirectory through the [Security Access Markup Language (SAML)](https://wikipedia.org/wiki/Security_Assertion_Markup_Language) and [OpenID Connect (OIDC)](https://openid.net/connect/) identity protocols. If you use Okta, you can use the official [Cockroach Labs Okta app integration]({% link cockroachcloud/configure-cloud-org-sso.md %}#add-a-custom-authentication-method) to ease setup of custom SAML or OIDC authentication methods.
- You can disable any authentication method. To enforce a requirement to use SSO, you can enable only SSO authentication methods and disable password authentication. If you disable password authentication, passwords are not retained.
- You can enable and enforce the use of [multi-factor authentication to access the Cloud Console]({% link cockroachcloud/multi-factor-authentication.md %}) for any non-SSO users. This uses the Console's native multi-factor authentication feature.
- You can [restrict the email domains]({% link cockroachcloud/configure-cloud-org-sso.md %}#allowed-email-domains) that are allowed to sign in using an SSO authentication method. By default, any email domain is allowed.
- [Autoprovisioning](#autoprovisioning) can be enabled for SSO authentication methods, and automatically creates a CockroachDB {{ site.data.products.cloud }} organization account when a member successfully authenticates using an SSO authentication method for the first time, with no invitation required.
- [SCIM Provisioning]({% link cockroachcloud/configure-scim-provisioning.md %}) automatically creates a CockroachDB {{ site.data.products.cloud }} organization account when a user is assigned to the SCIM application in your IdP that is connected to your CockroachDB {{ site.data.products.cloud }} organization.
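Review bot: the new bullet says MFA can be enforced "for any non-SSO users", which is vaguer than the rest of the PR, where the feature is consistently described as applying to password-based accounts; "for password-based accounts" would keep the terminology aligned with the configure-cloud-org-sso.md section added below and with the API heading. Drive-by on the unchanged context line above it: SAML is expanded there as "Security Access Markup Language", but the correct expansion, and the one the linked Wikipedia URL uses, is "Security Assertion Markup Language"; worth fixing while this file is open.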
@@ -108,6 +109,8 @@ To remove a user's access to CockroachDB {{ site.data.products.cloud }} manually

Yes. When Cloud Organization SSO is enabled for your CockroachDB {{ site.data.products.cloud }} organization, only the [authentication methods you have enabled]({% link cockroachcloud/configure-cloud-org-sso.md %}#enable-or-disable-an-authentication-method) are displayed to your users.

It's also possible to require non-SSO users to access the CockroachDB {{ site.data.products.cloud }} Console via the [Console's native multi-factor authentication feature]({% link cockroachcloud/multi-factor-authentication.md %}).

#### Which SAML-based authentication flows are supported with Cloud Organization SSO?

After SAML is configured, your users can sign in to the CockroachDB {{ site.data.products.cloud }} Console in two different ways:
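Review bot: the sentence added to this FAQ answer, "require non-SSO users to access the ... Console via the Console's native multi-factor authentication feature", reads as though MFA were an alternative login method rather than a second factor layered on password login. Suggest "It's also possible to require that password-based (non-SSO) users enable the Console's native multi-factor authentication before they can sign in." It is also an odd fit inside the answer to "are only enabled authentication methods displayed?", which is about the login page; a separate FAQ entry ("Can I require MFA for password-based users?") would be easier to find.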
4 changes: 4 additions & 0 deletions src/current/cockroachcloud/configure-cloud-org-sso.md
@@ -295,6 +295,10 @@ After Cloud Organization SSO is enabled, it cannot be disabled. To emulate the b

Members must still sign in using your organization's custom URL.

## Enable MFA enforcement for non-SSO access

While Cockroach Labs recommends SSO for CockroachDB {{ site.data.products.cloud }} Console access, organizations commonly retain password-based accounts as a failsafe when SSO is unavailable. To ensure that these remaining password-based accounts are well-protected, [enable CockroachDB {{ site.data.products.cloud }}'s native MFA feature]({% link cockroachcloud/multi-factor-authentication.md %}#native-cockroachdb-cloud-mfa-for-password-based-access) for password-based access.

## What next?

- [Cloud Organization SSO Frequently Asked Questions]({% link cockroachcloud/cloud-org-sso.md %}#frequently-asked-questions-faq).
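Review bot: the new "Enable MFA enforcement for non-SSO access" section gives the rationale but no procedure, unlike the other sections of this configuration page; at minimum it should state that enforcement is an organization-level setting, who can turn it on (the API section in this PR requires the Org Admin role), and that, per the API callout elsewhere in this diff, the admin enabling it must already have completed their own MFA setup, if that prerequisite also applies in the Console. Please also double-check the anchor `#native-cockroachdb-cloud-mfa-for-password-based-access` exists on the target page, since it is used in two files here and a stale anchor fails silently.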