# Authentication and MFA

Organizations can implement org-wide authentication methods within StackAI to ensure authentication method stays consistent across business teams and StackAI projects. 

### Workspace sign-in methods

By default, when you invite a new user to access to StackAI workspace, the user will receive an email inviting them to access their account and set up a password. You could also set up SSO in "SSO Settings" page and standardize how users join your organization.

<div data-with-frame="true"><figure><img src="https://3697023207-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FFSlso1Kjob5CLDrh0dVn%2Fuploads%2FrYBEfgQY2uAQgdXAZYs9%2Fimage.png?alt=media&#x26;token=00528c1e-2867-4281-894c-19f6e96a1b26" alt=""><figcaption></figcaption></figure></div>

### Default role for SSO users

By default, newly provisioned SSO users start as **User**. Admins can promote them at any time.

See [Role-Based Access Controls (RBAC) and Groups](https://docs.stackai.com/welcome-to-stackai/security-and-governance/security-in-stackai/role-based-access-controls-rbac-and-groups) for role definitions and common patterns.

### Require SSO for published interfaces

You can require SSO for all interfaces. This prevents access from users outside your organization.

{% stepper %}
{% step %}

#### Open Authentication settings

Go to **Settings** → **Feature Access** → **Other**.
{% endstep %}

{% step %}

#### Require SSO for all  interfaces

Enable **Require SSO for all interfaces**.
{% endstep %}

{% step %}

#### Validate access

Open a published interface in an incognito window. Confirm SSO is enforced.
{% endstep %}
{% endstepper %}

<div data-with-frame="true"><figure><img src="https://docs.stack-ai.com/stack-ai/~gitbook/image?url=https%3A%2F%2F3697023207-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FFSlso1Kjob5CLDrh0dVn%252Fuploads%252F13q1l18prUicKSOgDpeq%252Frequire_SSO_forall.png%3Falt%3Dmedia%26token%3D82e5820d-e0f1-4600-a00a-b90e5b36437e&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=ee5b84ee&#x26;sv=2" alt=""><figcaption></figcaption></figure></div>

### Multi-factor authentication (MFA)

MFA adds a second verification step for sign-in. Once enabled, MFA is **mandatory org-wide**.

MFA applies to password-based authentication. If you use SSO, MFA is typically enforced in your IdP.

#### Enable MFA

{% stepper %}
{% step %}

#### Open Authentication settings

Go to **Settings** → **Feature Access** → **Authentication**.
{% endstep %}

{% step %}

#### Turn on MFA

Select **Manage**. Turn on **MFA**.
{% endstep %}

{% step %}

#### Confirm the rollout

Have a user sign in again. They will be prompted to complete MFA setup.
{% endstep %}
{% endstepper %}

<figure><img src="https://docs.stack-ai.com/stack-ai/~gitbook/image?url=https%3A%2F%2F3697023207-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FFSlso1Kjob5CLDrh0dVn%252Fuploads%252FPQhH6uPg5KkVho7n8QMI%252Fturn_on_MFA.gif%3Falt%3Dmedia%26token%3D5ad55ddc-db88-4de8-96fa-a52a3e57e00b&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=ffe0e47d&#x26;sv=2" alt=""><figcaption></figcaption></figure>

### Troubleshooting

> #### Users can’t access a published interface after enabling “Require SSO for all interfaces”

Check these first:

* The user is signing in with a company email in your IdP.
* The user is assigned to the StackAI app in the IdP.
* The interface URL is the same one you tested (no old links).