# Authentication and MFA

Organizations can implement org-wide authentication methods within StackAI to ensure authentication method stays consistent across business teams and StackAI projects. 

### Workspace sign-in methods

By default, when you invite a new user to access to StackAI workspace, the user will receive an email inviting them to access their account and set up a password. You could also set up SSO in "SSO Settings" page and standardize how users join your organization.

<div data-with-frame="true"><figure><img src="/files/c7lMYzcgTiXhvteJ4zQ8" alt=""><figcaption></figcaption></figure></div>

### Default role for SSO users

By default, newly provisioned SSO users start as **User**. Admins can promote them at any time.

See [Role-Based Access Controls (RBAC) and Groups](/welcome-to-stackai/security-and-governance/security-in-stackai/role-based-access-controls-rbac-and-groups.md) for role definitions and common patterns.

### Require SSO for published interfaces

You can require SSO for all interfaces. This prevents access from users outside your organization.

{% stepper %}
{% step %}

#### Open Authentication settings

Go to **Settings** → **Feature Access** → **Other**.
{% endstep %}

{% step %}

#### Require SSO for all  interfaces

Enable **Require SSO for all interfaces**.
{% endstep %}

{% step %}

#### Validate access

Open a published interface in an incognito window. Confirm SSO is enforced.
{% endstep %}
{% endstepper %}

<div data-with-frame="true"><figure><img src="https://docs.stack-ai.com/stack-ai/~gitbook/image?url=https%3A%2F%2F3697023207-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FFSlso1Kjob5CLDrh0dVn%252Fuploads%252F13q1l18prUicKSOgDpeq%252Frequire_SSO_forall.png%3Falt%3Dmedia%26token%3D82e5820d-e0f1-4600-a00a-b90e5b36437e&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=ee5b84ee&#x26;sv=2" alt=""><figcaption></figcaption></figure></div>

### Multi-factor authentication (MFA)

MFA adds a second verification step for sign-in. Once enabled, MFA is **mandatory org-wide**.

MFA applies to password-based authentication. If you use SSO, MFA is typically enforced in your IdP.

#### Enable MFA

{% stepper %}
{% step %}

#### Open Authentication settings

Go to **Settings** → **Feature Access** → **Authentication**.
{% endstep %}

{% step %}

#### Turn on MFA

Select **Manage**. Turn on **MFA**.
{% endstep %}

{% step %}

#### Confirm the rollout

Have a user sign in again. They will be prompted to complete MFA setup.
{% endstep %}
{% endstepper %}

<figure><img src="https://docs.stack-ai.com/stack-ai/~gitbook/image?url=https%3A%2F%2F3697023207-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252FFSlso1Kjob5CLDrh0dVn%252Fuploads%252FPQhH6uPg5KkVho7n8QMI%252Fturn_on_MFA.gif%3Falt%3Dmedia%26token%3D5ad55ddc-db88-4de8-96fa-a52a3e57e00b&#x26;width=768&#x26;dpr=3&#x26;quality=100&#x26;sign=ffe0e47d&#x26;sv=2" alt=""><figcaption></figcaption></figure>

### Troubleshooting

> #### Users can’t access a published interface after enabling “Require SSO for all interfaces”

Check these first:

* The user is signing in with a company email in your IdP.
* The user is assigned to the StackAI app in the IdP.
* The interface URL is the same one you tested (no old links).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stackai.com/welcome-to-stackai/security-and-governance/security-in-stackai/authentication-and-mfa.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.