Contact UsTry it for free
© 2026 Direct Cursus Technology L.L.C.

Creating an MFA policy

Written by
Updated at February 11, 2026

MFA policies enable configuring multi-factor authentication (MFA) for federated and local user accounts.

To create an MFA policy:

  1. Log in to Yandex Identity Hub.

  2. In the left-hand panel, select Security settings.

  3. Navigate to the MFA policies tab.

  4. In the top-right corner, click Create policy and in the window that opens:

    1. In the Name field, enter a name for the new policy. Follow these naming requirements:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    2. Optionally, enter a policy description in the Description field.

    3. If you do not want to activate the policy upon creation, disable Policy active.

    4. In the Factor types field, select additional authentication factors required for users from the policy's target groups to verify their identity:

      • Any. This option allows users to select one of the following additional authentication factor standards:

        • WebAuthn (FIDO2). The acceptable additional authentication factors may include hardware keys such as Rutoken or YubiKey, Passkeys authenticators, platform authenticators such as Windows Hello, etc.

          Warning

          Browser extensions with password input control may cause errors when entering additional factors. We recommend disabling such extensions in case of errors.

        • TOTP. This standard enables using one-time codes generated by dedicated authenticator apps as an additional authentication factor.

        • SMS. This standard enables using one-time codes sent via a text message to the specified mobile phone number as an additional authentication factor.

          Note

          SMS as an authentication factor is at the Preview stage and available only to customers with a billable limit of Identity Hub users. To get access, contact support or your account manager.

      • Any (except SMS). This option enforces the WebAuthn or TOTP authentication factors.

      • Phishing-resistant. This option enforces the WebAuthn authentication factors as the most secure ones.

    5. In the Creation deadline field, specify the period in days during which the user must add a second authentication factor after registration.

    6. In the Lifetime field, set the credential validity period, in days.

      Upon expiry of the specified timeout, the user will need to authenticate with the additional factor again.

    7. Click Create policy.

If you do not have the Yandex Cloud CLI installed yet, install and initialize it.

By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.

  1. See the description of the CLI command for creating an MFA policy:

    yc organization-manager mfa-enforcement create --help

  2. Create an MFA policy by running the command:

    yc organization-manager mfa-enforcement create \
  --organization-id <organization_ID> \
  --acr-id <authentication_factor_type> \
  --ttl <lifetime> \
  --status <policy_status> \
  --apply-at <activation_time> \
  --enroll-window <creation_deadline> \
  --name <policy_name> \
  --description <policy_description>

    Where:

    • --name: Policy name. The naming requirements are as follows:

      • It must be from 1 to 63 characters long.
      • It may contain lowercase Latin letters, numbers, and hyphens.
      • It must start with a letter and cannot end with a hyphen.

    • --organization-id: Organization ID.

    • --acr-id: Authentication factor type. The possible values are:

      • any-mfa: Authentication factors without security restrictions.

        Note

        SMS as an authentication factor is at the Preview stage and available only to customers with a billable limit of Identity Hub users. To get access, contact support or your account manager.

      • any-except-sms: Only FIDO2 or TOTP factors.

      • phr: Only phishing-resistant FIDO2 factors.

    • --ttl: Credential validity period in days.

    • --status: Policy status, active (status-active) or inactive (status-inactive).

    • --apply-at: Time after which the policy will become active. This is an optional parameter.

    • --enroll-window: Period in days during which the user must add a second authentication factor after registration.

    • --description: Policy description. This is an optional parameter.

  3. Optionally, run the following command to activate an inactive MFA policy:

    yc organization-manager mfa-enforcement activate \
  --id <policy_ID>

Note

For an MFA policy to apply to specific user accounts, add the users in question or the groups they are members of to the policy's target groups.

See also

Previous
Deactivating and deleting an app
Next
Applying an MFA policy to users