SaaS Shield Configuration Broker Two-Factor Authentication (2FA)

The IronCore Configuration Broker supports two-factor authentication for login and password recovery. The primary method of 2FA is WebAuthn passkeys (supported by password managers and device hardware keys), but email codes are supported as a fallback.

Enabling Two-Factor Authentication

To enable 2FA, go to the Account Settings page and toggle Two-Factor Authentication on. Until a WebAuthn device is registered, only email-based verification will be used.

Managing WebAuthn Devices

In Account Settings, click Manage 2FA Devices to view, register, or remove WebAuthn passkeys.

• The dialog displays all registered devices, including the last time each was used.
• To register a device, follow the prompts in your browser or password manager.
• To deauthorize a device, click the trash icon and confirm.
  • Note that removing all devices does not disable 2FA, so you’ll still receive codes via email.

Considerations with Single Sign On

If your organization uses Single Sign On (SSO), logging in to the Configuration Broker will not use the application’s 2FA, even if it has been configured. Instead, you should set up 2FA with your organization’s identity provider. Note that recovering your password does still require the Configuration Broker’s 2FA, regardless of your organization’s SSO settings.