Enterprise Edition
Multi-factor authentication settings
Last updated: October 31, 2024
When you enable multi-factor authentication (MFA), all users must enter a passcode from an external authentication app in addition to their username and password when they log in. This helps to make your Burp Suite Enterprise Edition instance more secure, as it makes it harder for a malicious actor to gain access to the system even if they manage to acquire a valid username and password.
Note
Burp Suite Enterprise Edition's MFA solution requires users to sign in with a code generated by a TOTP (Time-based One-Time Password) app. All Burp Suite Enterprise Edition users must have access to a TOTP app if MFA is enabled. We have tested Burp Suite Enterprise Edition with Google Authenticator and Microsoft Authenticator, but any TOTP app should work.
Enabling MFA
When you first enable MFA as an administrator, Burp Suite Enterprise Edition requires you to sign in to your own account using MFA to confirm that the setup process has worked.
To enable MFA:
Select Settings > Multi-factor authentication to display the Manage multi-factor authentication for all users setting.
Set the Activate multi-factor authentication for all users toggle to on.
Click Protect my account to display the Activate multi-factor authentication dialog.
Scan the QR code and follow the setup flow in your authentication app.
Enter the 6-digit code displayed in your app into the dialog and click Confirm to display a list of backup codes.
Copy and store the backup codes in a safe place. You will need these if you are unable to log in using MFA for any reason.
Note
If you are the primary administrator for an instance of Burp Suite Enterprise Edition that uses MFA, it is very important that you store your backup codes safely. Without these codes you will not be able to access your account if you lose access to your authenticator app.
For more information on managing backup codes, see Backup codes.
Logging in with MFA
Each user must complete MFA setup for their account before they can log in to Burp Suite Enterprise Edition. The first time a user attempts to log in after MFA is enabled, Burp Suite Enterprise Edition displays an authentication flow containing a QR code. The user must scan this code and complete the setup process in their authenticator app.
Once you have set up MFA on your account, you are presented with a Multi-factor authentication page each time you log in. Enter the code from your app and click Confirm to log in.
Backup codes
Burp Suite Enterprise Edition automatically generates backup codes when you enable MFA for your account. You can generate additional codes later if required.
Backup codes are pre-generated one-time codes. You can use them instead of a code from an authenticator app. They enable you to access Burp Suite Enterprise Edition if you do not have access to your app.
Managing backup codes
To generate new backup codes for your account:
Click the account icon and select My account.
Click Generate new backup codes. Burp Suite Enterprise Edition displays a list of new codes for your account.
Copy and store your codes in a safe place, for example in a password manager.
You can also view your existing codes. This is useful if you want to check which codes have already been used.
To view existing backup codes:
Click the account icon and select My account.
Click View backup codes. Burp Suite Enterprise Edition displays a list of existing codes for your account.
Using backup codes
To use a backup code:
Click Use backup code on the Multi-factor authentication login screen.
Enter a valid backup code into the box and click Confirm.
You are logged in, and the code is removed from the list of valid codes.
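The sketch below is an added example, not PortSwigger's code: it shows what a server typically does when it checks the 6-digit app code and the single-use backup codes described above. It assumes the RFC 6238 defaults (HMAC-SHA-1, 30-second step); the SecondFactor class, the one-step drift window, and the sample secret and backup codes in the comments are hypothetical.

```python
import hashlib
import hmac
import struct
from typing import Iterable


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA-1 assumed)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class SecondFactor:
    """Hypothetical verifier: TOTP with replay rejection, plus one-time backup codes."""

    def __init__(self, secret: bytes, backup_codes: Iterable[str]):
        self.secret = secret
        self.backup_codes = set(backup_codes)
        self.last_step = -1  # highest time step that has already been accepted

    def check_totp(self, code: str, now: int, drift: int = 1) -> bool:
        # Accept the current step and `drift` steps either side to absorb clock skew.
        current = now // 30
        for step in range(current - drift, current + drift + 1):
            expected = totp(self.secret, step * 30)
            if step > self.last_step and hmac.compare_digest(
                expected.encode(), code.encode()
            ):
                self.last_step = step  # the same code cannot be replayed
                return True
        return False

    def check_backup(self, code: str) -> bool:
        # Constant-time comparison against every stored code; remove on success.
        match = None
        for stored in self.backup_codes:
            if hmac.compare_digest(stored.encode(), code.encode()):
                match = stored
        if match is None:
            return False
        self.backup_codes.remove(match)
        return True


# Constructed usage: SecondFactor(b"12345678901234567890", ["backup-a", "backup-b"])
# with the RFC 6238 test secret; at unix time 59 the 6-digit code is "287082".
```

Rejecting a code whose time step has already been accepted keeps a captured code from being reused inside its validity window, which is the same one-time property the backup codes get by being removed on use.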