Two Factor Authentication¶

On this page

Configure Two-Factor Authentication
Configure Backup Two Factor Authentication Phone Number
Generate New Recovery Codes
Reset Two Factor Authentication

Two-factor authentication provides a second layer of security for your Atlas account. If you enable 2FA for your account and after you enter your username and password, you are prompted for a six-digit time-sensitive verification code. This code is sent to a separate device, such as a mobile phone or security token, that you can read and enter into Atlas and complete your login.

Note

An Atlas Organization Owner can require that all Atlas users within their organization enable 2FA for their Atlas accounts.

For more information on organization settings, see Change Organization Settings.

Atlas provides the following sources for 2FA verification codes:

Text or Voice
2FA App
2FA device

Text Messages (SMS)

When Atlas prompts you for a verification code, Atlas sends the 6-digit verification code using text (SMS) to the provided phone number.

The cellular carrier’s SMS rates apply.

Automated Voice Calls

When Atlas prompts you for a verification code, Atlas calls the provided phone number. An automated system repeats the 6-digit verification code a total of three times before hanging up.

The cellular carrier’s Voice Call rates apply.

Important

Voice only works in the US / Canada.

Note

Atlas users who operate within a geographic region with limited cellular service coverage or reliability may encounter delays in receiving the 2FA code via SMS or Voice. Consider using a 2FA app or device instead.

When Atlas prompts you for a verification code, you can provide one that is generated in a 2FA app. You must pair the 2FA app with Atlas first.

This tutorial uses the Google Authenticator mobile app.

There are other mobile device apps and web browser plug-ins that provide 2FA capabilities. You can use any that support the TOTP.

You can pair only one app with Atlas at any one time.

When Atlas prompts you for a verification code, you can provide one that is generated in a 2FA PIV device. You must pair the PIV device app with Atlas first using a 2FA app. These devices must support TOTP.

This procedure uses a YubiKey security key, specifically those that work with Authenticator Codes. Other 2FA PIV hardware devices that use TOTP should work in a similar fashion.

Informational Reference Only

MongoDB does not endorse the aforementioned service, and its reference is intended only as informational. Defer to your organization’s procedures in selecting the appropriate vendor or service for supporting 2FA via smart card or similar device.

Configure Two-Factor Authentication¶

1

Go to your Atlas Account Settings.¶

In Atlas, click on your username in the top-right hand corner and select Account.

2

Enable Two-Factor Authentication.¶

Click Enable 2FA or click pencil icon .

When prompted for verification:

If you are setting up 2FA, enter your password.
If you are editing your 2FA settings, enter a 2FA code.
Click Verify.

3

Configure Voice/SMS Authentication.¶

Click Primary Method
Click Voice/SMS Number.
In the Enter your phone number box, enter your preferred mobile phone number.
Select your preferred method of receiving codes:
- Text Message (SMS) or
- Voice Call (US / Canada Only)
Click Verify.
Once you receive the verification code, enter that code into the into the Verify your code boxes. Each digit is entered in its own box.

Atlas automatically verifies the code and saves your settings.

1

Go to your Atlas Account Settings.¶

In Atlas, click on your username in the top-right hand corner and select Account.

2

Enable Two-Factor Authentication.¶

Click Enable 2FA or click pencil icon .

When prompted for verification:

If you are setting up 2FA, enter your password.
If you are editing your 2FA settings, enter a 2FA code.
Click Verify.

3

Configure your Atlas 2FA settings.¶

Click Primary Method.
Click Google Authenticator.

4

On your mobile device or web browser, install Google Authenticator.¶

Although only Google Authenticator is displayed in the UI, any TOTP mobile app or web browser plug-in may be used.

Note

Wherever you see the phrase Google Authenticator in this procedure, you can substitute the name of your preferred 2FA app.

App	iOS	Android	Windows Phone	Blackberry
Google Authenticator	Link	Link
Duo Mobile	Link	Link	Link
Authy	Link	Link
Microsoft Authenticator	Link	Link	Link
Gauth				Link

5

Add Atlas to Google Authenticator.¶

Start Google Authenticator.
Click +.
Choose how to pair the Google Authenticator app with Atlas.
- If your mobile device or web browser supports scanning barcodes, click Scan a barcode.
  
  Enable the device’s camera, if prompted, and point the device at the Atlas page to capture the barcode.
- If your mobile device or web browser does not support scanning barcodes, or if you prefer to enter a key, click Enter provided key.
  1. Atlas displays the Atlas Account with a Key.
  2. In Google Authenticator, click Enter provided key then enter the account and key.
    
    (Duo Mobile, Authy and other apps have similar prompts.)
  After the barcode is scanned or account and key are entered, the Google Authenticator app produces a 6-digit code to verify the pairing.
Once you receive the verification code, enter that code into the into the Verify your code boxes. Each digit is entered in its own box.

Atlas automatically verifies the code and saves your settings.

Download and install the Yubico Authenticator.¶

From a web browser, download the Yubico Authenticator application.
Double-click on the installer and follow the prompts.

2

Insert your Yubikey into a USB port.¶

3

Go to your Atlas Account Settings.¶

In Atlas, click on your username in the top-right hand corner and select Account.

4

Enable Two-Factor Authentication.¶

Click Enable 2FA or click pencil icon .

When prompted for verification:

If you are setting up 2FA, enter your password.
If you are editing your 2FA settings, enter a 2FA code.
Click Verify.

5

Configure your Atlas 2FA settings.¶

Click Primary Method.
Click Google Authenticator.

6

Add Atlas to the Yubikey.¶

Start the Yubico Authenticator.
Make sure that your web browser is open to your Atlas Two-Factor Authentication modal with the Google Authenticator button selected.
From the File menu in Yubico Authenticator, select Scan QR code….

In the New credential dialog box, confirm the settings:

Option	Accepted Value	Keep Default?
Issuer	The name you want to display in the Yubico Authenticator application for Atlas.	Your choice
Account name	Your Atlas username.	Yes
Secret key	Token generated from the QR code.	Yes
Type	Method that determines when to generate a new code.	Yes
Algorithm	Encryption algorithm the token uses.	Yes
Period	Duration that each verification code is valid.	Yes
Digits	Number of digits in the verification code.	Yes
Requires touch	Indicates user must be touching the contacts on the Yubikey when verification code is accepted.	User choice

Click Save credential.

The verification code displays in Yubico Authenticator under the heading label you gave for the Issuer.
Once you receive the verification code, enter that code into the into the Verify your code boxes. Each digit is entered in its own box.

Note

You can copy the code from the Yubico Authenticator application. Click the Atlas service. then select Copy to Clipboard from the Edit menu.

Atlas automatically verifies the code and saves your settings.

Configure Backup Two Factor Authentication Phone Number¶

You can configure a backup phone number for receiving 2FA codes if the primary method fails or is unavailable.

If you have not yet enabled 2FA for the Atlas account, do so before proceeding. See Configure Two-Factor Authentication.

1

In Atlas, click on your username in the top-right hand corner and select Account.¶

2

Click the edit button for Two Factor Authentication.¶

Atlas requires a 2FA verification code to continue.

3

Configure a backup phone number.¶

Select Add a Backup Phone.
Enter your preferred phone number in the text entry.
Select your preferred method of receiving codes:
- Text Message (SMS)
- Voice Call (US / Canada Only)
Click Verify once you have configured your Voice/SMS authentication settings.
Click Save Changes.

Generate New Recovery Codes¶

Atlas can generate single-use recovery codes for use where all other methods of accessing the account fail. When you generate new recovery codes, you invalidate previously generated ones.

If you have not yet enabled 2FA for the Atlas account, do so before proceeding. See Configure Two-Factor Authentication or Configure Two-Factor Authentication.

1

In Atlas, click on your username in the top-right hand corner and select Account.¶

In Atlas, click on your username in the top-right hand corner and select Account.

2

Select the edit button for Two Factor Authentication.¶

The edit button is displayed in Atlas using a pencil icon.

3

Select Show Recovery Codes.¶

Reset Two Factor Authentication¶

In order to reset your two-factor authentication, you must:

Be able to receive email at the address associated with your account.
Have the database username and password for a project of which you are a member.
Be a direct member of the project which your username and password correspond to. If you have access to the project only through a team that has a role in the project, you cannot reset two-factor authentication for your Atlas account.

Important

Resetting 2FA for an Atlas account disables 2FA for that account. You can re-configure 2FA after performing the reset procedure.

Log in to Atlas.
From the 2FA entry dialog, select Reset your two factor authentication.
Select Atlas user? Click here at the bottom of the Reset Two Factor Authentication modal.
Enter your Atlas username. Atlas emails a link to the e-mail account associated with the Atlas username.

Click the link in the e-mail to start the 2FA reset procedure.
Follow the directions on the 2FA reset page. After completing the reset procedure, Atlas allows you to log in to the Atlas account without requiring a 2FA code.

← Set up a Private Endpoint Set up User Authentication and Authorization with LDAP →