We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

How Do I Configure and Manage MFA for the Piano Dashboard?

What Are the Prerequisites and Constraints for MFA?

For general information on what MFA is, supported types, and the user enrollment experience, see Piano Dashboard Login documentation. The sections below cover additional administrative constraints to be aware of before requesting activation.

Why Is MFA Domain-Based and What Does That Mean?

MFA is enforced at the email domain level (for example, @company.com), not per individual user, site, or application. Once enabled for a domain, it applies to all users whose login email matches that domain across all dashboards (including Sandbox and Production).

If you need MFA only for a subset of users, consider the following approaches:

  • Pilot on a separate test domain you control, then roll out to production domains.

  • For site-specific targeting, create accounts under a distinct email domain and enable MFA for that domain only.

Why Is Domain Ownership Required?

You can only enable MFA for domains your organization owns and controls. This prevents accidental enforcement for unrelated users (for example, all @gmail.com users globally).

For external partners or agencies using their own domains, a common workaround is to provision them with an email address under a domain you control.

Can I Enforce MFA on Public Email Domains?

No. Public email domains such as @gmail.com, @yahoo.com, or @outlook.com cannot have MFA enforced, as domain ownership cannot be verified for these providers.

What Information Do I Need to Provide to Activate MFA?

As noted in the Piano Dashboard documentation, MFA activation is requested through Piano Support. To expedite the process, provide the following details in your request:

  1. Email domain(s) to enforce (for example, company.com, subsidiary.com).

  2. Your preference for "Remember this device for 30 days": Allow or Deny.

  3. Rollout plan: pilot (specific users/test domain) vs. full rollout.

  4. Preferred activation date/time (to reduce disruption to your team).

What Is the Typical Piano Subscriptions Timeline?

Piano Subscriptions is typically completed within 1–2 business days after all required details are confirmed.

How Does the "Remember This Device for 30 Days" Option Work?

When set to Allow, users can mark a device as trusted and skip MFA prompts on that device for 30 days. When set to Deny, MFA is required at every login, including repeated logins from the same device.

This preference is set at the domain level during activation. If you need to change it after activation, contact Piano Support.

How Do I Reset MFA for a User Who Lost Their Authenticator?

If a user loses access to their authenticator app and does not have their recovery codes, Piano Support can reset MFA enrollment for that user. This will allow the user to re-enroll and scan a new QR code at their next login.

To request a reset:

  • Contact support@piano.io.

  • Provide the affected user's email address and the reason for the reset.

Reset requests typically require identity/authorization verification and may take 1–3 business days depending on the validation needed.

Does MFA Affect APIs, Webhooks, or Backend Integrations?

No. MFA affects interactive logins to Piano management interfaces (Dashboard/Sandbox) only.

  • API access, webhooks, API keys, and backend integrations are not affected by enabling MFA.

  • If you also enable IP address restrictions for Dashboard login, that restriction applies to login access only (not API calls) and can be scheduled independently or alongside MFA. For more information, see the IP-Restricted Access section of the login documentation.

How Does MFA Work with Sandbox and User Invitations?

MFA enforcement is based on the email domain and applies across all environments, including both Sandbox and Production dashboards.

If you run into invitation constraints where an email address cannot be invited to another application in the same environment, using an email alias pattern such as name+alias@company.com may help avoid conflicts (depending on your email provider's alias support).

Can I Use DUO as My Authenticator App?

DUO is not supported as a general authenticator for Piano MFA due to platform constraints. Please use a standard OTP authenticator app such as Google Authenticator or Microsoft Authenticator.

Should I Use Piano MFA or Enterprise SSO?

If your organization uses Enterprise SSO, Piano recommends enforcing MFA in your Identity Provider (IdP) (for example, Google, Microsoft, or Okta) and keeping Piano-side MFA disabled. This ensures a consistent MFA policy across your organization and centralizes access control.

Enterprise SSO is a paid feature. For more information on the Enterprise SSO login process, see the documentation.

Last updated: