Multi-factor authentication

Multi-factor authentication adds a second proof of identity beyond the password.

Last updated June 1, 2026

Multi-factor authentication, or MFA, requires a second proof of identity in addition to a password. Even if a credential is stolen or guessed, an attacker still cannot sign in without the second factor.

Why a second factor

Passwords fail in predictable ways. They get reused across sites, phished through fake login pages, and exposed in breaches you never hear about. A second factor breaks that chain. The person signing in has to present something they hold, not just something they know.

For a Forest account this matters because the data inside describes your security posture: where your maturity is low, which capabilities are compliance-required, and where your spend sits. That is exactly the kind of information an attacker would value during reconnaissance.

What to expect

  • After entering a password, users confirm their identity with a second factor.

  • The second factor is tied to the individual, not shared across a team.

  • Account administrators can set expectations for who must use it.

Treat MFA as the default for everyone with access, not an option for a few. The cost is a few seconds at login. The alternative is a single stolen password standing between an outsider and your full assessment.

MFA confirms who a person is. Roles then decide what that person can do. Read "Role-based access control" for how the two work together, and "SSO and OIDC readiness" if you want to manage authentication through your own identity provider.