Multi-factor Authentication

Issue

Integrate Jenkins with MFA (Multi-factor authentication)

Environment

CloudBees CI (CloudBees Core)
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
CloudBees Jenkins Enterprise
CloudBees Jenkins Enterprise - Managed controller
CloudBees Jenkins Enterprise - Operations Center
CloudBees Jenkins Platform - Client controller
CloudBees Jenkins Platform - Operations Center
CloudBees Jenkins Distribution
Jenkins LTS

Resolution

CloudBees' approach to Multi Factor Authentication (MFA) and to One Time Password (OTP) is to recommend Jenkins administrator to secure their Jenkins infrastructure with Single Sign On solution.

Organizations who want MFA or OTP usually implement it

either using an external service such as Google Auth or GitHub Auth
or as part of a corporate security project with the deployment of an enterprise authentication service usually coupled with an SSO platform

You can integrate with SSO service through SAML, OpenID or Oauth. It is also very common to integrate a SSO reverse proxy.

Notice that MFA is implemented outside of Jenkins and Jenkins' role is to integrate with such a service.