From 9555fb91df7c51d18c1a5ceff16e436fcab366e2 Mon Sep 17 00:00:00 2001 From: Noah Talerman <47070608+noahtalerman@users.noreply.github.com> Date: Tue, 24 Dec 2024 10:07:38 -0500 Subject: [PATCH] SSO guide: best practice for email 2FA Fleet shipped email 2FA. User story is here () Best practice: - Email 2FA for "break-glass" user - SSO for all other users --- docs/Deploy/single-sign-on-sso.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/Deploy/single-sign-on-sso.md b/docs/Deploy/single-sign-on-sso.md index 459f6b7094dc..62cd4f089c16 100644 --- a/docs/Deploy/single-sign-on-sso.md +++ b/docs/Deploy/single-sign-on-sso.md @@ -191,6 +191,12 @@ Here's a `SAMLResponse` sample to set the role of SSO users to `observer` in tea Each IdP will have its own way of setting these SAML custom attributes, here are instructions for how to set it for Okta: https://support.okta.com/help/s/article/How-to-define-and-configure-a-custom-SAML-attribute-statement?language=en_US. +## Two-factor authentication (2FA) + +If you have a "break glass" Fleet user account that's used to login to Fleet when your Identify Provider (IdP) goes down, you can enable 2FA, also known as multi-factor authentication (MFA), for this user. For all other users, the best practice is to enable single-sign on (SSO). Then, you can enforce any 2FA method supported by your IdP (i.e. authenticator app, security key, etc.). + +You can't edit the authentication method for your currently logged-in user. To enable email 2FA for a user, login with a different user who has the admin role and head to **Settings > Users**. +
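Review bot: In the first added paragraph, "Identify Provider (IdP)" is a misspelling of the term being abbreviated; it should read "Identity Provider (IdP)". In the same paragraph, "used to login to Fleet" should use the verb form "log in to Fleet", "single-sign on (SSO)" should be "single sign-on (SSO)", and "i.e. authenticator app, security key, etc." introduces examples rather than a definition, so "e.g." is the right abbreviation; the last paragraph's "login with a different user" should likewise be "log in with a different user". Since the commit message describes this as email 2FA but the section only uses the word "email" in its final paragraph, state up front that the built-in method is email-based, for example `+## Email two-factor authentication (2FA)` or "you can enable Fleet's email-based 2FA, also known as multi-factor authentication (MFA), for this user", so readers do not expect an authenticator-app or security-key option for the break-glass account itself. Finally, the commit message's "User story is here ()" has an empty link that should be filled in before merging.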