Multi-factor authentication

MFA is enabled by default in clusters created with okctl version 0.0.103 and up. If the cluster was created before that, follow the instructions below to enable.

In the event of a compromised QR code / MFA secret, notify Kjøremiljø ASAP.

Activate MFA for Cognito

This can be done by opening Cognito in the AWS web console, selecting the relevant user pool and performing the following operations:

AWS web console UI flow

  1. Select the "Sign in experience" tab, and press "Edit" in the "Multi-factor authentication" box.

    1. Select "Require MFA - Recommended"
    2. Check the "Authenticator apps" box.
    3. Click "Save changes"
  2. Select the "App integration" tab, and for each client in the "App clients and analytics"-list, do the following:

    1. Click "Edit" in the "App client information" box
    2. Click "Select authentication flows"
    4. Click "Save changes"

In the old version of the web console the navigation flow differs from the one we have described here. We recommend you to use the updated version.

Register a new OTP device

Logging into Grafana or ArgoCD in an MFA enabled Cognito will initiate the setup MFA device flow.

If for some reason the flow does not start, you can use the following instructions to manually register a device.

To register a new MFA/OTP device, run

# Usage
okctl setup-mfa <relevant Cognito user email>

# Example
okctl setup-mfa

Follow the instructions to register a device.


  • What authenticator app should I use? Any app that supports TOTP will do. We recommend FreeOTP+