Skip to main content

Login MFA Support Added to Vault Open Source and HCP Vault

HashiCorp expands MFA support across open source and all HCP Vault tiers, previously available only through Vault Enterprise.

We are pleased to announce the general availability of HashiCorp Vault 1.10, which adds login multi-factor authentication (MFA) support for Vault OSS and Vault on the HashiCorp Cloud Platform (HCP Vault). With login MFA, previously available only through Vault Enterprise, this release expands zero trust security best practices to all Vault users. The new login multi-factor authentication integration offers an additional authentication step using time-based one-time password (TOTP), Okta, Duo, or PingIdentity.

As increasingly sophisticated attacks from hackers and ransomware increase each year, organizations and developers need modern, automated security solutions that rely heavily on identity to protect critical infrastructure. In a breach, credentials are among the first things that an intruder will look for: according to Verizon, 89% of web app breaches are caused by credential abuse, while 61% of all breaches involve stolen credentials.

We believe that zero trust security should be comprehensive and accessible. A key component to the cloud operating model is zero trust security where securing infrastructure is predicated on identity rather than securing the network perimeter. Adding MFA to Vault open source — and expansion to HCP Vault — makes identity-based security, for both humans and machines, consistent and accessible at all levels of infrastructure. This release advances our commitment to unlocking the cloud operating model for every business and enabling their digital transformation strategies.

Login MFA offers additional security protections around credentials that are critical to zero trust security initiatives as organizations expand cloud programs and support an increasingly distributed global workforce. We have supported MFA in the Enterprise version of Vault for several years and wanted to bring that enhanced security to the entire Vault portfolio.

Having multiple options on how MFA is used with Vault (e.g., using TOTP, Okta, Duo, or PingIdentity) provides flexibility to support your preferred implementation. Login MFA is now considered a foundational feature in Vault open source and HCP Vault. Vault Enterprise continues to support Step-up Enterprise MFA when additional factors are required for a non-login operation.

For more information on login MFA, please see the auth method documentation, our list of frequently asked questions, and the detailed HashiCorp Learn guide on how to enable ​​login MFA with PingIdentity.

»Vault OSS Upgrade

Vault 1.10 introduces significant new functionality along with login MFA. As such, please review the Upgrading Vault page, as well as the Feature Deprecation Notice and Plans page for further details.

For more information about Vault Enterprise, visit You can download the open source version of Vault at

»HCP Vault Upgrade

New HCP Vault instances can take advantage of login MFA integrations beginning April 7, 2022. Sign up and try HCP Vault for free today.

The HashiCorp team will reach out to existing HCP Vault customers about a planned upgrade to Vault 1.10 in the coming weeks.

Sign up for the latest HashiCorp news

By submitting this form, you acknowledge and agree that HashiCorp will process your personal information in accordance with the Privacy Policy.