Commit

add draft docs for MFA feature
Roma36 committed Nov 30, 2023
1 parent eac049e commit 9e64a69
Showing 6 changed files with 61 additions and 8 deletions.
20 changes: 14 additions & 6 deletions docs/product/security.md → docs/product/security/README.md
Expand Up @@ -16,27 +16,35 @@ Spacelift regularly engages with external security firms to perform audits and p

All of our data is encrypted at rest and in transit. With the exception of intra-VPC traffic between the web server and the load balancer protected by a restrictive [AWS security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html){: rel="nofollow"}, all other traffic is handled using secure transport protocols. All the data sources (Amazon S3, database, Amazon SNS topics and Amazon SQS queues) are encrypted at rest using [AWS KMS](https://aws.amazon.com/kms/){: rel="nofollow"} keys with restricted and audited access.

[Customer secrets](../concepts/configuration/environment.md#a-note-on-visibility) are extra encrypted at rest in a way that should withstand even an internal attacker.
[Customer secrets](../../concepts/configuration/environment.md#a-note-on-visibility) are extra encrypted at rest in a way that should withstand even an internal attacker.

## Security Features

{% if is_saas() %}

### Multi-Factor Authentication (MFA)

Enhancing our robust security offerings, Spacelift introduces the IdP independent Multi-Factor Authentication (MFA) feature. This feature elevates the security of your Identity Provider (IdP) sessions by integrating the use of FIDO2 security keys, managed within Spacelift. MFA acts as a crucial safeguard for your identity, providing an additional security layer even in scenarios where your IdP may be compromised. Designed for seamless integration, MFA can be enforced across all user accounts, ensuring consistent security protocols are maintained. You can learn more about our MFA feature [here](./mfa.md).

{% endif %}

### Single Sign-On (SSO)

In addition to the default login providers (currently GitHub, GitLab, and Google), Spacelift also supports the ability to configure Single Sign-On (SSO) via SAML or OIDC using your favorite identity provider. Using SSO, Spacelift can be configured in a password-less approach, helping your company follow a zero-trust approach. As long as your Identity Provider supports SAML or OIDC, and passing the `email` scope, you're good to go! You can learn more about our Single Sign-On support [here](../integrations/single-sign-on/README.md).
In addition to the default login providers (currently GitHub, GitLab, and Google), Spacelift also supports the ability to configure Single Sign-On (SSO) via SAML or OIDC using your favorite identity provider. Using SSO, Spacelift can be configured in a password-less approach, helping your company follow a zero-trust approach. As long as your Identity Provider supports SAML or OIDC, and passing the `email` scope, you're good to go! You can learn more about our Single Sign-On support [here](../../integrations/single-sign-on/README.md).

### Environment Variables

Spacelift allows for granular control of environment variables on your [Stacks](../concepts/stack/README.md) either by setting [environment](../concepts/configuration/environment.md) variables on a per-stack basis, or creating collections of variables as a [Context](../concepts/configuration/context.md). These environment variables can be created in two types: **plain** or **secret**.
Spacelift allows for granular control of environment variables on your [Stacks](../../concepts/stack/README.md) either by setting [environment](../../concepts/configuration/environment.md) variables on a per-stack basis, or creating collections of variables as a [Context](../../concepts/configuration/context.md). These environment variables can be created in two types: **plain** or **secret**.

{% if is_saas() %}

### Private Worker Pools

Spacelift supports the ability to host the underlying compute resources that are accessing your codebase and executing your deployments, on your own infrastructure as a [Private Worker Pool](../concepts/worker-pools.md). This allows customers to optionally have full control over the security of their deployments. Furthermore, the image used by Spacelift private workers is [open source](https://github.com/spacelift-io/spacelift-worker-image){: rel="nofollow"}, giving customers full transparency into their private workers.
Spacelift supports the ability to host the underlying compute resources that are accessing your codebase and executing your deployments, on your own infrastructure as a [Private Worker Pool](../../concepts/worker-pools.md). This allows customers to optionally have full control over the security of their deployments. Furthermore, the image used by Spacelift private workers is [open source](https://github.com/spacelift-io/spacelift-worker-image){: rel="nofollow"}, giving customers full transparency into their private workers.

### Access Private Version Control Systems

For customers that have private-hosted version control systems such as on-premise installations of GitHub Enterprise, or [other VCS providers](../integrations/source-control/github.md), Spacelift provides the ability to access your on-premise VCS securely using [VCS Agent Pools](../concepts/vcs-agent-pools.md).
For customers that have private-hosted version control systems such as on-premise installations of GitHub Enterprise, or [other VCS providers](../../integrations/source-control/github.md), Spacelift provides the ability to access your on-premise VCS securely using [VCS Agent Pools](../../concepts/vcs-agent-pools.md).

A single VCS Agent Pool is a way for Spacelift to communicate with a single VCS system on your side. You run VCS Agents inside of your infrastructure and configure them with your internal VCS system endpoint. They will then connect to a gateway on our backend, and we will be able to access your VCS system through them.

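Review bot: "IdP independent" in the new `### Multi-Factor Authentication (MFA)` paragraph should be hyphenated as "IdP-independent" (the same phrase recurs in the new mfa.md), and the claim that MFA protects "even in scenarios where your IdP may be compromised" needs one sentence that makes the mechanism explicit: the FIDO2 key is managed and checked by Spacelift in addition to the IdP login, so an attacker who holds a user's IdP credentials or session still cannot enter Spacelift without the registered key. The relative-link rewrites from `../` to `../../` throughout this hunk are consistent with the file moving one level deeper into `docs/product/security/`, and the `./mfa.md` link sits inside the `{% if is_saas() %}` guard, which matches mfa.md being absent from nav.self-hosted.yaml.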
Expand All @@ -46,7 +54,7 @@ Spacelift VCS Agent Pools utilize gRPC on HTTP2 for secure, high-performance con

### Policies

Spacelift policies provide a way to express rules as code to manage your infrastructure as a code environment. Users can build policies to control Spacelift login permissions, access controls, deployment workflows, and even govern the infrastructure itself to be deployed. Policies are based on the [Open Policy Agent](https://www.openpolicyagent.org/){: rel="nofollow"} project and can be defined using its rule language _Rego_. You can learn more about policies [here](../concepts/policy/README.md).
Spacelift policies provide a way to express rules as code to manage your infrastructure as a code environment. Users can build policies to control Spacelift login permissions, access controls, deployment workflows, and even govern the infrastructure itself to be deployed. Policies are based on the [Open Policy Agent](https://www.openpolicyagent.org/){: rel="nofollow"} project and can be defined using its rule language _Rego_. You can learn more about policies [here](../../concepts/policy/README.md).

## Responsible disclosure

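Review bot: "infrastructure as a code environment" in the Policies paragraph should read "infrastructure-as-code environment"; since this line is already being edited for the link update, fix the wording in the same change. The new `../../concepts/policy/README.md` target is consistent with the other path updates in this file.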
42 changes: 42 additions & 0 deletions docs/product/security/mfa.md
@@ -0,0 +1,42 @@
# Multi-Factor Authentication (MFA)

With the introduction of IdP independent Multi-Factor Authentication (MFA), we extend our security capabilities to provide a robust and flexible authentication system. MFA at Spacelift is designed to protect your account and sensitive resources by requiring a second form of verification, adding a critical layer of security against unauthorized access.

!!! warning
Before enabling MFA, it's crucial to set backup credentials. This ensures that you can still access your account in the event of a lost security key or other unforeseen issues. You can find more about this in the [Backup Credentials](../../integrations/single-sign-on/backup-credentials.md) section.

## Setting Up MFA for Your Account

### Enable MFA

Go to the _Personal settings_. Next, navigate to _Multi-factor authentication_. Here, you can add personal security keys that will be used for authentication.

### Adding Security Keys

- Click on the _Enable_ button to activate MFA.
![](./personal-settings-enable-mfa.png)
- Follow the prompt to register your security key; you can name it for easy identification.
- Once added, the key will appear in your list of security keys, complete with details like the key name, key ID, and creation date.

### Deleting Security Keys

You can remove a security key at any time. To delete, click the trash icon next to the key you wish to remove and confirm your action.

## Setting Up MFA for Organization

In order to manage MFA in your organization, please go to the _Organization settings_. Next, navigate to _Multi-factor authentication_.

Admins can view and delete security keys for any user within the organization to maintain the organization's security integrity.

![](./organization-settings-mfa.png)

### Enforce MFA

Organization admins can enforce MFA across the organization to ensure that all users comply with the security standards. Enforcing MFA means every active user must have at least one registered security key.

!!! warning
After MFA enforcement, existing sessions except for the current one will be invalidated. Users will be prompted to register their security keys during their next login session for continued access.

### After Enforcing MFA

Once MFA is enforced, all users must maintain at least one security key. The option to disable MFA (or delete all security keys) is disabled in _Personal settings_ for them. However, Admin always has the right to delete the user's key in the _Organization settings_.
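Review bot: the first bullet under `### Adding Security Keys` ("Click on the _Enable_ button to activate MFA") and its screenshot belong under the preceding `### Enable MFA` heading, which at present only describes navigation to _Personal settings_; move them up so each heading matches its content. Two behaviours need documenting in the organization section: what happens when an admin deletes a user's only key while enforcement is on (`### After Enforcing MFA` says every user must keep at least one key, but the outcome for that user, presumably the register-on-next-login prompt described in the enforcement warning, is not stated), and whether "existing sessions" in the enforcement warning means browser sessions only or every form of authenticated access. Minor: "Admin always has the right to delete" should read "an admin can always delete", and the two `![]()` images should carry alt text, e.g. `![Enable MFA in Personal settings](./personal-settings-enable-mfa.png)`.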
3 changes: 2 additions & 1 deletion nav.self-hosted.yaml
Expand Up @@ -144,7 +144,8 @@ nav:
- product/administration/advanced-installations.md
- product/administration/slack-integration-setup.md
- product/notifications.md
- product/security.md
- Security:
- product/security/README.md
- product/migrating-to-spacelift.md
- Support:
- product/support/README.md
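Review bot: replacing `product/security.md` with `product/security/README.md` changes the published URL of the security page; unless the site generator handles renames automatically, add a redirect from the old path so existing bookmarks and external links to the security page keep resolving. The new `Security:` group having a single child in the self-hosted nav is consistent with the `{% if is_saas() %}` guard around the MFA section in the README, so no change is needed there.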
4 changes: 3 additions & 1 deletion nav.yaml
Expand Up @@ -157,7 +157,9 @@ nav:
- integrations/webhooks.md
- 📖 Product:
- product/notifications.md
- product/security.md
- Security:
- product/security/README.md
- product/security/mfa.md
- product/migrating-to-spacelift.md
- Support:
- product/support/README.md

0 comments on commit 9e64a69
