Add docs for MFA feature

docs/concepts/configuration/environment.md

@@ -169,4 +169,4 @@ Mounted files are similar - plain can be downloaded from the web GUI or through
 While the content of secret (write-only) environment variables and mounted files is not accessible through the GUI or [API](../../integrations/api.md), the checksums are always available so if you have the value handy and just want to check if that's the same value as the one set in Spacelift, you can compare its checksum with the one reported by us - check out the most recent [GraphQL API](../../integrations/api.md#graphql-schema-s) schema for more details.
 
 !!! info
-    Though all of our data is [encrypted both at rest and in transit](../../product/security.md#encryption), secret (write-only) values enjoy two extra layers of protection.
+    Though all of our data is [encrypted both at rest and in transit](../../product/security/README.md#encryption), secret (write-only) values enjoy two extra layers of protection.

docs/product/security.md → docs/product/security/README.md

@@ -16,27 +16,35 @@ Spacelift regularly engages with external security firms to perform audits and p
 
 All of our data is encrypted at rest and in transit. With the exception of intra-VPC traffic between the web server and the load balancer protected by a restrictive [AWS security group](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html){: rel="nofollow"}, all other traffic is handled using secure transport protocols. All the data sources (Amazon S3, database, Amazon SNS topics and Amazon SQS queues) are encrypted at rest using [AWS KMS](https://aws.amazon.com/kms/){: rel="nofollow"} keys with restricted and audited access.
 
-[Customer secrets](../concepts/configuration/environment.md#a-note-on-visibility) are extra encrypted at rest in a way that should withstand even an internal attacker.
+[Customer secrets](../../concepts/configuration/environment.md#a-note-on-visibility) are extra encrypted at rest in a way that should withstand even an internal attacker.
 
 ## Security Features
 
+{% if is_saas() %}
+
+### Multi-Factor Authentication (MFA)
+
+This feature elevates the security of your Identity Provider (IdP) sessions by integrating the use of FIDO2 security keys, managed within Spacelift. MFA acts as a crucial safeguard for your identity, providing an additional security layer. Designed for seamless integration, MFA can be enforced across all user accounts, ensuring consistent security protocols are maintained. You can learn more about our MFA feature [here](./mfa.md).
+
+{% endif %}
+
 ### Single Sign-On (SSO)
 
-In addition to the default login providers (currently GitHub, GitLab, and Google), Spacelift also supports the ability to configure Single Sign-On (SSO) via SAML or OIDC using your favorite identity provider. Using SSO, Spacelift can be configured in a password-less approach, helping your company follow a zero-trust approach. As long as your Identity Provider supports SAML or OIDC, and passing the `email` scope, you're good to go! You can learn more about our Single Sign-On support [here](../integrations/single-sign-on/README.md).
+In addition to the default login providers (currently GitHub, GitLab, Microsoft and Google), Spacelift also supports the ability to configure Single Sign-On (SSO) via SAML or OIDC using your favorite identity provider. Using SSO, Spacelift can be configured in a password-less approach, helping your company follow a zero-trust approach. As long as your Identity Provider supports SAML or OIDC, and passing the `email` scope, you're good to go! You can learn more about our Single Sign-On support [here](../../integrations/single-sign-on/README.md).
 
 ### Environment Variables
 
-Spacelift allows for granular control of environment variables on your [Stacks](../concepts/stack/README.md) either by setting [environment](../concepts/configuration/environment.md) variables on a per-stack basis, or creating collections of variables as a [Context](../concepts/configuration/context.md). These environment variables can be created in two types: **plain** or **secret**.
+Spacelift allows for granular control of environment variables on your [Stacks](../../concepts/stack/README.md) either by setting [environment](../../concepts/configuration/environment.md) variables on a per-stack basis, or creating collections of variables as a [Context](../../concepts/configuration/context.md). These environment variables can be created in two types: **plain** or **secret**.
 
 {% if is_saas() %}
 
 ### Private Worker Pools
 
-Spacelift supports the ability to host the underlying compute resources that are accessing your codebase and executing your deployments, on your own infrastructure as a [Private Worker Pool](../concepts/worker-pools). This allows customers to optionally have full control over the security of their deployments. Furthermore, the image used by Spacelift private workers is [open source](https://github.com/spacelift-io/spacelift-worker-image){: rel="nofollow"}, giving customers full transparency into their private workers.
+Spacelift supports the ability to host the underlying compute resources that are accessing your codebase and executing your deployments, on your own infrastructure as a [Private Worker Pool](../../concepts/worker-pools). This allows customers to optionally have full control over the security of their deployments. Furthermore, the image used by Spacelift private workers is [open source](https://github.com/spacelift-io/spacelift-worker-image){: rel="nofollow"}, giving customers full transparency into their private workers.
 
 ### Access Private Version Control Systems
 
-For customers that have private-hosted version control systems such as on-premise installations of GitHub Enterprise, or [other VCS providers](../integrations/source-control/github.md), Spacelift provides the ability to access your on-premise VCS securely using [VCS Agent Pools](../concepts/vcs-agent-pools.md).
+For customers that have private-hosted version control systems such as on-premise installations of GitHub Enterprise, or [other VCS providers](../../integrations/source-control/github.md), Spacelift provides the ability to access your on-premise VCS securely using [VCS Agent Pools](../../concepts/vcs-agent-pools.md).
 
 A single VCS Agent Pool is a way for Spacelift to communicate with a single VCS system on your side. You run VCS Agents inside of your infrastructure and configure them with your internal VCS system endpoint. They will then connect to a gateway on our backend, and we will be able to access your VCS system through them.
 
@@ -46,7 +54,7 @@ Spacelift VCS Agent Pools utilize gRPC on HTTP2 for secure, high-performance con
 
 ### Policies
 
-Spacelift policies provide a way to express rules as code to manage your infrastructure as a code environment. Users can build policies to control Spacelift login permissions, access controls, deployment workflows, and even govern the infrastructure itself to be deployed. Policies are based on the [Open Policy Agent](https://www.openpolicyagent.org/){: rel="nofollow"} project and can be defined using its rule language _Rego_. You can learn more about policies [here](../concepts/policy/README.md).
+Spacelift policies provide a way to express rules as code to manage your infrastructure as a code environment. Users can build policies to control Spacelift login permissions, access controls, deployment workflows, and even govern the infrastructure itself to be deployed. Policies are based on the [Open Policy Agent](https://www.openpolicyagent.org/){: rel="nofollow"} project and can be defined using its rule language _Rego_. You can learn more about policies [here](../../concepts/policy/README.md).
 
 ## Responsible disclosure
 

docs/product/security/mfa.md

@@ -0,0 +1,45 @@
+# Multi-Factor Authentication (MFA)
+
+!!! info
+    Note that Multi-Factor Authentication is an Enterprise plan feature and is available only when SSO is enabled.
+
+With the introduction of IdP independent Multi-Factor Authentication (MFA), we extend our security capabilities to provide a robust and flexible authentication system. MFA at Spacelift is designed to protect your account and sensitive resources by requiring a second form of verification, adding a critical layer of security against unauthorized access.
+
+!!! warning
+    Before enabling MFA, consider to set backup credentials. This ensures that you can still access your account in the event of a lost security key or other unforeseen issues. You can find more about this in the [Backup Credentials](../../integrations/single-sign-on/backup-credentials.md) section.
+
+## Setting Up MFA for Your Account
+
+### Enable MFA
+
+Go to the _Personal settings_. Next, navigate to _Multi-factor authentication_. Here, you can add personal security keys that will be used for authentication.
+
+### Adding Security Keys
+
+- Click on the _Enable_ button to activate MFA.
+![](../../assets/screenshots/mfa/personal-settings-enable-mfa.png)
+- Follow the prompt to register your security key; you can name it for easy identification.
+- Once added, the key will appear in your list of security keys, complete with details like the key name, key ID, and creation date.
+
+### Deleting Security Keys
+
+You can remove a security key at any time. To delete, click the trash icon next to the key you wish to remove and confirm your action.
+
+## Setting Up MFA for Organization
+
+In order to manage MFA in your organization, please go to the _Organization settings_. Next, navigate to _Multi-factor authentication_.
+
+Admins can view and delete security keys for any user within the organization to maintain the organization's security integrity.
+
+![](../../assets/screenshots/mfa/organization-settings-mfa.png)
+
+### Enforce MFA
+
+Organization admins can enforce MFA across the organization to ensure that all users comply with the security standards. Enforcing MFA means every active user must have at least one registered security key.
+
+!!! warning
+    After MFA enforcement, existing sessions except for the current one will be invalidated. Users will be prompted to register their security keys during their next login session for continued access, please make sure they have FIDO2 complinant device to avoid lockout.
+
+### After Enforcing MFA
+
+Once MFA is enforced, all users must maintain at least one security key. The option to disable MFA (or delete all security keys) is disabled in _Personal settings_ for them. However, Admin always has the right to delete the user's key in the _Organization settings_.

docs/vendors/terraform/state-management.md

@@ -31,7 +31,7 @@ Terraform state. To keep things level, we'll also give you a reason not to.
 ### Don't
 
 1. We'll let you in on a little secret now - behind the pixie dust it's still Amazon S3 all the way down, and at this
-   stage [we store all our data in Ireland](../../product/security.md). If you're not OK with that, you're better off
+   stage [we store all our data in Ireland](../../product/security/README.md). If you're not OK with that, you're better off
    managing the state on your end.
 
 ## How it works

nav.self-hosted.yaml

@@ -168,7 +168,8 @@ nav:
           - product/administration/disaster-recovery.md
           - product/administration/slack-integration-setup.md
       - product/notifications.md
-      - product/security.md
+      - Security:
+        - product/security/README.md
       - product/migrating-to-spacelift.md
       - Support:
           - product/support/README.md

nav.yaml

@@ -165,7 +165,9 @@ nav:
       - integrations/teleport.md
   - 📖 Product:
       - product/notifications.md
-      - product/security.md
+      - Security:
+        - product/security/README.md
+        - product/security/mfa.md
       - product/migrating-to-spacelift.md
       - product/bulk-actions.md
       - Support: