Open

Add MFA/2FA/Passkey Support for FME Flow Local System Accounts

Related products:FME Flow

Forum|Forum|6 months ago
May 30, 2025
6 replies
106 views

rsun
Contributor

[A Message from Product Management at Safe Software] This idea has been refined from its initial posting. The original description is preserved below for reference.

The built-in “admin” user account in FME Flow lacks support for modern multi-factor authentication (MFA), including 2FA or passkey-based login. This poses a security risk, especially in environments where organizations rely on local accounts as a fallback when identity providers like Microsoft Entra ID (formerly Azure AD) are unavailable.

This idea proposes adding support for MFA/2FA/Passkeys to FME Flow’s local system accounts. This is critical for scenarios where SAML, LDAP, or Entra ID integrations fail or are temporarily offline, leaving only the local admin account as an option for access.

Dear All,
I would like to see FME Flow provide native built-in feature to allow users to run FME Schedule or default Dashboards -→ JobHistoryStatisticsGathering.fmw use Microsoft Entra SSO (FME) SAML-based admin accounts.
We purposefully disable local “admin” users, since FME Flow doesn't provide 2FA/MFA option for local users but set it up to use Microsoft Entra SSO (SAML) with mandatory 2FA.
Your support is appreciated :)
Cheers,
Reno

+14

rylanatsafe
Safer
Forum|Forum|3 months ago
September 16, 2025

Hi @rsun , thank you for sharing this idea! Looking at the FME workspace JobHistoryStatisticsGathering.fmw (configured in the DashboardStatisticsGathering schedule), I see that the credentials in the Parameters (as shown in your screenshot) are ultimately passed into an HTTPCaller hitting an FME Flow REST API endpoint. Based on that, I understand your request as essentially asking for Microsoft Entra ID authentication support for Flow REST API endpoints.

Could you confirm if that’s correct? If not, or if there are additional use cases you’d like us to consider, I’d love to hear them so we can make sure we’re tracking and prioritizing the right requirement.

Upvote

rsun
Author
Contributor
Forum|Forum|3 months ago
September 16, 2025

Hi @rylanatsafe,

Thank you for asking about this request. First of all, I love using FME Form and Flow.
I had a chat with FME’s FME Flow Technical Support Lead previously about why I would like to be able to use Entra IDP to log on to FME Flow. It is because that FME Flow “admin” account doesn’t have “2FA/MFA/Passkey” functionality to be protected properly. We also talked about risk of disabling the “admin” account (local account) and use Entra only...is when Entra is down...we are screwed lol.

So...I will say focus on building 2FA/MFA/Passkey for FME Flow local account is very critical for cybersecurity.

We stop using SAML now, but only use Entra IDP.

Many thanks!

Reno

Upvote

+14

rylanatsafe
Safer
Forum|Forum|2 months ago
September 22, 2025

@rsun after discussing this idea with some colleagues here at Safe, I’d like to refine it a bit. I think that the core request to track is providing a way to secure FME Flow “System” User Accounts (like the built-in admin) with 2FA/MFA/Passkeys.

I understand your point—if SAML/AD/Entra ID access ever breaks, the lack of stronger protection on the built-in account becomes both a security gap and a lockout risk.

Let me know if that sounds OK and I can update the idea title and description.