MFA registration fails when using OIDC/SSO authentication

Last updated: December 19, 2025

If you're seeing a "Key registration failed. Please try again" error when trying to enable MFA (Multi-Factor Authentication) in Spacelift, this is likely because your account is configured to use OIDC/SSO authentication.

Why this happens

When your Spacelift account uses OIDC/SSO authentication, the authentication process is handled entirely by your external OIDC provider. Spacelift's internal MFA system cannot be used with SSO setups, which is why you'll see the "registration failed" message when attempting to enable MFA within Spacelift.

Solution

To enable MFA for your Spacelift account when using OIDC/SSO:

  1. Log into your OIDC provider's identity management system (such as Azure AD, Okta, or Google Workspace)

  2. Enable MFA within your OIDC provider's settings

  3. Configure the MFA settings according to your provider's documentation

This approach ensures your Spacelift login is protected by MFA while remaining fully compatible with your SSO configuration. The MFA challenge will occur during the SSO login process before you're redirected to Spacelift.

Additional notes

If you have both SSO and non-SSO user accounts with the same email address, make sure you're logging in through the correct authentication method. The MFA restriction only applies to accounts using OIDC/SSO authentication.