Commit cc85bf3

Browse files
clarify MFA for team use case (#1576)
## Description

Clarify MFA for team use case by making it clear that the only secure and recommended way is to add members to the organization.

## Background & Motivation

Background is per elastic/sdh-control-plane#9470 (comment) and elastic/support-tech-lead#1564, which I had with @brunofarache internally that we should clarify the docs to make it clear that the only recommended way is to add members to the org.

## Before / After PR merged

:: Before

https://www.elastic.co/docs/cloud-account/multifactor-authentication

<img width="1501" alt="image" src="https://github.com/user-attachments/assets/60b6ea51-d18f-4837-9031-803e7ec4e822" />

:: After

Orange part will show up.

![image](https://github.com/user-attachments/assets/d18617f5-a737-44f4-a229-591067b57280)

---------

Co-authored-by: shainaraskas <[email protected]>
1 parent 6ce2232 commit cc85bf3

1 file changed

+1
-11
lines changed

1 file changed

+1
-11
lines changed

cloud-account/multifactor-authentication.md

Lines changed: 1 addition & 11 deletions
@@ -99,17 +99,7 @@ No, the Elastic Cloud default MFA enforcement does not apply when selecting **Lo
9999

100100
**My team uses a generic account or distribution/mailing list and shares the password to access Elastic Cloud. How will my team be able to log in and access our Elastic Cloud organization after the MFA enforcement?**
101101

102-
There are ways to work around the limitations of generic account access, but the more secure approach is to use one Elastic account for each Elastic Cloud user.
103-
104-
You can explore the following workarounds:
105-
106-
* Grant your team members access to that account’s Elastic Cloud organization by inviting and making them organization members. This may involve creating additional Elastic user accounts for each team member, depending on their organization access and ownership needs since we have yet to support multi-organization membership. When each team member has their own account to access your Elastic Cloud organization, they will be able to set up their own MFA method.
107-
* Use the email MFA method, assuming all of your team members have access to the generic account or distribution list’s mailbox.
108-
* Keep using the generic account to log in and set up multifactor authentication [using an authenticator app](#ec-account-security-mfa-authenticator).
109-
110-
During the setup, take a photo of the QR code, or note its numeric version, and share it across your team. This code is sensitive and should be stored and shared securely. For example, it should be stored in an encrypted place using a secure algorithm such as AES-256, and transmitted over a secure encrypted channel such as TLS 1.3.
111-
112-
This QR code is the "base" number used by the Authenticator app to generate codes based on the current time. There is no danger of synchronization issues. However, there is risk of a breach if the QR code picture or number is compromised.
102+
The only secure and recommended approach is to use one Elastic account for each {{ecloud}} user. You can grant your team members access to that account’s {{ecloud}} organization by inviting and making them organization members. This may involve creating additional Elastic user accounts for each team member, depending on their organization access and ownership needs, because Elastic does not support multi-organization membership. When each team member has their own account to access your {{ecloud}} organization, they will be able to set up their own MFA method.
113103

114104

115105
**After I set up an MFA method, will I need to answer an MFA challenge every time I authenticate through Elastic Cloud?**
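Review bot: the added `+` line uses the `{{ecloud}}` substitution while the unchanged question heading directly above it still spells out "Elastic Cloud" literally, so the rendered FAQ entry will mix the two; either switch the question to `{{ecloud}}` as well or keep the literal in the new paragraph. Dropping the shared-mailbox and shared-authenticator-seed workarounds is the right call, since a TOTP seed or mailbox shared across a team is not a per-user factor and cannot be revoked for one person without re-enrolling everyone, which is exactly the breach risk the removed text admitted to. Since teams that followed the old guidance and photographed the QR code now get no path forward, consider a short sentence telling them to invite each member to the organization and then re-enroll MFA on their own accounts, so the deletion reads as a migration rather than a silent removal.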
