DOC-457 Cloud user auth MFA (#420)

* DOC-457 Cloud user auth MFA

* minor edit

* edits from review

* Change 2FA to MFA

* clarify QR code only on initial setup

* Update modules/security/pages/cloud-authentication.adoc

Co-authored-by: Kat Batuigas <[email protected]>

* Update modules/security/pages/cloud-authentication.adoc

Co-authored-by: Kat Batuigas <[email protected]>

---------

Co-authored-by: Kat Batuigas <[email protected]>

Author: micheleRP

modules/get-started/pages/whats-new-cloud.adoc

@@ -8,6 +8,10 @@ This page lists new features added to Redpanda Cloud.
 
 == September 2025
 
+=== Multi-factor authentication
+
+Enable multi-factor authentication (MFA) to add an extra layer of security to your Redpanda Cloud account. After you enable MFA, you'll enter your credentials, then be prompted for a one-time code from your authenticator app when you log in. Administrators can also xref:security:cloud-authentication.adoc#multi-factor-authentication-mfa[enforce MFA] for all members of an organization.
+
 === Redpanda Cloud MCP Server: beta
 
 Connect AI assistants like Claude directly to your Redpanda Cloud account with the new xref:ai-agents:mcp/local/overview.adoc[Redpanda Cloud MCP Server]. This local server provides AI tools for managing clusters, topics, and other cloud resources through natural language commands.

modules/security/pages/cloud-authentication.adoc

@@ -70,12 +70,41 @@ Users with an email address with that realm (domain) can now access your Redpand
 
 ===== Tips for Integrating Entra ID
 
-If users are repeatedly prompted for consent or cannot sign in:
+If users are repeatedly prompted for consent or cannot log in:
 
 * Ensure the app is configured as Web with the exact Redirect URI from Redpanda Cloud.
 * Remove any extra API permissions (for example, `Microsoft Graph: User.Read`).
 * Avoid adding non-standard claims or scopes.
 
+=== Multi-factor authentication (MFA)
+
+Improve account security by requiring a second verification step when logging in to Redpanda Cloud. Redpanda Cloud supports time-based one-time passwords (TOTP) using an authenticator app (for example, Google Authenticator, Microsoft Authenticator, 1Password). You can enable MFA for your own account, and organization administrators can enable MFA for all members of the organization.
+
+During the initial MFA setup, after entering your login credentials, you're prompted to scan a QR code to get a TOTP code from an authenticator app. Enter that 6-digit code to access Redpanda Cloud. Subsequent logins also require entering a TOTP code, but you can choose to remember the device to skip the MFA prompt on that device for the next 30 days.
+
+As part of the initial setup, you're also prompted to save a separate recovery code. Keep the recovery code offline and secure. You can use that recovery code to regain access to Redpanda Cloud, if necessary (for example, if your phone is lost). 
+
+==== Enable MFA (individual users)
+
+Users can enable MFA for their own accounts.
+
+. In the Cloud UI, select your profile avatar and choose *Manage user*.
+. Open the *Security* tab.
+. Click *Enable* to set up multi-factor authentication.
+
+==== Enforce MFA (organization admins)
+
+Administrators can require MFA for all users in an organization.
+
+. In the Cloud UI, go to *Organization IAM*.
+. Open the *MFA* tab.
+. Click *Enable* to require MFA for all members of this organization.
+
+==== Troubleshooting
+
+* *New phone or lost access:* If you can't access your authenticator app, select to try another access method and enter your recovery code. 
+* *TOTP code not accepted:* Ensure the code hasn't expired and that your phone's time is set automatically; time drift can cause invalid codes.
+* *Remembered device prompts again:* The 30-day trust is device- and browser-specific. Clearing cookies, switching browsers, or using a new device requires re-verification.
 
 == Service authentication