MFA - Multi-Factor Authentication for Your SSO with PayPal
Note
This guide applies to U.S. business accounts using Single Sign-On (SSO) with PayPal. Merchants are required to enforce MFA for their users and must pass a SAML assertion to log in.
What is MFA, and why is it Important?
Multi-Factor Authentication (MFA) is a security requirement for connecting to PayPal through SSO. It ensures that users confirm their identity using at least two independent types of proof:
- Something you know (Knowledge): for example, password, PIN, security question
- Something you have (Possession): for example, an authenticator app, YubiKey, a mobile phone
- Something you are (Inherence): for example, fingerprint, facial recognition, voice ID
If your SAML response does not contain two valid MFA factors, PayPal Braintree reserves the right to reject the login to comply with regulatory and industry security standards.
The SAML assertion must include an amr field ("authentication method reference") with values of mfa and pwd.
Steps by Identity Provider
Okta
1. Enforce MFA for the App
- In the Okta Admin Console, go to: Security → Authentication Policies
- Assign or create an authentication policy that requires MFA for your SAML application.
- Attach the policy to your custom or OIN SAML app integration.
2. Add the Dynamic amr Attribute Statement
- In your SAML app integration, go to the General tab.
- Scroll to SAML Settings and select Edit.
- Select Next until you reach the Attribute Statements (Optional) section.
- Add a new attribute statement:
- Name: amr
- Name format: Unspecified
- Value: session.amr
- Save your changes.
OneLogin
1. Enforce MFA for the Braintree SSO App
- Go to Security → Policies.
- Create or modify your policy for users of the Braintree SSO app.
- Under Authentication Factors, select the required MFA methods (for example, OTP, push, and so on).
- Assign this policy to all users/groups who will access Braintree.
2. Add the amr Attribute
- Open the Parameters tab in your Braintree SSO app’s setup in OneLogin.
- Select Add Parameter.
- Name: amr
- Value: mfa
- Ensure Include in SAML assertion is selected.
With MFA enforced for all users, the SAML response will always include amr: mfa when access is attempted.
Microsoft Entra
- Microsoft passes MFA attributes by default.
- Ensure you’ve set up a conditional access policy on the Braintree SAML app in Entra that only allows access to MFA-enabled users.
Example Attribute:
<Attribute Name="http://schemas.microsoft.com/claims/authnmethodsreferences">
  <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password</AttributeValue>
  <AttributeValue>http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/phone</AttributeValue>
  <AttributeValue>http://schemas.microsoft.com/claims/multipleauthn</AttributeValue>
</Attribute>
Other Identity Providers
- If you do not use Okta or Microsoft Entra, check with your Identity Provider to add the amr attribute in the SAML response.
- Braintree will not allow users to log in unless the SAML response contains the amr attribute with both mfa and pwd values.
Accepted pattern by Braintree:
<Attribute Name="amr">
  <AttributeValue>pwd</AttributeValue>
  <AttributeValue>mfa</AttributeValue>
</Attribute>
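Before switching users over, it helps to inspect a real SAML response from your IdP and confirm it carries the evidence described above. The script below is an added example (not PayPal's or Braintree's validator): it parses the AttributeStatement, reports whether the accepted amr pattern (both pwd and mfa) is present, lists any value still missing, and separately notes whether the Microsoft Entra authnmethodsreferences claim carries multipleauthn. The sample assertions are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

AMR_REQUIRED = {"pwd", "mfa"}  # the "accepted pattern" listed above
ENTRA_CLAIM = "http://schemas.microsoft.com/claims/authnmethodsreferences"
ENTRA_MFA = "http://schemas.microsoft.com/claims/multipleauthn"


def _local(tag):
    """Drop the namespace so <saml:Attribute> and <Attribute> both match."""
    return tag.rsplit("}", 1)[-1]


def attribute_values(assertion_xml):
    """Map every Attribute Name in the assertion to the set of its values."""
    attrs = {}
    for el in ET.fromstring(assertion_xml).iter():
        if _local(el.tag) == "Attribute":
            vals = {(v.text or "").strip() for v in el if _local(v.tag) == "AttributeValue"}
            attrs.setdefault(el.get("Name"), set()).update(vals)
    return attrs


def mfa_evidence(assertion_xml):
    """Report which MFA evidence the assertion carries."""
    attrs = attribute_values(assertion_xml)
    amr = attrs.get("amr", set())
    return {
        "accepted_amr_pattern": AMR_REQUIRED <= amr,  # both pwd and mfa present
        "amr_missing": sorted(AMR_REQUIRED - amr),    # what the IdP still has to add
        "entra_mfa": ENTRA_MFA in attrs.get(ENTRA_CLAIM, set()),
    }


# Constructed sample: a password-only assertion, i.e. a single factor.
PWD_ONLY = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="amr">
   <saml:AttributeValue>pwd</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample matching the accepted pattern (second factor added).
PWD_AND_MFA = PWD_ONLY.replace(
    "<saml:AttributeValue>pwd</saml:AttributeValue>",
    "<saml:AttributeValue>pwd</saml:AttributeValue>\n   <saml:AttributeValue>mfa</saml:AttributeValue>",
)

if __name__ == "__main__":
    for label, doc in (("pwd only", PWD_ONLY), ("pwd + mfa", PWD_AND_MFA)):
        print(label, mfa_evidence(doc))
```

Feed it the decoded SAMLResponse captured from your IdP's test login (for example via the browser's SAML tracer) rather than the constructed samples to check your own configuration.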