Multi-factor authentication (MFA) FAQs
Details of the MFA/SSO requirement
Starting February 1, 2026, Medallia requires enhanced security protections for all Mindful Callback clients, specifically the use of single sign-on (SSO) or multi-factor authentication (MFA) for Medallia-hosted user accounts. We are making this change to further protect our customers in response to a changing threat landscape.
Client programs that have not yet implemented either SSO or MFA must have one of them in place by November 1, 2026.
Frequently asked questions
Why is Medallia requiring this now?
We continuously evaluate our security policies in light of emerging threats and industry best practices. The number of public credential leaks, password reuse incidents, and automated credential-stuffing attacks continues to rise across all industries. We strongly believe that this is the right move to protect our clients’ businesses.
The use of SSO and MFA has been Medallia's long-standing recommendation in our IT Playbook and product documentation portal. Many Medallia clients already use both technologies successfully.
To which Medallia products does this policy apply?
We will implement this policy across all of our products. Clients should take the opportunity to review their practices with their Medallia account team.
What is SSO?
SSO is a federated authentication process in which the client's own identity provider (IdP) authenticates the user and asserts that identity to Medallia, which acts as the service provider (SAML) or relying party (OIDC) and grants access on the strength of that assertion rather than on a Medallia-hosted password.
In practice, SSO ties Mindful Callback access to the client's identity lifecycle, which is typically driven by the human resource information system (HRIS). For example, once an employee is marked "terminated" in the HRIS and the IdP disables the account, that employee can no longer sign in to Mindful Callback; a session that is already open lasts only until it expires or is revoked.
Mindful Callback supports SAML 2.0 and OIDC as SSO protocols.
What is MFA?
MFA requires a user to prove their identity to Mindful Callback with two factors: their password and a one-time passcode generated on a separate device or application. Even if the password is compromised, an attacker who does not also hold the second factor cannot sign in.
Mindful Callback provides MFA natively for accounts that log in directly with a Mindful Callback password; it is not applied to SSO-authenticated users. Clients may enforce MFA for SSO users through their own identity provider, but that configuration lives in the client's IT infrastructure and is out of scope of Medallia's MFA support.
Mindful Callback supports authenticator applications enrolled through the industry-standard QR code flow.
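As an added illustration (not Mindful Callback's own code; the page does not describe its implementation), the example below assumes the authenticator flow is RFC 6238 TOTP, which is what the QR enrolment used by authenticator applications normally encodes. It shows what the QR code carries (an otpauth:// URI holding the per-user shared secret), how the one-time passcode is derived from that secret and the current time, and the server-side checks a practitioner would want: constant-time comparison, a one-step clock-drift window, and rejection of a replayed code. The issuer label, account name and demo secret are constructed values; the verification uses the public RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Constructed demo values (assumptions, not taken from the product):
ISSUER = "Mindful Callback"        # label the authenticator app would display
ACCOUNT = "agent@example.com"      # constructed account name
# RFC 6238 Appendix B test secret, ASCII "12345678901234567890", base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random 160-bit shared secret, base32 as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str,
                digits: int = 6, period: int = 30) -> str:
    """The otpauth:// Key URI that the enrolment QR code encodes."""
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, truncated."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret_b32, at // period, digits)


class TotpVerifier:
    """Server-side verifier for one enrolled user.

    - compares in constant time (hmac.compare_digest)
    - accepts codes from +/- skew_steps time steps to tolerate clock drift
    - never accepts the same (or an older) time step twice, so a code
      captured in transit cannot be replayed within its validity window
    """

    def __init__(self, secret_b32: str, period: int = 30,
                 digits: int = 6, skew_steps: int = 1):
        self.secret = secret_b32
        self.period = period
        self.digits = digits
        self.skew_steps = skew_steps
        self.last_used_step = -1  # persisted per user in a real deployment

    def verify(self, submitted: str, now: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        step = now // self.period
        for candidate in range(step - self.skew_steps, step + self.skew_steps + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed: blocks replay of an observed code
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print("QR code payload:", otpauth_uri(secret, ACCOUNT, ISSUER))
    now = int(time.time())
    code = totp(secret, now)
    verifier = TotpVerifier(secret)
    print("code", code, "accepted:", verifier.verify(code, now))
    print("same code again accepted:", verifier.verify(code, now))
```

The skew window is the trade-off to watch: each extra step on either side widens the set of codes an attacker could guess online, so keep it at one step and pair it with rate limiting on failed attempts; the replay guard is what keeps a code that was phished or shoulder-surfed from being reused during the remainder of its 30-second period.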
How do I implement SSO and/or MFA on my program?
To enable SSO or MFA on your program, coordinate with your Medallia Professional Services team or Partner administrator; contact Medallia Support if you have further questions.
By when must these be implemented?
SSO and/or MFA must be enabled on all client programs no later than November 1, 2026. We encourage clients to prioritize and finish this project earlier than that date.
If neither is configured before the deadline, MFA will be enabled automatically for all roles and users.
