SSO & MFA

MFA on every plan. SSO on every paid plan. No security upcharge.

Multi-factor authentication is mandatory on every Kovira account on every plan, including the free tier. SAML 2.0 single sign-on is included on every paid plan: Teams, Business, and MSP. There is no separate “Enterprise” tier whose only meaningful upgrade is the right to log in safely.

What is included by tier

Two columns at a glance: what every Kovira account gets (the security baseline) and what an upgrade to a paid plan adds (the identity-provider contract).

  • Mandatory MFA on every account: Free, Teams, Business, MSP
  • TOTP authenticator-app support: Free, Teams, Business, MSP
  • MFA-aware password reset flow: Free, Teams, Business, MSP
  • SAML 2.0 single sign-on: Teams, Business, MSP (not on Free)
  • Identity-provider metadata exchange: Teams, Business, MSP (not on Free)
  • SSO-required enforcement (no email-and-password fallback): Teams, Business, MSP (not on Free)
  • Per-tenant SSO configuration (MSP): MSP only (not on Free, Teams, or Business)

The industry has been gating security wrong

Across the SaaS industry there is a long-running pattern: vendors put single sign-on behind a top-tier “Enterprise” plan, often at four to ten times the price of the tier immediately below it, and sometimes only available through a sales call. Multi-factor authentication shows up the same way on some platforms - off by default, or available only on paid tiers, or behind an “advanced security” add-on.

The argument for it is usually phrased in terms of cost: enterprise customers want SSO and will pay for it, smaller customers do not need it. But security is not a feature in the way reporting or branding is a feature. When SSO is gated, the predictable result is that smaller organisations - which are not less likely to be breached, only less able to absorb the cost - end up with weaker authentication than larger ones. The pricing model has shifted the security floor.

We are not naming names here. The pattern is well-documented, the criticism of it is well-rehearsed, and a community-maintained register exists for anyone who wants to see who does what. Our position is simpler: we want our pricing to differ on capacity rather than on whether the workspace is safe to log into.

How we think about it

Three positions that explain why MFA is mandatory on the free tier and SSO is included on the lowest paid plan.

Authentication strength is a baseline, not a tier

An MFA-enforced account is not a premium feature. It is the minimum bar a multi-tenant platform should hold itself to in 2026. We do not believe a free user should be in a weaker security posture than a paying user simply because the price is zero.

SSO belongs to identity, not to enterprise sales

Single sign-on is the modern identity contract: organisations want their identity provider to govern access, full stop. Charging four to ten times the next-tier price for that contract is a pricing decision dressed up as a security feature - and it makes the whole industry less secure by pushing teams off SSO for budget reasons.

We charge for capacity, not for security primitives

Kovira's plans differ on capacity (seats, configuration items, agents, throughput) and on a small set of integration surfaces (Microsoft 365, multi-tenant workspaces). They do not differ on whether the platform itself is secure. The security model is the same shape on the free tier as on the MSP plan.

The standards we use

Both SSO and MFA are implemented against open standards so that they interoperate cleanly with whatever identity infrastructure you already have.

  • SAML 2.0 for SSO. The federated-identity standard supported by Microsoft Entra ID, Okta, Google Workspace, OneLogin, JumpCloud, and any other SAML-speaking identity provider.
  • TOTP for the second factor. Compatible with Authy, Google Authenticator, 1Password, Microsoft Authenticator, or any hardware token that emits TOTP codes.
  • Per-workspace policy. Owners can require SSO for all members of a paid workspace, so individual accounts cannot fall back to email-and-password sign-in once SSO is configured.
  • Per-tenant SSO on MSP. On the MSP plan, each client tenant configures its own SAML provider. A technician's sign-in is governed by the tenant they are entering, not by a single global provider.

SSO and MFA: frequently asked questions

Common questions about how SSO and MFA work on Kovira.

Is MFA included on the free tier?

Yes - and it is mandatory, not optional. Every account on every Kovira plan, including the free tier, requires multi-factor authentication on sign-in. There is no plan upgrade required to turn on MFA, and there is no option to turn it off.

Why is MFA mandatory rather than optional?

Because optional MFA is not really MFA. If a single account on a workspace can opt out, that account becomes the weakest link, and the workspace is only as secure as the loosest credential. We removed the choice deliberately - every account, every plan.

Which plans include SSO?

All paid plans: Teams, Business, and MSP. Single sign-on uses SAML 2.0 so it works with Microsoft Entra ID, Okta, Google Workspace, OneLogin, JumpCloud, and any other identity provider that speaks SAML. The free tier uses email-and-password sign-in with mandatory MFA.

Why isn't SSO on the free tier as well?

Honestly, because SSO meaningfully changes the integration burden on our side and we want the free tier to remain genuinely free without us having to claw it back somewhere. The free tier still has mandatory MFA on every account, so the security baseline is unchanged. SSO becomes available the moment you upgrade to any paid plan, starting at the lowest tier.

What's the deal with the so-called "SSO tax"?

It's a pattern where SaaS vendors gate single sign-on behind their highest-tier (often "Enterprise") plan, frequently at a multiple of the price of the plan immediately below it. The result is that organisations have to choose between secure-by-design identity and a reasonable bill. We don't believe SSO should sit behind that wall, so we put it on the lowest paid tier.

What standards does Kovira use for SSO and MFA?

SSO uses SAML 2.0, the industry standard for federated identity. MFA uses time-based one-time passwords (TOTP), compatible with any standard authenticator app such as Authy, Google Authenticator, 1Password, Microsoft Authenticator, or hardware tokens that emit TOTP codes.

Can I enforce SSO-only access for my workspace?

On Teams, Business, and MSP plans, yes - workspace owners can require SSO for all members of a workspace, so individual accounts cannot fall back to email-and-password sign-in once SSO is configured for the organisation.

How do I add SSO to my Kovira workspace?

Once you are on a paid plan, an Owner can configure SAML 2.0 SSO from workspace settings. We provide the standard SAML metadata (entity ID, ACS URL, certificate) and accept identity provider metadata back. The setup is the standard SAML round-trip; no professional services engagement required.

A workspace where security is the default

Kovira is launching soon with mandatory MFA on the free tier and SAML 2.0 SSO on every paid plan.