
# Dual Credentials

> Learn how to run dual-credential assessments with two stored accounts to test IDOR, broken access control, and privilege boundaries between users.

## What Dual Credentials Are For

Dual credential mode lets a red-team assessment use two stored accounts for the same target. This helps MindFort test whether one authenticated user can access data or actions that should belong to another user.

Use dual credentials when you want coverage for:

* IDOR and broken object-level authorization
* role bypass and privilege boundary issues
* cross-user data access
* tenant or account isolation problems

## Before You Start

Add at least two stored credentials to the target. The credentials should represent the access boundary you want tested, such as two standard users, a standard user and an admin, or users from different accounts or tenants.

For credential setup details, see [Authentication & Credentials](/guides/authentication-credentials).

## Run With Dual Credentials

<Steps>
  <Step title="Open New Assessment">
    Start a new assessment and select the target you want to test.
  </Step>

  <Step title="Enable dual credential mode">
    In **Credentials**, turn on **Dual credential mode**. This option is available after the target has at least two stored credentials.
  </Step>

  <Step title="Select two accounts">
    Choose the primary credential and the secondary credential. MindFort uses both accounts to compare what each user can access.
  </Step>

  <Step title="Start or schedule the assessment">
    Run the assessment immediately or configure a recurring schedule. Scheduled assessments keep the selected primary and secondary credentials.
  </Step>
</Steps>

## Choosing Credential Pairs

Choose accounts that make authorization failures easy to detect:

* Two regular users with separate data sets
* A low-privilege user and a higher-privilege user
* Users from different organizations, workspaces, or tenants
* Accounts with intentionally different feature access

Avoid using personal or production admin accounts. Dedicated test accounts give the clearest results and reduce risk.
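To show why pairs with separate data sets make failures easy to detect, here is an added example, not MindFort's code or API, that runs a two-account ownership check against a toy in-memory invoice endpoint in a vulnerable and a hardened form. The accounts, invoice ids, and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str
    tenant: str

# Constructed sample data: invoice id -> (owner name, tenant)
INVOICES = {101: ("alice", "acme"), 102: ("bob", "acme"), 201: ("carol", "globex")}

ALICE = Account("alice", "acme")
BOB = Account("bob", "acme")
CAROL = Account("carol", "globex")
ERIN = Account("erin", "acme")  # owns no invoices

def get_invoice_vulnerable(caller, invoice_id):
    """Authenticated, but never checks who owns the object."""
    return 200 if invoice_id in INVOICES else 404

def get_invoice_hardened(caller, invoice_id):
    """Checks tenant first, then ownership, before returning the object."""
    record = INVOICES.get(invoice_id)
    if record is None or record[1] != caller.tenant:
        return 404  # same answer for missing and other-tenant objects
    if record[0] != caller.name:
        return 403
    return 200

def owned_ids(account):
    return sorted(i for i, (owner, _) in INVOICES.items() if owner == account.name)

def cross_access_findings(handler, primary, secondary):
    """Return (reader, object id) pairs where one account reads the other's object."""
    findings = []
    for owner, other in ((primary, secondary), (secondary, primary)):
        for invoice_id in owned_ids(owner):
            if handler(owner, invoice_id) != 200:
                continue  # no baseline: the owner itself cannot read it
            if handler(other, invoice_id) == 200:
                findings.append((other.name, invoice_id))
    return findings

if __name__ == "__main__":
    for pair in ((ALICE, BOB), (ALICE, CAROL), (ALICE, ERIN)):
        for handler in (get_invoice_vulnerable, get_invoice_hardened):
            print(pair[0].name, pair[1].name, handler.__name__,
                  cross_access_findings(handler, *pair))
```

The pair that includes `ERIN`, who owns nothing, surfaces the flaw in only one direction, which is why accounts that each hold their own data give fuller coverage.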

## Related Guides

* [Targets](/guides/targets)
* [Authentication & Credentials](/guides/authentication-credentials)
* [Assessments](/guides/assessments)
