Enabling Two-Factor Authentication
Enhance your organization's security by requiring two-factor authentication (2FA) for all users.
What is 2FA?
Two-factor authentication requires users to provide two forms of identification:
- Something they know: Password
- Something they have: Phone with authenticator app
Enabling 2FA for Your Organization
For Individual Users
Users can enable 2FA for themselves:
- Go to Profile → Security
- Click Enable Two-Factor Authentication
- Scan QR code with authenticator app:
  - Google Authenticator
  - Microsoft Authenticator
  - 1Password
  - Authy
- Enter 6-digit code to verify
- Save backup codes securely
For All Users (Organization-Wide)
Require 2FA for everyone:
- Go to Settings → Security
- Enable Require 2FA for all users
- Set grace period (e.g., 7 days for users to set up)
- Click Save
What happens:
- Existing users prompted to set up 2FA on next login
- New users must set up 2FA during activation
- Users without 2FA cannot log in after grace period
Phased Rollout
Recommended approach to minimize disruption:
Week 1: Administrators
- Enable 2FA for admin accounts
- Verify no issues
- Document the process
Week 2: Managers
- Notify managers about upcoming 2FA requirement
- Provide setup instructions
- Enable 2FA requirement for manager group
Week 3-4: All Users
- Announce to all users
- Provide training and support
- Enable organization-wide 2FA
- Set 7-day grace period
Backup Codes
Users receive 10 single-use backup codes when setting up 2FA.
Users should:
- Save codes in password manager
- Print and store securely
- Use only if they lose access to authenticator app
Administrators:
- Can view whether a user has generated backup codes
- Cannot see the actual codes (security)
- Can reset 2FA if a user loses access
Managing 2FA
Viewing 2FA Status
See which users have 2FA enabled:
- Go to Users
- Add 2FA Status column
- Filter by "2FA Enabled" or "2FA Disabled"
Resetting User's 2FA
If a user loses access to their authenticator app:
- Verify user identity (call, video, etc.)
- Go to Users → Select user
- Click Reset 2FA
- User must set up 2FA again on next login
Security
Only reset 2FA after verifying the user's identity through an alternate channel.
Best Practices
- Phased rollout: Start with admins, then all users
- Communication: Announce well in advance
- Support: Prepare help desk for questions
- Documentation: Provide clear setup instructions
- Testing: Test the process before organization-wide rollout
Troubleshooting
Code doesn't work:
- Ensure device time is synchronized
- Use the latest code (expires every 30 seconds)
- Try backup code
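Why an unsynchronized device clock makes a code fail, as an added example (not this product's own code). It assumes the authenticator apps listed above generate standard RFC 6238 TOTP codes with HMAC-SHA1 and that the server accepts one 30-second step either side; the product's actual tolerance is not stated here, and the secret and clock values are constructed.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # seconds a code stays valid (the 30-second expiry noted above)
DIGITS = 6   # code length (the 6-digit code entered at setup)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP using HMAC-SHA1, the default in common authenticator apps."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the current code plus `window` steps either side (assumed tolerance)."""
    return clock_drift_steps(secret, code, server_time, search=window) is not None


def clock_drift_steps(secret: bytes, code: str, server_time: int,
                      search: int = 20) -> Optional[int]:
    """Return how many 30-second steps the device clock is off, nearest match first.

    None means no step in range produces this code: a typo or wrong secret, not drift.
    """
    for steps in sorted(range(-search, search + 1), key=abs):
        t = server_time + steps * STEP
        if t >= 0 and hmac.compare_digest(totp(secret, t), code):
            return steps
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test secret, not a real enrolment
    server_time = 150                  # constructed server clock (seconds)
    for device_skew in (0, 25, 90):    # constructed device clock errors (seconds)
        code = totp(secret, server_time + device_skew)
        print(f"device +{device_skew:>2}s code={code} "
              f"accepted={verify(secret, code, server_time)} "
              f"drift_steps={clock_drift_steps(secret, code, server_time)}")
```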
Lost authenticator app:
- Contact administrator for 2FA reset
- Use backup code if available
- Set up new authenticator after reset
User locked out:
- Administrator can reset 2FA
- User sets up 2FA again
- Generate new backup codes
Next Steps
- Security Concept - Overall security practices
- Authentication - Other auth methods