
How to enforce Two Factor Authentication (2FA)

This article describes how to set up 2FA enforcement policies for an organization.

Updated over 3 months ago

Enforcing two-factor authentication (2FA) is a critical step to bolster your organization's security against unauthorized access and credential theft. This guide outlines the steps to implement a company-wide 2FA policy, including setting an enforcement date, a grace period for user enrollment, and a lockout window for those who don't comply.

Step 1: Set Your Enforcement Date

The enforcement date is the official start of your 2FA policy. After this date, all users will be required to set up 2FA to continue accessing their accounts. It's crucial to give your team ample notice to prepare for this change. We recommend communicating the upcoming change to your staff at least two to four weeks in advance.

To set your enforcement date:

  1. Navigate to the Org Settings section of your admin dashboard.

  2. Find the Require Two-Factor Authentication (2FA) option.

  3. Select Enable 2FA and choose a specific date from the calendar.

Step 2: Configure the Grace Period

The grace period is a crucial window of time that begins after your enforcement date. During this period, users who have not yet enabled 2FA will be prompted to do so every time they log in. They will not be able to proceed to their account dashboard until they complete the 2FA setup. This ensures that every user is aware of the new requirement and has time to comply without being immediately locked out.

To set your grace period:

  1. In the same 2FA settings menu, locate the Grace Period field.

  2. Enter the number of days you want the grace period to last. A typical grace period is 7 to 14 days, providing enough time for users to set up 2FA without delaying the security benefits.

Step 3: The 48-Hour Pre-Lockout Window

After the grace period ends, a pre-lockout window begins. During this 48-hour period, users who still haven't enabled 2FA will receive a final notice. The system will send out automated email and in-app notifications, reminding them that they will be locked out of their accounts if they don't comply within the next 48 hours. This is the last chance for users to avoid being locked out.

Step 4: Choose Your Target Audience

You can apply the 2FA enforcement policy to all users in your organization or omit staff accounts. Many organizations choose to exclude staff accounts from this policy due to shared phones or other constraints for lower-permission users.

To select your target audience:

  1. Look for the Include Staff Accounts option in the 2FA settings.

  2. Choose whether the policy should also apply to staff accounts.

What Happens Next?

  • Before the enforcement date: Users who log in will be notified that they will need to set up 2FA in the future.

  • During the grace period: Users who log in without 2FA will be forced to complete the setup process.

  • During the pre-lockout window: Users who still haven't set up 2FA will receive final notices.

  • After the pre-lockout window: Non-compliant users will be locked out of their accounts. An administrator will need to manually intervene and help them enable 2FA to regain access.
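To make that timeline concrete, here is an added example (not code from the article or from the product's admin dashboard) that decides which phase applies to a given login attempt from the enforcement date, the grace period in days, the fixed 48-hour pre-lockout window and the Include Staff Accounts option. It assumes the enforcement date and grace period start at midnight and that the staff option is a simple yes/no flag; the sample dates are constructed.

```python
from datetime import datetime, timedelta
from enum import Enum

# Length of the final-notice window that follows the grace period.
PRE_LOCKOUT_WINDOW = timedelta(hours=48)


class Phase(Enum):
    COMPLIANT = "2FA enabled: log in normally"
    EXEMPT = "staff account excluded from the policy"
    ADVANCE_NOTICE = "notify: 2FA will be required from the enforcement date"
    FORCED_SETUP = "block the dashboard until 2FA setup is complete"
    FINAL_NOTICE = "final notice: lockout in under 48 hours"
    LOCKED_OUT = "locked out: an administrator must intervene"


def policy_timeline(enforcement_date, grace_days):
    """Return (enforcement_start, grace_end, lockout_at) as datetimes.

    enforcement_date is an ISO-8601 date string such as "2024-06-01".
    """
    start = datetime.fromisoformat(enforcement_date)
    grace_end = start + timedelta(days=grace_days)
    lockout_at = grace_end + PRE_LOCKOUT_WINDOW
    return start, grace_end, lockout_at


def evaluate_login(now, enforcement_date, grace_days,
                   include_staff, is_staff, has_2fa):
    """Decide what a login attempt at `now` (ISO-8601 string) should do.

    include_staff mirrors the 'Include Staff Accounts' option; has_2fa
    says whether the user has already completed 2FA setup.
    """
    if has_2fa:
        return Phase.COMPLIANT          # enrolled users are never affected
    if is_staff and not include_staff:
        return Phase.EXEMPT             # policy scoped to non-staff users
    start, grace_end, lockout_at = policy_timeline(enforcement_date, grace_days)
    t = datetime.fromisoformat(now)
    if t < start:
        return Phase.ADVANCE_NOTICE     # before the enforcement date
    if t < grace_end:
        return Phase.FORCED_SETUP       # grace period: prompt on every login
    if t < lockout_at:
        return Phase.FINAL_NOTICE       # 48-hour pre-lockout window
    return Phase.LOCKED_OUT             # after the window: locked out


if __name__ == "__main__":
    # Constructed sample policy: enforce from 1 June 2024 with a 14-day grace period.
    for ts in ("2024-05-20", "2024-06-10", "2024-06-16T12:00", "2024-06-17"):
        print(ts, evaluate_login(ts, "2024-06-01", 14, True, False, False).value)
```

Running it with the constructed 14-day policy shows the grace period ending on 15 June and the lockout starting at midnight on 17 June, which is the date to communicate to staff.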

Enforcing 2FA is a simple yet powerful way to secure your organization's data. By following these steps, you can ensure a smooth transition for your team and significantly reduce your risk of a security breach.
