Mandatory MFA for Users
This article explains how the Mandatory Multi-Factor Authentication (MFA) setting works, who can manage it, and what your users will experience when it is enabled.
Mandatory MFA is a security setting that requires all users in a company to enable Multi-Factor Authentication on their accounts. When this setting is turned on, users must configure MFA before they can access the app.
MFA adds an extra layer of protection by requiring something the user knows (their password) plus something they have (a device or mailbox that receives a one-time code) to log in. A stolen or guessed password alone is then not enough to sign in.
Who can enable or disable Mandatory MFA?
Only admins with the Owner role or MSP admins can manage this setting for a company. All changes to this setting are logged in the Audit Log.
Once an Owner enables Mandatory MFA:
- All users will be required to set up MFA the next time they sign in (or immediately, if prompted).
- Until MFA is configured, users will not be able to access the app.
- Exception:
  - If a user is also an **admin of any company**, they still retain access to the **admin portal**, even if they have not yet configured MFA.
  - This allows admins to continue managing company settings and users while the rollout is in progress. Because this exception covers the most privileged accounts, admins should complete their own MFA setup before, or immediately after, enabling the requirement rather than relying on it.
Available MFA methods
Users can choose between two MFA methods:
- Email OTP (One-Time Password) - A one-time code is sent to the user's registered email address. The user must enter this code during login to complete authentication. The security of this method depends on the security of that mailbox.
- Authenticator App - The user links an authenticator app (such as Google Authenticator, Microsoft Authenticator, or similar) by scanning or entering a shared secret. The app then generates time-based one-time passwords (TOTP) that the user must enter at login; the codes change every few seconds and do not require a network connection or email delivery.
Users can select the method that best fits their needs, following the on-screen instructions during setup.
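The authenticator-app method works because the app and the server hold the same secret and each derive the same short-lived code from it and the current time. The Python below is an added illustration of that mechanism (HOTP per RFC 4226, TOTP per RFC 6238) and is not Symbol Security's code; the secret, account name and issuer are constructed sample values, and the server-side checks it shows (a one-step tolerance window, constant-time comparison, rejection of a code that was already accepted, and a length check on the submitted code) are standard verifier practice, not a description of how Symbol Security's service is implemented.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226), zero-padded to `digits` characters."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algorithm).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step."""
    return hotp(secret, at // step, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_accepted: int = -1) -> Optional[int]:
    """Server-side check of a user-submitted code.

    Returns the time-step counter the code matched, or None if it is rejected.
    - `window` steps either side of "now" are tolerated to absorb clock drift.
    - Each comparison is constant-time and the loop never short-circuits, so timing
      does not reveal which slot (if any) matched.
    - A counter at or below `last_accepted` is rejected so a code intercepted by a
      phishing page cannot be replayed; the caller persists the returned counter.
    """
    if at is None:
        at = int(time.time())
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = at // step
    matched: Optional[int] = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted) and candidate > last_accepted:
            matched = candidate
    return matched


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind encoded in the enrolment QR code that an
    authenticator app scans; the secret travels base32-encoded without padding."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    # Constructed enrolment for a hypothetical user; a real service would store
    # the secret encrypted at rest and show the URI only once, during setup.
    user_secret = secrets.token_bytes(20)
    print(provisioning_uri(user_secret, "alice@example.com", "Example Corp"))
    now = int(time.time())
    code = totp(user_secret, now)                    # what the app would display
    print("current code:", code)
    print("accepted at step:", verify_totp(user_secret, code, at=now))
    # The same code presented again is rejected once the step has been recorded.
    print("replay:", verify_totp(user_secret, code, at=now, last_accepted=now // 30))
```

The functions are exercised above with RFC 4226 / RFC 6238 published test vectors (secret `12345678901234567890`), which is the quickest way to confirm an implementation before trusting it with real enrolments. Note that the email OTP method is different in kind: its code is generated and stored server-side and delivered out of band, so the server only needs to compare the stored value (again in constant time) and expire it after one use or a short timeout.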
Disabling Mandatory MFA
Owners can disable the Mandatory MFA requirement at any time from the company settings. Once it is disabled, users are no longer required to have MFA enabled to access the app. However, any MFA configuration a user has already set up remains on their account unless they individually change their MFA settings, so users who enrolled during the rollout keep the protection.
Audit logging
Every action related to Mandatory MFA is tracked in the Audit Log page for accountability and compliance, including:
- When an Owner enables Mandatory MFA.
- When an Owner disables Mandatory MFA.
- When a user configures or changes their MFA method.
You can also see which users have enabled MFA in the 2FA column of the Users' Roster, which is useful for tracking rollout progress and spotting accounts that have not yet enrolled.
If the company has Single Sign-On (SSO) enabled, Mandatory MFA cannot be enabled for that company.
Learn more about the Multi-Factor Authentication feature here: https://knowledge.symbolsecurity.com/two-factor-authentication