Multi-Factor Authentication
Add a second layer of login verification to protect against stolen credentials.
Available MFA Methods
| Method | How It Works | Edition |
|---|---|---|
| SMS OTP | One-time code sent to user's registered phone | All |
| Email OTP | One-time code sent to user's email | All |
| New Device Check | Extra verification when logging in from a new device | All |
| TOTP (Authenticator App) | Time-based codes from Google Authenticator / Authy | Pro+ |
Enabling MFA
- Go to Admin Console → Settings → Security → MFA
- Choose your preferred MFA method(s)
- Set the enforcement scope: All Users, Specific Groups, or Administrators Only
- Configure the grace period for existing users (e.g., 7 days to enroll)
- Save and publish
New-Device Verification
When enabled, users logging in from an unrecognized device must complete an additional verification step. The device is then added to their trusted device list.
- Admins can view and revoke trusted devices per user
- Useful for detecting unauthorized access without requiring MFA on every login
✅ Enabling at minimum the new-device check is recommended for all deployments. It catches most account-sharing and unauthorized access attempts.
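The new-device flow described above, sketched as an added example (not the product's own code): an unrecognized device must pass the extra step before it joins the user's trusted list, and an admin can revoke it. The `TrustedDevices` class, its method names, the status strings and the choice of a random token stored as a SHA-256 digest are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class TrustedDevices:
    """Hypothetical in-memory trusted-device list: user -> set of token digests."""

    def __init__(self):
        self._trusted = {}

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked device list cannot be replayed as tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def is_trusted(self, user, token):
        if not token:
            return False
        digest = self._digest(token)
        # Lookup is per user: a token trusted for one account means nothing for another.
        return any(hmac.compare_digest(digest, d) for d in self._trusted.get(user, ()))

    def login(self, user, token, verify_step=None):
        """Run after the password check. Returns (status, device_token)."""
        if self.is_trusted(user, token):
            return "ok", token
        # Unrecognized device: require the extra step (e.g. an OTP) before trusting it.
        if verify_step is None or not verify_step():
            return "verification_required", None
        new_token = secrets.token_urlsafe(32)  # random, not derived from browser traits
        self._trusted.setdefault(user, set()).add(self._digest(new_token))
        return "ok", new_token

    def list_devices(self, user):
        """Admin view: digests of the user's trusted devices."""
        return sorted(self._trusted.get(user, ()))

    def revoke(self, user, digest):
        """Admin action: the device must verify again on its next login."""
        self._trusted.get(user, set()).discard(digest)
```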