Enabling and Configuring Two-Factor Authentication
Two-Factor Authentication (2FA) adds a second verification step to user sign-in. After entering their username and password, users confirm their identity with a one-time code from an authenticator app, an SMS, or an email. 2FA significantly reduces the risk of account takeover from leaked or guessed passwords.
Magentrix supports three verification methods (Authenticator App, Email, SMS), two enforcement modes (every login or risk-based), and a complete admin enrollment-management surface for resetting users who lose access. This page covers the settings configuration. For the admin enrollment-management workflow, see Managing User MFA Enrollments.
Requirements
- Administrator System Role.
- For SMS verification: an active SMS provider Integration record.
- For Email verification: a working email configuration on the portal.
- For Authenticator App verification: users install a standard TOTP app such as Google Authenticator, Microsoft Authenticator, or Authy on their device.
Where 2FA Settings Live
Two-Factor Authentication settings are at Setup > Security Settings > Two-Factor Authentication. The page has three tabs: Settings, Overview, and User Management.
Enforcement Modes
Choose how often users are prompted for a second factor:
| Mode | Behavior | When to Use |
|---|---|---|
| Enforce only for unrecognized devices (Risk-Based) | Users are prompted for a second factor when signing in from a device or browser the platform doesn't recognize. The platform evaluates the request against stored cookies and the user's historical IP address; if either matches a previous trusted sign-in, 2FA is bypassed. | Balances security with user convenience for everyday partner and customer portals. |
| Enforce for every login | Users are prompted for a second factor on every sign-in, regardless of device. | High-security environments, regulated industries, or any portal handling sensitive data. |
Verification Methods
Administrators choose which of the three verification methods are available to users. Users can pick from the allowed methods during their enrollment or sign-in.
| Method | How It Works | Requirements |
|---|---|---|
| Authenticator App | The user installs a TOTP authenticator app (Google Authenticator, Microsoft Authenticator, Authy, etc.) and pairs it with the portal by scanning a QR code. On each sign-in, the user enters the rotating 6-digit code from the app. | User installs a standard TOTP app. No additional portal configuration. Most secure of the three methods. |
| Email | The platform emails a one-time code to the user's email address on file. The user enters the code from the email. | Working email configuration on the portal. User has access to their email inbox. |
| SMS | The platform sends a one-time code to the user's mobile phone via SMS through a configured SMS provider Integration. | SMS provider Integration record (e.g., Twilio). User has a phone number on their profile. |
Settings Reference
| Setting | What It Controls |
|---|---|
| Enable Two-Factor Authentication (master toggle) | Turns 2FA on or off for the entire portal. When off, no users are prompted regardless of the other settings. The master toggle lives at the top of the page. |
| Enforcement Mode | Enforce only for unrecognized devices, or Enforce for every login. See the table above. |
| Allow Authenticator App | When on, users can enroll an authenticator app (TOTP). Required if Default Method is Authenticator App. |
| Allow Email Verification | When on, users can receive codes by email. On by default. |
| Allow SMS Verification | When on, users can receive codes by SMS. Requires an SMS provider Integration. Off by default. |
| Default Method | The method users see first when prompted: Authenticator App, Email, or SMS. Users with multiple allowed methods can pick a different one if Allow Fallback Methods is on. |
| Allow Fallback Methods | When on, users who cannot use their default method (e.g., lost authenticator device) can fall back to another allowed method. When off, users must use the default method. |
| Authenticator Enrollment | Optional — users can enroll an authenticator app but aren't required to. Required — users with Authenticator App allowed are required to enroll on next sign-in. |
| Security Code Timeout | How long a code remains valid before the user must request a new one. Options: 2 minutes, 5 minutes, 15 minutes, 30 minutes, 60 minutes, 4 hours, 12 hours. Default: 4 hours. |
| Maximum Invalid Attempts | Number of incorrect code entries before the user is locked out. Options: 3, 5, 10, No Limit. Default: 3. |
| Resend Limit | Maximum times a user can request a new code per session. Options: 3, 5, No Limit. Default: No Limit. Useful to prevent SMS or email cost abuse. |
| SMS Provider | Reference to the SMS provider Integration record used when Allow SMS Verification is on. Required when SMS is enabled. |
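The three code-lifecycle settings above (Security Code Timeout, Maximum Invalid Attempts, Resend Limit) interact during one email or SMS verification session. The following Python model is an added illustration, not Magentrix code: the `CodePolicy` and `CodeSession` classes are hypothetical, the defaults mirror the table, and `None` stands for the "No Limit" option.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy object; values mirror the Settings Reference defaults.
@dataclass
class CodePolicy:
    timeout_seconds: int = 4 * 3600            # Security Code Timeout: 4 hours
    max_invalid_attempts: Optional[int] = 3    # Maximum Invalid Attempts: 3
    resend_limit: Optional[int] = None         # Resend Limit: No Limit

@dataclass
class CodeSession:
    """One user's email/SMS code session (constructed model, not product code)."""
    policy: CodePolicy
    now: float                    # injected clock so the example is deterministic
    code: Optional[str] = None
    issued_at: float = 0.0
    invalid_attempts: int = 0
    resends: int = 0
    locked: bool = False

    def issue(self) -> str:
        """Generate a fresh 6-digit code; a resend invalidates the previous code."""
        if self.locked:
            raise PermissionError("session locked; admin reset required")
        if self.code is not None:             # not the first code: this is a resend
            limit = self.policy.resend_limit
            if limit is not None and self.resends >= limit:
                raise PermissionError("resend limit reached")
            self.resends += 1
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued_at = self.now
        return self.code

    def verify(self, submitted: str) -> str:
        """Return 'ok', 'expired', 'invalid' or 'locked'."""
        if self.locked:
            return "locked"
        if self.code is None:
            return "invalid"                  # no active code to compare against
        if self.now - self.issued_at > self.policy.timeout_seconds:
            self.code = None                  # expired code can never be accepted
            return "expired"
        if hmac.compare_digest(self.code.encode(), submitted.encode()):
            self.code = None                  # single use
            return "ok"
        self.invalid_attempts += 1
        limit = self.policy.max_invalid_attempts
        if limit is not None and self.invalid_attempts >= limit:
            self.locked = True
            return "locked"
        return "invalid"
```

With the page defaults, a user who mistypes three times is locked and must be reset from the User Management tab; with Resend Limit left at No Limit, nothing in the session stops repeated SMS sends, which is the cost exposure the table warns about.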
Configure 2FA Step-by-Step
- From the Setup home page, go to Security Settings > Two-Factor Authentication.
- Toggle Enable Two-Factor Authentication on.
- Choose the Enforcement Mode: Enforce only for unrecognized devices (default, balanced) or Enforce for every login.
- Select which Verification Methods users can use: Authenticator App, Email, SMS, or any combination. At least one must be enabled.
- If SMS is enabled, select the SMS Provider Integration record.
- Set the Default Method to the verification method most users should see first. The choices are limited to the methods you enabled.
- Choose Allow Fallback Methods if users should be able to pick a different allowed method when the default isn't available.
- Set Authenticator Enrollment to Required if you want to force authenticator-app enrollment on next sign-in (only meaningful when Allow Authenticator App is on).
- Set Security Code Timeout, Maximum Invalid Attempts, and Resend Limit to match your security and cost policies.
- Click Save.
After saving, users are subject to the configured 2FA flow on their next sign-in. Existing sessions remain valid until they expire or the user signs out.
User Enrollment Flow
Once 2FA is enabled:
- A user signs in with their username and password.
- If the enforcement mode and device-history evaluation determine 2FA is required, the user is prompted to verify with the Default Method.
- If Authenticator App is the default and the user hasn't enrolled yet, the system shows the enrollment screen: the user scans a QR code with their authenticator app, then confirms by entering a code from the app.
- Once verified, the system optionally issues backup codes the user can save for emergency use (e.g., when they lose their authenticator device).
- The user is taken to their portal landing page.
End users see only the methods you enabled. The enrollment UI and the codes are managed by the Iris user-facing 2FA module — admins don't need to do anything to support enrollment beyond the configuration on this page.
Backup Codes
When users enroll an authenticator app, the platform issues a set of one-time backup codes. Each code can be used once to sign in if the user loses access to their authenticator device. Users can view and regenerate their backup codes from their portal profile. Administrators can also see who has low or no backup codes from the Overview tab on the 2FA settings page.
Overview Tab
The Overview tab on the 2FA settings page shows real-time adoption metrics:
- Enrollment rate — percentage of active users who have completed 2FA enrollment.
- Status breakdown — counts of enrolled, pending, and not-started users.
- Backup codes health — counts of users with low or zero remaining backup codes.
- Recent enrollments — users who completed enrollment in the recent period.
- Roles without 2FA — Security Roles whose users have not enrolled, for compliance reporting.
Permissions and Access
- 2FA Settings page: admin-only.
- User-side enrollment: every authenticated user with access to the portal. The enrollment flow is automatically presented when 2FA is enabled and the user's next sign-in requires it.
- Admin User Management tab (reset enrollment, regenerate backup codes): admin-only. See Managing User MFA Enrollments.
Troubleshooting Tips
- If users don't see the 2FA prompt after enabling, confirm Enable Two-Factor Authentication is on and at least one verification method is allowed.
- If SMS codes aren't arriving, confirm the SMS provider Integration is healthy and the user has a phone number on their profile.
- If a user is locked out after too many invalid attempts, reset their enrollment from the User Management tab. See Managing User MFA Enrollments.
- For full symptom-by-symptom resolutions, see Two-Factor Authentication Troubleshooting.
Where to Go Next
Two-Factor Authentication Checklist >>