Two-Factor Authentication Checklist
Use this checklist to roll out Two-Factor Authentication end to end. Configuration lives at Setup > Security Settings > Two-Factor Authentication. Each step links to a detailed article.
Requirements
- Administrator System Role.
- Decided which verification methods you will allow (Authenticator App, Email, SMS).
- For SMS: an active SMS provider Integration record.
- For Email: a healthy portal email configuration.
Plan
☐ Decide enforcement scope. Will 2FA apply to every login, or only to unrecognized devices? Risk-based mode is the right default for partner / customer portals; every-login is the right default for internal admin or compliance-driven portals.
☐ Choose verification methods. Pick at least one. Authenticator App is the most secure; Email is the lowest-friction; SMS requires an SMS provider but is convenient when users don't use email regularly.
☐ Decide on enrollment policy. Will users be required to enroll the Authenticator App on next sign-in, or is enrollment optional?
☐ Communicate the change in advance. 2FA introduces a sign-in change for every user. Email partners and internal teams a few days before turning it on, with screenshots and a link to the authenticator app you recommend.
Configure Settings
☐ Enable and configure 2FA. Toggle on the master switch, choose enforcement mode, enable verification methods, pick the default method, and set timeout / attempt / resend limits.
☐ Configure SMS provider (if SMS is enabled). Confirm the SMS provider Integration record is healthy and selected on the 2FA settings page.
☐ Set Authenticator Enrollment policy. If you want users to be forced to enroll Authenticator App on next sign-in, set Authenticator Enrollment to Required.
Test
☐ Test as an internal user. Use Login As or a test admin account to sign in and walk through the 2FA flow for each enabled method.
☐ Test the Authenticator App flow end to end. Scan the QR code with Google Authenticator or Microsoft Authenticator, confirm the code, save backup codes, sign out, sign back in.
☐ Test fallback behavior. If Allow Fallback Methods is on, simulate "lost authenticator" by picking a different method during sign-in and confirm the flow works.
☐ Test the recovery flow. As an admin, reset a test user's enrollment from the User Management tab, then sign in as that user to confirm they are re-prompted to enroll. See Managing User MFA Enrollments.
Roll Out
☐ Announce the change. Tell users the date 2FA goes live, what to expect, which authenticator apps you recommend, and what to do if they get stuck (typically: contact their account manager or the help desk).
☐ Stage the rollout if you have many users. Consider enabling 2FA for internal users first, then partner users, then customer users. Use Login As to verify each Role's experience.
☐ Monitor the Overview tab in the first few days for enrollment rate, backup-code health, and Roles without 2FA. Address gaps proactively.
Maintain
☐ Reset enrollments for users who lose their authenticator device. Use the User Management tab on the 2FA settings page to reset a user's enrollment so they can re-enroll on next sign-in.
☐ Watch backup-codes health. The Overview tab highlights users with low or zero remaining backup codes. Reach out before they lock themselves out.
☐ Periodically review Roles without 2FA. Confirm exclusions are intentional (e.g., legacy service accounts) and not just unenrolled users who missed the rollout.
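The verification rules this checklist configures (attempt limit, single-use backup codes, and the Overview tab's low-backup-code warning) can be modelled in a few lines. The following is an added illustration, not the portal's own code; the TOTP routine follows RFC 6238, while MAX_ATTEMPTS, LOW_BACKUP_THRESHOLD and the Enrollment structure are constructed stand-ins for the settings-page values.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5          # constructed attempt limit, stands in for the settings-page value
LOW_BACKUP_THRESHOLD = 2  # constructed "low remaining backup codes" threshold

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

@dataclass
class Enrollment:
    secret: bytes                                    # shared secret delivered via the QR code
    backup_hashes: set = field(default_factory=set)  # backup codes stored hashed, never plain
    failed_attempts: int = 0
    last_counter: int = -1                           # highest accepted time step; blocks code replay

def issue_backup_codes(enr: Enrollment, n: int = 8) -> list:
    """Generate single-use backup codes; return them once, keep only hashes."""
    codes = [secrets.token_hex(4) for _ in range(n)]
    enr.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes

def verify(enr: Enrollment, submitted: str, now: int, step: int = 30) -> str:
    """Return 'ok', 'ok-backup', 'denied' or 'locked' for one sign-in attempt."""
    if enr.failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    for skew in (-1, 0, 1):                          # tolerate one step of clock drift
        counter = now // step + skew
        expected = totp(enr.secret, counter * step, step)
        if counter > enr.last_counter and hmac.compare_digest(expected, submitted):
            enr.last_counter, enr.failed_attempts = counter, 0
            return "ok"
    digest = hashlib.sha256(submitted.encode()).hexdigest()
    if digest in enr.backup_hashes:                  # fallback: consume a backup code once
        enr.backup_hashes.discard(digest)
        enr.failed_attempts = 0
        return "ok-backup"
    enr.failed_attempts += 1
    return "locked" if enr.failed_attempts >= MAX_ATTEMPTS else "denied"

def needs_backup_reset(enr: Enrollment) -> bool:
    """What the Overview tab's backup-code health check would flag."""
    return len(enr.backup_hashes) <= LOW_BACKUP_THRESHOLD
```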
If You Run Into Issues
☐ Two-Factor Authentication Troubleshooting: symptom-by-symptom resolutions for lockouts, codes not arriving, QR code scan failures, backup-code exhaustion, and fallback issues.