About: Multi-Factor Authentication (MFA)

Why This Matters

Your password protects your account — but a stolen password alone can give an attacker full access. Multi-factor authentication (MFA) adds a second requirement at sign-in: a 6-digit code from an authenticator app on your phone. Without that code, a stolen password is useless.

What MFA Is

When MFA is turned on, signing in requires two things:

  • Something you know — your password
  • Something you have — a 6-digit code from an authenticator app on your phone

The code changes every 30 seconds. Without both, access is denied.

What Is an Authenticator App?

An authenticator app is a free app you install on your phone that generates a new 6-digit code every 30 seconds. Think of it like a combination lock that changes its own combination constantly — only you and the system know what the current combination is.

Here's what makes it work:

  • It's tied to your account. When you set up MFA, you scan a QR code that links your authenticator app specifically to your account. No one else's app can generate codes for your account.
  • It doesn't need cell service or internet. Once set up, the app generates codes on its own using a time-based formula. It works in airplane mode, in a basement, anywhere.
  • It lives separately from your email and password. That separation is the whole point. Even if someone steals your password, they'd also need your physical phone to get in.
  • The codes expire fast. Each code is only valid for 30 seconds. A code someone managed to see over your shoulder is useless moments later.

Popular authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, 1Password, and Bitwarden. All of them work the same way. If you don't have a smartphone, most desktop password managers like 1Password and Bitwarden can also generate authenticator codes on your computer.
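The "time-based formula" behind those codes, as an added example (not this service's code): the listed apps implement standard TOTP (RFC 6238), assumed here with HMAC-SHA1, 6 digits and 30-second steps. The secret is the RFC's published test key, standing in for the value the QR code carries; the clock-drift window and replay check in `verify` are assumptions about the server side, which the page does not describe.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated on the page
DIGITS = 6   # code length, as stated on the page

# Constructed sample: the RFC 6238 test key, base32-encoded the way a
# QR code (otpauth:// URI) would carry the shared secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the code for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, unix_time, last_used_step=-1, drift_steps=1):
    """Return the matched time step, or None if the code is rejected.

    Assumed server behaviour: accept +/- drift_steps windows for clock skew,
    and refuse any step at or before last_used_step so a code that was
    already accepted cannot be replayed inside its window.
    """
    current = int(unix_time) // STEP
    for step in range(current - drift_steps, current + drift_steps + 1):
        if step <= last_used_step:  # also skips negative steps
            continue
        expected = totp(secret_b32, step * STEP)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))            # code for the window containing t=59
    print(verify(SAMPLE_SECRET, "287082", 59))
```

The phone and the server run the same `totp` computation from the same secret and clock, which is why no network connection is needed on the phone.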

Who MFA Applies To

MFA works independently for each type of user on your account:

  • Account Owners — the person who created and manages the account
  • Team Members — anyone the owner has added to the account

Each person's MFA enrollment is completely separate. An owner enrolling does not enroll their team members, and a team member enrolling does not affect anyone else.

The Three Policy Settings

The Account Owner controls MFA for the entire account from My Account > MFA Settings. There are three options:

  • OFF — MFA is not used. Everyone signs in with just a password. This is the default.
  • OPTIONAL — Team members may enroll in MFA if they choose. Those who enroll will be prompted for a code at sign-in. Those who don't will continue signing in with just a password.
  • ON — MFA is required. Every team member must set up an authenticator app the next time they sign in.

💡 The enrollment option is only available once the policy is set to OPTIONAL or ON. Team members will not see the option to enroll while the policy is OFF.

Is MFA Right for You?

MFA adds real security, but it also adds a step to every sign-in. Whether that trade-off makes sense depends on how you use your account.

MFA is worth enabling if:

  • You have team members signing in from multiple locations
  • You store sensitive client information such as financial, medical, or personal data
  • You want to protect your account even if your password is ever compromised

You may not need MFA if:

  • You are a solo user working from your own trusted devices at home or in a private office
  • You don't store sensitive client data
  • A seamless, low-friction sign-in experience is a priority for your workflow

There's no wrong answer. MFA is available to everyone, and the policy settings give you full control to turn it on, make it optional, or leave it off entirely.

Backup Codes

When you enroll in MFA, the system generates 10 single-use backup codes. Use these when you don't have access to your phone. Each code works exactly once. They are shown to you one time at enrollment and are not stored anywhere you can retrieve them later, so save them somewhere safe.

You can generate a fresh set anytime from My Account > MFA Settings using the Regenerate backup codes button. Generating new codes immediately cancels any unused codes from the previous set.
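One way a service can get the backup-code behaviour described above (single use, shown once, old set cancelled on regeneration), as an added example rather than this product's implementation. The `BackupCodeStore` class, the 10-hex-character code format and the digest-only storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

CODES_PER_SET = 10  # set size stated on the page


def _digest(code: str) -> bytes:
    # The codes are random and high-entropy, so a plain SHA-256 digest is
    # used here; this storage choice is an assumption, not from the page.
    return hashlib.sha256(code.strip().lower().encode()).digest()


class BackupCodeStore:
    """Keeps only digests, so plaintext codes cannot be displayed again."""

    def __init__(self):
        self._unused = {}  # user -> set of digests of codes not yet used

    def regenerate(self, user: str) -> list:
        """Issue a fresh set; every unused code from the old set is dropped."""
        codes = [secrets.token_hex(5) for _ in range(CODES_PER_SET)]  # format assumed
        self._unused[user] = {_digest(c) for c in codes}
        return codes  # shown to the user once, never stored in plaintext

    def redeem(self, user: str, code: str) -> bool:
        """Accept a code at most once."""
        candidate = _digest(code)
        for stored in self._unused.get(user, set()):
            if hmac.compare_digest(stored, candidate):
                self._unused[user].discard(stored)  # burn it, then stop iterating
                return True
        return False

    def remaining(self, user: str) -> int:
        return len(self._unused.get(user, ()))


if __name__ == "__main__":
    store = BackupCodeStore()
    first = store.regenerate("alice")          # constructed sample user
    print(store.redeem("alice", first[0]), store.redeem("alice", first[0]))
```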

Trusted Devices

At sign-in, you can check Remember this device to skip the MFA code prompt for 30 days on that browser. After 30 days you'll be prompted again. Clearing your browser cookies, switching browsers, or using a private/incognito window will also trigger a new prompt regardless of the trust window.

You can review and revoke trusted devices anytime from My Account > MFA Settings.

The MFA Audit Log

Account owners can view a full log of MFA activity from My Account > MFA Settings > View MFA audit log. The log records every enrollment, sign-in challenge, backup code use, device change, and admin reset for everyone on the account.

Questions and Answers

Q: Do I have to use MFA?

A: Only if your account owner has set the policy to ON. If the policy is OPTIONAL, you can enroll if you want but aren't required to. If the policy is OFF, nothing changes for you.


Q: Which authenticator app should I use?

A: Any standard app works — Google Authenticator, Microsoft Authenticator, Authy, 1Password, and Bitwarden are all compatible. If you don't have a smartphone, most desktop password managers like 1Password and Bitwarden can generate MFA codes on your computer just as well.


Q: Do I need cell service or internet for my authenticator app to work?

A: No. Once set up, the app generates codes on its own and works without any internet or cell connection.


Q: What if I lose my phone?

A: If you saved your backup codes, use one of those to sign in. If you don't have backup codes, contact your account owner to reset your MFA. If you are the account owner, contact support.


Q: Does the Remember this device option last forever?

A: No. Trusted device status expires after 30 days, at which point you'll be prompted for a code again. Clearing your browser cookies or switching browsers will also end the trust early.


Q: Can I turn MFA off for myself if my account requires it?

A: No. If the account-wide policy is set to ON, individual users cannot opt out. The account owner would need to change the policy to OPTIONAL or OFF.


Guide Type: Reference Guide

Estimated Time: 5 minutes