How to Manage MFA for Your Team

Why This Matters

As the account owner, you control whether MFA is required for your team and can reset a team member's MFA if they get locked out. This guide walks you through setting the account-wide policy and handling resets when someone loses access to their authenticator app.

Before You Begin

  • You must be the account owner to manage MFA settings and reset team member MFA
  • Team members cannot reset their own MFA if they are locked out — that reset has to come from you

Step-by-Step Instructions

Step 1: Set Your Account-Wide MFA Policy

Click your profile icon in the top right corner and select Account Settings. Under the Two-Factor Authentication (MFA) section, use the MFA Mode dropdown to choose your policy:

  • OFF — MFA is not used. Everyone signs in with just a password. This is the default.
  • OPTIONAL — Team members may enroll if they choose. Those who don't will continue signing in with just a password.
  • ON — MFA is required. Every team member must enroll the next time they sign in.

Click Save when done.

💡 If you set the policy to ON, give your team a heads up before you do it. Each team member will be walked through a two-minute setup the next time they sign in. Anyone who can't complete setup right then won't be able to access the account until they do.

Step 2: Check a Team Member's Enrollment Status

Click your profile icon in the top right corner and select My Team. Click Manage Team Settings, then click a team member's name. Scroll down to the Two-Factor Authentication (MFA) section. The status line shows whether they are enrolled and when they enrolled.

Step 3: Reset a Team Member's MFA

If a team member loses their phone or is otherwise locked out, go to their team member page following the same path as Step 2. In the Two-Factor Authentication (MFA) section, click Reset This Member's MFA. They will be prompted to re-enroll the next time they sign in.

Questions and Answers

Q: Can a team member reset their own MFA if they are locked out?

A: No. If a team member is locked out and has no backup codes, they need you to reset their MFA from the team member edit page. Once you reset it, they can re-enroll on their next sign-in.


Q: What happens to a team member's account after I reset their MFA?

A: Their previous authenticator app connection and backup codes are cleared. If your policy is set to ON they will be prompted to re-enroll the next time they sign in. If the policy is OPTIONAL they will simply sign in with just a password.


Q: Can I reset my own MFA from this page?

A: No. To manage your own MFA go to My Account > MFA Settings. The reset button on the team member page only applies to team members, not the account owner.


Q: What if a team member turns ON and gets locked out immediately?

A: If a team member can't complete MFA enrollment right away, temporarily change the policy back to OPTIONAL from Account Settings > Two-Factor Authentication (MFA). This lets them sign in while they get set up. Change it back to ON once they're ready.


Q: Do I need to notify my team before turning MFA on?

A: There is no automatic notification sent to team members. It's a good idea to let your team know in advance so they have an authenticator app ready when they next sign in.

Guide Type: How-To Guide

Estimated Time: 5 minutes