Enforcing MFA Organization-Wide

Require multi-factor authentication for all team members - configure MFA policies and manage compliance.

Last updated: January 15, 2025
Enterprise Plan

Require all team members to use multi-factor authentication. Enforce security standards across your organization.

Why Enforce MFA?

Security Benefits

Benefit                   Impact
Prevent account takeover  99.9% reduction
Compliance requirement    SOC 2, HIPAA, PCI
Reduce breach risk        Major security layer
Protect sensitive data    Analytics access secured

Compliance Requirements

MFA often required for:

  • SOC 2 Type II
  • HIPAA
  • PCI DSS
  • GDPR (recommended)
  • Cyber insurance

MFA Methods Available

Supported Methods

Method                  Security Level  Convenience
TOTP Authenticator      High            Medium
SMS Codes               Medium          High
WebAuthn/Security Keys  Very High       High
Push Notifications      High            Very High

Recommended order:

  1. WebAuthn (highest security)
  2. TOTP App (good balance)
  3. Push Notification (good convenience)
  4. SMS (last resort)

Enabling MFA Enforcement

Step 1: Access Settings

  1. Go to Settings → Security
  2. Click "MFA Policy"
  3. Configure enforcement

Step 2: Configure Policy

┌─────────────────────────────────────────────────────┐
│ MFA Enforcement Policy                              │
│ ─────────────────────────────────────────────────── │
│                                                     │
│ Enforcement Level:                                  │
│ ○ Optional (users choose)                          │
│ ○ Encouraged (prompts but not required)            │
│ ● Required (all users must enable)                 │
│                                                     │
│ Allowed Methods:                                    │
│ ☑ TOTP Authenticator (Google, Authy, etc.)        │
│ ☑ WebAuthn / Security Keys                         │
│                                                     │
│ Grace Period: [14] days                            │
│ (Time for existing users to enable MFA)            │
│                                                     │
│ Applies To:                                         │
│ ● All team members                                 │
│ ○ Specific roles only                              │
│ ○ Users matching conditions                        │
│                                                     │
│ [Save Policy]                                      │
└─────────────────────────────────────────────────────┘

Step 3: Set Grace Period

Give users time to comply:

  • New policy: 14-30 days recommended
  • Urgent security: 1-7 days
  • New users: Immediate (no grace)

Step 4: Communicate to Team

Before enforcement:

  1. Send announcement email
  2. Provide setup guides
  3. Offer help sessions
  4. Monitor compliance

Enforcement Levels

Optional

MFA is available but not required:

  • Users can enable if desired
  • Good for initial rollout
  • Low friction

Encouraged

System prompts but doesn't require:

  • Shown setup prompts
  • Can skip for now
  • Periodic reminders

Required

All users must have MFA:

  • Cannot access without MFA
  • Grace period for setup
  • Locked out after grace

Enforcement Scope

All Team Members

Everyone must comply:

  • Admins
  • Editors
  • Viewers
  • Including owner

Role-Based

Enforce for specific roles:

Enforce MFA for:
☑ Owner
☑ Admin
☐ Editor
☐ Viewer

Conditional

Based on conditions:

Require MFA when:
☑ User has Admin role
☑ User accesses billing
☑ User accesses sensitive data
☐ Always

Grace Period

How Grace Period Works

Day 0: Policy enabled
├── Users notified via email
├── Dashboard shows setup prompt
└── All features accessible

Day 1-13: Grace period
├── Daily reminders
├── Setup prompts
└── Features still accessible

Day 14: Enforcement begins
├── Users without MFA locked out
├── Must set up MFA to continue
└── Access blocked until compliant

Grace Period Notifications

Users receive:

  • Email on Day 0 (policy announcement)
  • Email on Day 7 (reminder)
  • Email on Day 12 (urgent)
  • Email on Day 14 (enforcement active)
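As an added example (not Zenovay's own code), the enforcement level, scope and grace-period rules from the sections above modelled as a small decision function, with the Day 0/7/12/14 email schedule just listed. The policy and member field names, and the "extended_until" field an admin extension would set, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
REMINDER_DAYS = (0, 7, 12)  # email on these grace days; day 14 = enforcement email

# Constructed model of the policy form above; field names are assumptions.
@dataclass
class MfaPolicy:
    level: str                  # "optional" | "encouraged" | "required"
    start: date                 # Day 0: policy enabled
    grace_days: int = 14
    roles: frozenset = frozenset()       # empty = all team members
    conditions: frozenset = frozenset()  # e.g. {"billing"}: conditional scope

@dataclass
class Member:
    email: str
    role: str
    joined: date
    methods: tuple = ()                  # enrolled MFA methods
    extended_until: "date | None" = None  # set by an admin "Extend MFA Grace"

def in_scope(policy, member, action=None):
    # Role-based scope first, then conditional scope keyed on the action taken.
    if policy.roles and member.role not in policy.roles:
        return False
    return action in policy.conditions if policy.conditions else True

def deadline(policy, member):
    # Enforcement day: an admin extension wins; new joiners get no grace.
    if member.extended_until:
        return member.extended_until
    if member.joined > policy.start:
        return member.joined
    return policy.start + timedelta(days=policy.grace_days)

def evaluate(policy, member, today, action=None):
    # Returns 'ok', 'prompt', 'grace' or 'locked' (see Enforcement Levels).
    if member.methods or policy.level == "optional" or not in_scope(policy, member, action):
        return "ok"
    if policy.level == "encouraged":
        return "prompt"
    return "locked" if today >= deadline(policy, member) else "grace"

def reminder_due(policy, member, today):
    # Emails on days 0, 7 and 12 during grace, plus the enforcement day itself.
    status = evaluate(policy, member, today)
    if status == "grace":
        return (today - policy.start).days in REMINDER_DAYS
    return status == "locked" and today == deadline(policy, member)
```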

Monitoring Compliance

Compliance Dashboard

View MFA status:

MFA Compliance Status

Compliant: 45/50 (90%)
├── TOTP: 38 users
├── WebAuthn: 5 users
└── SMS: 2 users

Non-Compliant: 5/50 (10%)
├── Grace period: 3 users
└── Locked out: 2 users

Policy: Required
Grace Period: 4 days remaining

Non-Compliant Users

View users without MFA:

User               Joined  Grace Remaining  Status
john@company.com   Jan 1   4 days           Grace
sarah@company.com  Jan 10  4 days           Grace
mike@company.com   Dec 1   Expired          Locked

Compliance Reports

Generate reports:

  • Current compliance rate
  • Compliance over time
  • Method distribution
  • Non-compliant users

Managing Non-Compliance

During Grace Period

For users who haven't set up MFA:

  1. Send direct reminder
  2. Offer assistance
  3. Explain importance
  4. Extend grace if needed

After Grace Period

For locked out users:

  1. Contact user directly
  2. Provide setup assistance
  3. Grant temporary extension
  4. Complete setup together

Granting Extensions

Admin can extend grace:

  1. Go to Team → Members
  2. Find user
  3. Click "Extend MFA Grace"
  4. Set new deadline

Method Restrictions

Requiring Hardware Keys

For maximum security:

Allowed Methods:
☑ WebAuthn / Security Keys
☐ TOTP Authenticator

Multiple Methods Required

Enterprise Plan

Require backup method:

☑ Require at least 2 MFA methods
   Users must set up backup

SSO and MFA

With SSO Enabled

MFA can be:

  • Handled by IdP: MFA at SSO provider
  • Required by Zenovay: Additional MFA layer
  • Combined: IdP MFA + Zenovay MFA

IdP MFA Trust

If your IdP handles MFA:

☑ Trust IdP MFA claims
   Users with IdP MFA don't need Zenovay MFA

Emergency Access

Break-Glass Accounts

For emergencies:

  • Designated admin accounts
  • Exempt from enforcement
  • Hardware key required
  • Heavily audited

Lost MFA Device

If user loses access:

  1. Use backup codes
  2. Contact admin for reset
  3. Re-enroll new device
  4. Generate new backup codes

Admin MFA Reset

Admins can reset user MFA:

  1. Go to Team → Members
  2. Find user
  3. Click "Reset MFA"
  4. User must re-enroll

Audit Trail

MFA Events Logged

Event           Details
MFA enrolled    User, method, time
MFA removed     User, method, admin
MFA failed      User, method, reason
MFA bypassed    User, reason, admin
Policy changed  Changes, admin

Compliance Reports

Track for audits:

  • Historical compliance rates
  • Method changes
  • Policy modifications
  • Bypass events
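Added example, not part of the article or of Zenovay's tooling: a review pass over MFA audit events in the shape of the table above, pulling out the bypass, removal and policy-change events an auditor would sample and flagging users with repeated MFA failures in a short window. The JSON field names and the sample lines are constructed assumptions.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of the logged events, one JSON object per line.
# Field names (ts, event, user, method, admin, reason, changes) are assumptions.
SAMPLE_LOG = """
{"ts": "2025-01-15T08:00:00", "event": "mfa_enrolled", "user": "sarah@company.com", "method": "totp"}
{"ts": "2025-01-15T08:05:00", "event": "mfa_failed", "user": "mike@company.com", "method": "totp", "reason": "bad_code"}
{"ts": "2025-01-15T08:06:00", "event": "mfa_failed", "user": "mike@company.com", "method": "totp", "reason": "bad_code"}
{"ts": "2025-01-15T08:07:00", "event": "mfa_failed", "user": "mike@company.com", "method": "totp", "reason": "bad_code"}
{"ts": "2025-01-15T09:00:00", "event": "mfa_bypassed", "user": "john@company.com", "reason": "lost device", "admin": "admin@company.com"}
{"ts": "2025-01-15T09:30:00", "event": "policy_changed", "admin": "admin@company.com", "changes": "grace_days: 14 -> 30"}
{"ts": "2025-01-15T10:00:00", "event": "mfa_removed", "user": "john@company.com", "method": "webauthn", "admin": "admin@company.com"}
"""

FAIL_THRESHOLD = 3              # failures inside FAIL_WINDOW that raise a finding
FAIL_WINDOW = timedelta(minutes=10)

def parse(log):
    return [json.loads(line) for line in log.strip().splitlines()]

def review(events):
    """Findings an admin should look at: every bypass, removal and policy change,
    plus each user who reaches FAIL_THRESHOLD failed attempts inside FAIL_WINDOW."""
    findings = []
    recent_fails = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] in ("mfa_bypassed", "mfa_removed", "policy_changed"):
            findings.append((e["event"], e.get("user", "-"), e["admin"]))
        elif e["event"] == "mfa_failed":
            # keep only failures still inside the window, then add this one
            window = [t for t in recent_fails[e["user"]] if ts - t <= FAIL_WINDOW] + [ts]
            recent_fails[e["user"]] = window
            if len(window) == FAIL_THRESHOLD:
                findings.append(("repeated_mfa_failure", e["user"], e["reason"]))
    return findings

def method_distribution(events):
    """Enrolments per method, as the compliance dashboard breaks them down."""
    return Counter(e["method"] for e in events if e["event"] == "mfa_enrolled")
```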

Best Practices

Rollout Strategy

  1. Announce policy change
  2. Enable as optional first
  3. Encourage with reminders
  4. Require with grace period
  5. Enforce strictly

Communication

  • Explain why MFA matters
  • Provide clear instructions
  • Offer support resources
  • Be available for questions

Support

  • Create setup guides
  • Host training sessions
  • Have IT support ready
  • Document procedures

Troubleshooting

User Can't Set Up MFA

Common issues:

  • Clock sync problems (TOTP)
  • Browser compatibility (WebAuthn)
  • Phone number issues (SMS)

Codes Not Working

If TOTP codes fail:

  1. Check device time sync
  2. Try adjacent codes
  3. Re-scan QR code
  4. Use backup codes
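To see why step 2 ("try adjacent codes") works, here is an added RFC 6238 TOTP check (not Zenovay's implementation) that accepts codes from the neighbouring 30-second steps and reports which step matched, so support can tell a small clock drift from a wrong secret. The secret is the RFC 4226/6238 test key, used here as a constructed value.

```python
import hashlib
import hmac
import struct
import time

RFC_SECRET = b"12345678901234567890"  # RFC 4226 test key, constructed input only
STEP = 30      # seconds per code
DIGITS = 6

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HMAC-SHA1 one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, at: int) -> str:
    """Code an authenticator app shows at Unix time `at` (RFC 6238)."""
    return hotp(secret, at // STEP)

def verify(secret: bytes, code: str, now: int, window: int = 1):
    """Return the step offset in -window..window that matched, or None.
    0 is an exact match; -1/+1 means the device clock is one step behind/ahead,
    which is the drift a correctly synced phone would not show."""
    current = now // STEP
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + offset), code):
            return offset
    return None

if __name__ == "__main__":
    now = int(time.time())
    shown = totp(RFC_SECRET, now - STEP)          # code from a phone 30 s behind
    print("current code:", totp(RFC_SECRET, now))
    print("matched offset for the lagging phone:", verify(RFC_SECRET, shown, now))
```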

Policy Not Enforcing

If enforcement doesn't work:

  1. Check policy saved
  2. Verify grace period
  3. Check user membership
  4. Review exceptions
