Skip to main content

Set up MFA and require it for your account

Enroll in multi-factor authentication, save backup codes, and require MFA for everyone on your account with a grace period.

This page covers two related tasks. The first is enrolling your own sign-in in multi-factor authentication (MFA). The second is requiring MFA for everyone on your account, which is an owner-and-admin control. They live on two different pages, so each section says exactly where the controls are.

When to use this

Enroll in MFA yourself when you want a second verification step beyond your password. You scan a QR code with an authenticator app and confirm a 6-digit code.

Require MFA account-wide when you want every staff member to enroll. You set the policy once, choose how many days people have to comply, and watch enrollment progress from a roster.

MFA enforcement applies only to staff (people with an account role: owner, admin, or member). Portal users who only authorize connections are never enrolled. For who counts as staff, see roles and permissions.

Enroll your own sign-in in MFA

Personal MFA lives at Account settings, Security (/account/security). The page heading is "Security" with the subtitle "Multi-factor authentication and recovery codes for your sign-in."

You need an authenticator app on your phone. Any standard TOTP app works: Google Authenticator, 1Password, Authy, and similar.

  1. Open the MFA card and start setup

    On the Security page, find the "Multi-factor authentication" card. When MFA is off, it shows a "Set up MFA" button. Click it to open the setup dialog.

  2. Scan the QR code with your authenticator app

    The dialog prompts you to "Scan the QR code with your authenticator app, then enter the 6-digit code it generates." A manual-entry key appears next to the QR code if your app cannot scan. The entry is issued under the name "TaskJuice".

  3. Enter the 6-digit code and enable

    Type the current 6-digit code from your authenticator app and click "Verify and enable". Codes rotate every 30 seconds, so enter the one showing now. There is about 30 seconds of clock-drift tolerance, so a code that just rolled over still works.

  4. Save your backup codes

    A "Save your backup codes" dialog appears with your recovery codes. The copy reads: "Store these somewhere safe. Each code can be used once when you do not have access to your authenticator app." You get exactly 10 codes, each 8 characters of lowercase letters and digits. Copy them into a password manager or another safe place before closing the dialog.

After enabling, the card shows two new buttons: "Regenerate backup codes" and "Disable MFA". Both require a current authenticator code to confirm.

Use a backup code when you cannot reach your authenticator

At sign-in, the verification screen asks for the 6-digit code from your authenticator app. If you do not have your phone, choose "Use a backup code" and enter one of your 8-character codes. Each backup code works once, then it is spent.

Regenerate or disable MFA

Regenerate backup codes when you are running low or think a code list has leaked. Click "Regenerate backup codes" and enter a current authenticator code. The dialog warns: "Your existing backup codes will stop working immediately." Every old code is replaced the moment you regenerate, so update wherever you stored them.

Disabling MFA also requires a current authenticator code. Note that turning off your personal MFA does not exempt you from an account-wide requirement. The disable dialog reminds you that your agency policy may still require it, in which case you will be prompted to enroll again.

Backup codes are shown once

You will not be able to see your backup codes again after closing the dialog. If you lose them and lose your authenticator at the same time, an account admin must reset your MFA so you can re-enroll.

Require MFA for everyone on your account

Account-wide enforcement lives at Account settings, Security under the agency-settings root (/settings/security). The subtitle reads "Agency-wide security policy. Applies to everyone with an account role."

Only an account owner or account admin can open this page. Account members get a 404. (Platform super-admins can also view it.)

  1. Turn on the requirement

    Open /settings/security and find the "MFA Enforcement" card. Switch on "Require MFA for all staff". The helper text reads: "Requires every staff member on this agency to complete MFA setup before continuing." The switch defaults to off.

  2. Set the grace period

    Once the requirement is on, a "Grace period (days)" field appears, described as "Days staff have to enable MFA after this policy is set. Maximum 30." The default is 7 days. The allowed range is 0 to 30, where 0 means immediate: staff must enroll before they can continue using the account. The grace-period field only shows while the requirement is on.

  3. Save and let the deadline run

    Save the policy. The grace deadline counts from the moment you turn the requirement on. Staff who have not yet enrolled see a banner titled "MFA Required" across the account app, reading "Your agency requires MFA for all staff. You have N day(s) to set it up." with a "Set it up now" button that opens enrollment. When the grace period reaches zero, the banner changes to "Set it up now to continue accessing your account." and they cannot continue until they enroll.

Track who has enrolled

The same page has a "Staff MFA Status" card: a table with columns Email, Role, MFA, and Actions. It lists everyone with an account role so you can see at a glance who is still missing MFA.

If a staff member is locked out (lost both their authenticator and their backup codes), use "Reset MFA" in the Actions column. The confirmation explains: "This staff member will need to re-enroll in MFA on next sign-in. They will be notified by email." Resetting forces a fresh enrollment; it does not disable the requirement for that person.

Verify it worked

For your own enrollment, sign out and sign back in. After your password, you should be asked for a 6-digit code from your authenticator app. Entering it lets you through. The "Use a backup code" toggle on that screen confirms your backup codes are active.

For account-wide enforcement, check the "Staff MFA Status" table after the policy is on. A staff member who has not enrolled shows a not-enabled state in the MFA column, and that person sees the "MFA Required" banner the next time they load the account app.

Troubleshooting

"Verify and enable" rejects your code. Authenticator codes are time-based and expire every 30 seconds. Make sure your phone's clock is set to automatic time, then enter the code currently displayed rather than one that has already rolled over.

Regenerating backup codes says MFA is not enabled. You can only regenerate codes after MFA is enrolled. If you see "MFA is not enabled on your account," enroll first, then regenerate.

Trying to enroll again says MFA is already enabled. If you get "MFA is already enabled. Disable it first to re-enroll," your account already has an active authenticator. Disable MFA (you will need a current code) and run setup again, or use "Regenerate backup codes" if you only need new recovery codes.

The "Grace period (days)" field is missing. It only appears when "Require MFA for all staff" is on. Turn the requirement on first.

The Staff MFA Status table looks incomplete. The roster shows the first 500 staff members. If you have more than that, a banner reads "Showing the first 500 staff members." and you should contact support to see the full list.

Disabling personal MFA does not bypass the policy

If your account requires MFA, disabling your personal MFA only triggers a fresh enrollment prompt. You cannot opt out of an account-wide requirement by turning off your own second factor.

Was this helpful?
Account settings fieldsSign in to your account