Enforce Two-Factor Authentication
As an Organization Owner, you can enforce two-factor authentication (2FA) for all organization users who authenticate with their email and password.
Important to Know
Note the following about 2FA enforcement:
- 2FA enforcement only applies to users who authenticate with their email and password.
- 2FA enforcement doesn’t apply to single sign-on (SSO). This includes SAML single sign-on (SSO) and Google authentication (OAuth 2.0).
- If your organization has SAML SSO enforced, you can’t enforce 2FA. Your SAML provider may already require 2FA.
- 2FA enforcement affects users with the following roles:
Enforce 2FA
- Navigate to Settings > Identity & Access.
- Under Enforce Two-Factor Authentication (2FA), turn on the toggle.
- In the overlay that appears, confirm your action.
Users get an email notification to enable 2FA. They must enable 2FA upon their next sign-in with their email and password.
Tip
If you have problems signing in with 2FA, see our troubleshooting tips.Disable 2FA Enforcement
- Navigate to Settings > Identity & Access.
- Under Enforce Two-Factor Authentication (2FA), turn off the toggle.
Users within your organization are no longer required to enable 2FA. This does not disable 2FA on their accounts. We recommend that they continue using 2FA to enhance their account security.
Check the 2FA Status of Users
To view the 2FA status on the user accounts within your organization, navigate to the People page. You see a yellow warning icon 
for a user when:
- The user hasn’t enabled 2FA—regardless of the 2FA enforcement; and
- Your organization doesn’t have SAML SSO configured.
We don’t enforce 2FA for Cobalt pentesters, but we display a warning icon on the Pentest Collaborators tab if they haven’t enabled 2FA.
