Enforce two-factor authentication
Two-factor authentication (2FA) protects accounts with a time-based code from an authenticator app on top of the password. Anyone can enable it for themselves, and Owners and Admins can make it mandatory for the whole organization.
Set up 2FA for yourself
1. Open Settings and go to the Security tab.
2. In the Two-Factor Authentication section, start the setup and scan the QR code with your authenticator app (Google Authenticator, Authy, 1Password, or any TOTP app).
3. Enter the six-digit code from the app to confirm.
4. Save your backup codes somewhere safe. They are shown once, and each is a single-use replacement for a code if you lose your authenticator.
From then on, sign-in asks for a code from your app after your password.
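As background on what the confirmation and sign-in steps check, here is an added example (not Onplana's code) of standard RFC 6238 TOTP verification with a one-step clock-drift window, replay rejection, and single-use backup codes. The 30-second step, HMAC-SHA-1, the `SecondFactor` class and the stored-hash scheme are assumptions; the sample secret is the published RFC 6238 test key and the backup code is constructed.

```python
import base64, hashlib, hmac, struct

STEP, DIGITS = 30, 6   # assumed RFC 6238 defaults; the page only states six digits
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, base32

def totp(secret_b32: str, unix_time: int) -> str:
    """TOTP (HMAC-SHA-1) for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class SecondFactor:
    """Hypothetical per-account verifier state (not Onplana's data model)."""
    def __init__(self, secret_b32: str, backup_codes: list[str]):
        self.secret = secret_b32
        # Store only hashes of the backup codes (assumes high-entropy codes).
        self.backup = {hashlib.sha256(c.encode()).hexdigest() for c in backup_codes}
        self.last_step = -1                      # newest time step already accepted

    def verify(self, code: str, now: int, drift: int = 1) -> bool:
        current = now // STEP
        # Accept the current step plus/minus `drift` steps to absorb clock skew.
        for step in range(max(0, current - drift), current + drift + 1):
            expected = totp(self.secret, step * STEP)
            if step > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step            # a code cannot be replayed
                return True
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.backup:                # backup code: valid exactly once
            self.backup.remove(digest)
            return True
        return False

if __name__ == "__main__":
    account = SecondFactor(RFC_SECRET, ["constructed-backup-code"])
    print(account.verify("287082", now=59))      # RFC 6238 vector for T=59
    print(account.verify("287082", now=59))      # same code again: rejected
```

Widening `drift` tolerates more clock skew but lengthens the period during which an intercepted code remains usable, so keep it small.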
Enforce 2FA for the whole organization
1. Open Organization Settings and go to the Security & Compliance tab (Owner and Admin only).
2. On the Controls sub-tab, find Enforce 2FA for All Members and switch it on. If some members have not enabled 2FA yet, Onplana warns you and lists them before you confirm.
What happens to members without 2FA
Enforcement takes effect immediately. Members who have not enabled 2FA are blocked from the organization’s content: they can still sign in and reach their personal Settings → Security page to enroll, but every attempt to open organization data shows a clear message that 2FA is required. The Controls panel lists who is currently blocked, and the Access Review sub-tab shows per-member 2FA status at any time.
Organizations using SSO
If your team signs in through single sign-on and your identity provider already performs MFA, those sessions satisfy the requirement by default. The Trust IdP MFA for SSO sessions option below the enforcement toggle controls this; switch it off if you want everyone to enroll an Onplana authenticator code regardless. See Configure single sign-on.
A member lost their authenticator. Now what? Backup codes are the first resort. If those are gone too, an Owner or Admin can reset the member’s 2FA from the Access Review sub-tab so they can re-enroll. If the person belongs to several Onplana organizations, the reset must go through support instead.
Does enforcement block API tokens and agents? No. Requests authenticated with personal access tokens are not subject to the 2FA gate; tokens have their own scopes, expiry, and revocation. See Create API tokens.
Can I see who has 2FA before enforcing? Yes. The Access Review sub-tab lists every member with their 2FA status, so you can chase stragglers before turning enforcement on.