To enhance security across your practice or company, admins can now enforce Two-Factor Authentication (2FA) for all members. This additional layer of security ensures that every member must verify their identity with a second factor before accessing their account, significantly reducing the risk of unauthorized access from a stolen or guessed password alone.
While some members may have already enabled 2FA on their accounts, this option makes it mandatory for everyone.
This article guides you through the steps to enforce 2FA for all members.
Enabling 2FA for practice members
Admins within a practice can enforce 2FA for all practice members. To enable this, follow these steps:
In the main left navigation, select "Team".
Above the list of members, you'll see the "Require team members to use two-factor authentication" toggle, which is set to OFF by default.
Click the toggle to turn it ON.
Once it's ON, all practice members (including all admins) will receive an email notification informing them that 2FA is now required.
Enabling 2FA for company members
Practice admins and any member with permission to manage the members of a company can enforce 2FA for all members of that specific company, including practice members assigned to it. To enable this (turn it ON), follow these steps:
In the main left navigation of the specific company, select "Settings" > "Members".
Above the list of members, you'll see the "Require all members to use two-factor authentication" toggle, which is set to OFF by default.
Click the toggle to turn it ON.
Once it's ON, all company members (including practice members assigned to the company and all admins) will receive an email notification informing them that 2FA is now required.
To note:
Practice members assigned to a company where this feature is ON will also be required to use 2FA when signing in to their practice hub.
Once this feature is ON, members who use email code as their verification method will be required to switch to authenticator-based verification on their next login. See "Logging in as a member with enforced 2FA" below.
With this feature enabled, members cannot disable 2FA or change their verification method from their personal "Login and Security" settings.
Disabling 2FA enforcement
Admins can disable (turn OFF) 2FA enforcement for practice and company members at any time. Turning it OFF removes the mandatory requirement but does not remove the existing 2FA configuration from members' accounts; after disabling, 2FA simply becomes optional for each member.
To turn it OFF, admins must confirm the change by entering their own 6-digit authenticator code.
Logging in as a member with enforced 2FA
If 2FA was not already set up, members will need to configure it the next time they log in.
Members using email code as their verification method will be required to switch to authenticator-based verification on their next login.
Members who already use authenticator-based verification will not need to complete this step.
Once 2FA is configured, they will need to verify their account with the 6-digit authentication code each time they log in thereafter. Members can also tick the "Trust this device for 30 days" checkbox to skip the 2FA step on that trusted device for 30 days; the code is still required on any other device and again once the 30 days have passed.
To note:
Members joining a new company or practice with 2FA enforced will also need to set it up if they haven't already.
Logging in with QuickBooks, Xero, or Google
When the 2FA enforcement feature is ON in Apron, members who use QuickBooks, Xero, or Google to log in will need to set up Apron's 2FA on their next login if they haven't already done so.
This ensures that 2FA is used to log in to Apron even when signing in through a QuickBooks, Xero, or Google account. Note that any 2FA required by Xero or QuickBooks for their own systems is separate from this process and does not satisfy Apron's requirement.
Once the 2FA enforcement feature is ON, members using email code as their verification method will also need to switch to authenticator-based verification on their next login.