Multi-factor authentication (MFA) adds a second step to sign-in, so a stolen password isn't enough to access an account. This guide explains how MFA works for Zenovay teams, how to keep track of who has it enabled, and how it fits with SSO.
Info
Zenovay MFA is enrolled per user — each person sets it up on their own account. There isn't a single switch that forces MFA on for everyone at once. If you need MFA mandated for your whole organization, the most reliable place to enforce it is at your identity provider (see MFA with SSO below).
Why MFA matters
- Stops account takeover — a leaked or phished password alone won't get an attacker in.
- Supports your compliance program — many frameworks (SOC 2, HIPAA, PCI DSS) and cyber-insurance policies expect MFA on accounts that can reach sensitive data.
- Protects your analytics — your traffic, revenue, and audience data stays behind a second factor.
How Zenovay MFA works
Each team member enables MFA on their own account. Zenovay supports:
| Method | What it is |
|---|---|
| Authenticator app (TOTP) | A 6-digit rotating code from an app like Google Authenticator, Authy, or 1Password. |
| Backup codes | One-time recovery codes to use if the authenticator device is lost. |
Passkeys (WebAuthn / hardware security keys, Touch ID, Face ID, Windows Hello) are also available — but as a passwordless sign-in option, not as an enforced second factor. See WebAuthn Security Keys for details.
To enable MFA on your own account, go to Profile → Security and follow Setting up MFA.
Checking who has MFA enabled
Team owners and admins can pull a per-member MFA report from the members export.
1. Open team members. Go to Settings → Team → Members.
2. Export the members list. Use the export button to download the list as a CSV. Each row includes the member's email, name, role, join date, and an MFA Enabled column (Yes / No).
3. Review and keep for your records. Open the CSV to see who still needs to enroll, and keep it as evidence for audits or compliance. New members show as "No" until they set MFA up.
Info
The export reports MFA status only. Zenovay does not provide an in-product control to force a member to enroll, set a grace period, or remotely reset another member's MFA. Use the steps below to roll MFA out across your team.
Rolling MFA out to your team
Because enrollment is per user, a successful rollout is mostly communication plus follow-up:
- Announce the change. Explain why MFA matters and when you expect everyone to have it enabled.
- Share the setup guide. Point people to Setting up MFA so the steps are clear.
- Track progress. Export the members list from Settings → Team → Members to see who still needs to enroll (the CSV has an MFA Enabled column).
- Follow up directly. Reach out to anyone who hasn't enrolled by your deadline.
For organizations that need MFA strictly required rather than encouraged, enforce it at your identity provider — see below.
MFA with SSO
If your team signs in through SSO (SAML or OAuth/OIDC, available on Scale and Enterprise plans), authentication happens at your identity provider, not at Zenovay. That means:
- Any MFA requirement you configure in your IdP (Okta, Azure AD / Entra ID, Google Workspace, etc.) applies automatically when users sign in to Zenovay.
- This is the most dependable way to require MFA for everyone, because your IdP can mandate it as a condition of access and Zenovay honors that sign-in.
To set up SSO, see Enterprise SSO overview, SAML configuration, and OAuth / OIDC setup.
Lost MFA device
If a team member loses access to their authenticator app:
- They can sign in with one of their backup codes.
- Once signed in, they can re-enroll a new authenticator from Profile → Security and generate fresh backup codes.
If they've lost both the authenticator and their backup codes, contact Zenovay support — recovery is handled through our verified account-recovery process.
Troubleshooting
Authenticator codes aren't accepted
TOTP codes depend on accurate time:
- Make sure the device running the authenticator app has the correct time (enable automatic time sync).
- Wait for the next code and try again — codes rotate every 30 seconds.
- If it still fails, use a backup code to sign in, then re-enroll the authenticator.
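To see why a wrong device clock causes rejections, the following added example (not Zenovay's code) computes 6-digit, 30-second TOTP codes per RFC 6238 and checks them against a verifier that tolerates one time step either side. HMAC-SHA1 and the one-step tolerance are assumptions, since this guide does not document Zenovay's algorithm or acceptance window; the secret and times are constructed test values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # from this guide: codes rotate every 30 seconds
DIGITS = 6          # from this guide: 6-digit codes


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP for the time step containing unix_time (HMAC-SHA1 assumed)."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept a code from the server's current step or `window` steps either side.

    window=1 is an assumed tolerance, not a documented Zenovay setting.
    """
    return any(
        hmac.compare_digest(code, totp(secret, server_time + d * STEP_SECONDS))
        for d in range(-window, window + 1)
    )


def accepted_with_skew(secret: bytes, server_time: int, skew_seconds: int) -> bool:
    """Is a code accepted when the device clock is off by skew_seconds?"""
    device_code = totp(secret, server_time + skew_seconds)
    return verify(secret, device_code, server_time)


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226/6238 test secret (constructed input)
    server_now = 135                   # constructed time, 15 s into a 30 s step
    for skew in (0, 20, -45, 90, -120):
        verdict = "accepted" if accepted_with_skew(secret, server_now, skew) else "rejected"
        print(f"device clock {skew:+4d}s -> {verdict}")
```

Under these assumptions a device that is a few tens of seconds off still signs in, while one that is 90 seconds or more off produces codes from a time step the verifier never checks, which is why enabling automatic time sync is the first fix to try.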
A member can't complete MFA setup
- Confirm they're following the steps in Setting up MFA.
- Have them try a different authenticator app if the QR code won't scan (the secret can also be entered manually).