Two-factor authentication is one of the most effective ways to protect accounts from unauthorized access. By default, 2FA is optional at seven, meaning each user decides whether to enable it for their own account. As the owner or an administrator, however, you can make 2FA mandatory for all members of your account, making sure that no one can access your account with a password alone.
Why enforce 2FA?
A stolen or guessed password alone is not enough to break into a 2FA-protected account. Even if credentials are leaked through phishing, third-party data breaches or weak password reuse, the account stays protected as long as the attacker does not also control the user's second device.
Typical scenarios where enforced 2FA is particularly useful:
- Teams with multiple members, where it is impractical to track individually who has enabled 2FA
- Accounts with sensitive data, such as extensive contact lists, journal entries or API access
- Companies with compliance requirements, where multi-factor authentication is mandated by internal policies, ISO 27001, GDPR-related safeguards or similar standards
- Accounts with administrators and developers who have access to API keys or billing-related functions
- After a security incident, to make sure that restored access is reliably protected
In short: treating 2FA as a mere recommendation means relying on each individual user to actually set it up. Enforcement removes that uncertainty from the equation.
Where to find this setting
In your account, go to Settings → Security and scroll to the section "Enforce Two-Factor Authentication".
Activate the 2FA requirement
Toggle the switch "Enable this option to enforce 2FA for all account members". You can then choose a grace period under "Enforce 2FA after:" that determines when the requirement takes effect:
- Immediately
- 1 day
- 2 days
- 3 days
- 7 days
- 14 days
The grace period gives all members time to properly set up 2FA, install an authenticator app and safely store their backup codes. Once the period expires, logging in without 2FA enabled will no longer be possible.
Which grace period makes sense?
- Immediately is a good choice if all members already use 2FA and you simply want to formalize the requirement, or as an immediate response to a security incident.
- 1 to 3 days is a sensible compromise for smaller teams that want to switch to 2FA quickly.
- 7 or 14 days is well suited for larger teams where less active members or vacation absences need to be taken into account.
Regardless of the chosen period, we recommend informing your team briefly before activation so that no one is surprised by the requirement.
What happens once the grace period ends?
Once the chosen grace period has passed, the requirement takes full effect:
- Members with 2FA enabled log in as usual.
- Members without 2FA enabled can still sign in with their username and password, but will immediately be prompted to set up 2FA before they can continue using the account. A regular login without configured 2FA is no longer possible.
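To make the grace-period semantics above concrete, here is an added illustrative model of the enforcement logic (not seven's own code; the function names, the member table and the timestamps are constructed for the example). It computes the deadline from the chosen grace option, decides what a valid password login leads to, and lists who is emailed at activation.

```python
from datetime import datetime, timedelta, timezone

# Grace-period options exactly as the article lists them, as days after activation.
GRACE_PERIODS = {"Immediately": 0, "1 day": 1, "2 days": 2, "3 days": 3,
                 "7 days": 7, "14 days": 14}


def enforcement_deadline(activated_at: datetime, grace_option: str) -> datetime:
    """Moment from which a login without 2FA is no longer allowed."""
    return activated_at + timedelta(days=GRACE_PERIODS[grace_option])


def login_outcome(member_has_2fa: bool, enforced: bool,
                  deadline: datetime, now: datetime) -> str:
    """Outcome for a member who presents a valid username and password.

    'login'          - normal session (2FA configured, enforcement off, or still in grace)
    'setup_required' - password accepted, but the member must set up 2FA before
                       using the account (never a hard lockout)
    """
    if member_has_2fa or not enforced or now < deadline:
        return "login"
    return "setup_required"


def members_to_notify(members: dict, enforced: bool) -> list:
    """Members without 2FA at activation time, who receive the reminder email."""
    if not enforced:
        return []
    return sorted(name for name, has_2fa in members.items() if not has_2fa)


if __name__ == "__main__":
    # Constructed sample: enforcement switched on with a 7-day grace period.
    activated = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    deadline = enforcement_deadline(activated, "7 days")
    team = {"alice": True, "bob": False, "carol": False}
    print("notify:", members_to_notify(team, True))
    for day in (5, 9):
        now = datetime(2024, 1, day, 9, 0, tzinfo=timezone.utc)
        print(day, login_outcome(team["bob"], True, deadline, now))
```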
Member notification
All members who do not yet have 2FA enabled at the time of activation will automatically receive an email notification, prompting them to enable 2FA before the grace period ends. This way, administrators do not need to communicate the change manually.
A step-by-step setup guide is available in the article Two-Factor Authentication (2FA).
Disabling the requirement
You can turn the 2FA requirement off again at any time by toggling the switch back on the same page. Existing 2FA configurations of individual members remain unaffected and would need to be disabled individually in the respective profile if desired.