# How to require MFA for a user?

Multi-factor authentication (MFA) adds a second layer of security on top of a user's password. By default, every Stoïk Protect user can enable MFA on their own account from `Settings > User settings > Two-factor authentication`.

For compliance reasons (ISO 27001, NIS2, cyber-insurance requirements, internal security policies) administrators can now go one step further and **enforce MFA on specific users**: an enforced user is required to enable MFA at their next sign-in and cannot opt out.

#### Who can enforce MFA?

Only users with the `Manage user rights` permission (i.e. administrators) can require MFA for another user. The `Require MFA` toggle is disabled for users without that permission.

#### How to require MFA for a user

<figure><img src="/files/Qe988fcsTn056GwF1qQy" alt=""><figcaption></figcaption></figure>

1. Go to `Settings > Users` in Stoïk Protect.
2. Click on the user you want to enforce MFA on. Their side panel opens.
3. In the `Admin` section of the permissions form, tick **Require MFA**.
4. The change is saved with the rest of the permissions form.

{% hint style="info" %}
The same flow lets you turn enforcement off later by unticking the box. Disabling enforcement does not remove MFA from the user. They keep MFA enabled, and can disable it themselves from their settings if they wish.
{% endhint %}

#### What the enforced user sees

The next time the user signs in, before they reach the dashboard, Stoïk Protect checks whether they already have MFA enabled. If they do, nothing changes. If they don't, they are routed to a mandatory MFA setup screen. The flow is:

1. **Set up two-factor authentication**: A screen explaining that MFA is required by their workspace admin, with a single available method (Text message / SMS). There is no `Skip` button.
2. **Enter your phone number**: The user types the phone number that will receive verification codes.
3. **Enter the code we sent you**: The user types the 6-digit code received by SMS to confirm ownership of the phone number.
4. **Two-factor authentication is on**: Confirmation screen, then redirect to the page the user was originally trying to reach.

Until MFA is set up, the user cannot navigate anywhere else inside Stoïk Protect. They can sign out from the header if needed.

#### What changes for an enforced user once MFA is on?

* They sign in with their password and a 6-digit code sent by SMS, every time.
* They cannot disable MFA from their own user settings: the `Disable MFA` button is greyed out with a tooltip explaining that MFA is required by their administrator.

#### Edge cases

| Situation                                                     | Behaviour                                                                                 |
| ------------------------------------------------------------- | ----------------------------------------------------------------------------------------- |
| The user already has MFA enabled when the toggle is turned on | Nothing happens at next login. They simply cannot disable MFA themselves anymore.         |
| An admin turns the toggle on for their own account            | Allowed. Enforcement triggers at their next login.                                        |
| The user is currently signed in when the toggle is turned on  | They are not signed out. Enforcement triggers at their next login.                        |
| A new user is invited with the toggle already on              | Right after they create their password, they land on the forced MFA setup screen.         |
| The user can no longer access their phone number              | Ask their admin to temporarily turn the toggle off so they can update their MFA settings. |
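The routing and toggle rules described above, written out as a small Python model so that the edge cases in the table can be checked mechanically. This is an added illustration and not Stoïk Protect's own code: the route names, the code validity window, the attempt limit and the way the `Manage user rights` permission is represented are all assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed route names: the product's real URLs are not documented on this page.
MFA_SETUP = "/mfa/setup"   # forced setup screen, no Skip button
SIGN_OUT = "/sign-out"     # the one action still reachable from the header

CODE_TTL_SECONDS = 300     # assumed validity window for an SMS code
MAX_ATTEMPTS = 5           # assumed limit on wrong codes per enrollment


@dataclass
class User:
    email: str
    mfa_enabled: bool = False    # user has completed MFA setup (SMS)
    mfa_required: bool = False   # admin ticked "Require MFA"
    phone: Optional[str] = None


@dataclass
class PendingEnrollment:
    phone: str
    code: str
    expires_at: float
    attempts: int = 0


def admin_set_require_mfa(actor_perms: set, target: User, on: bool) -> User:
    """Flip the Require MFA toggle. Only a holder of `Manage user rights` may do so,
    and turning it off never removes MFA from the user."""
    if "Manage user rights" not in actor_perms:
        raise PermissionError("Require MFA needs the Manage user rights permission")
    target.mfa_required = on
    return target


def must_enrol(user: User) -> bool:
    """Enforcement bites only when MFA is required and not yet set up."""
    return user.mfa_required and not user.mfa_enabled


def route(user: User, requested: str) -> str:
    """Where a sign-in (or any navigation during forced setup) actually lands.
    Everything except sign-out is redirected to the setup screen; a user who
    already has MFA, or is not enforced, reaches the page they asked for."""
    if must_enrol(user) and requested != SIGN_OUT:
        return MFA_SETUP
    return requested


def can_disable_mfa(user: User) -> bool:
    """The Disable MFA button is greyed out while enforcement is on."""
    return user.mfa_enabled and not user.mfa_required


def start_enrollment(phone: str, now: float) -> PendingEnrollment:
    """Step 2: the user gives a phone number and a 6-digit code is generated
    with a CSPRNG. Actually sending the SMS is out of scope for the model."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    return PendingEnrollment(phone=phone, code=code, expires_at=now + CODE_TTL_SECONDS)


def confirm_enrollment(user: User, pending: PendingEnrollment,
                       submitted: str, now: float) -> bool:
    """Step 3: verify the submitted code in constant time, reject expired codes
    and stop after MAX_ATTEMPTS wrong guesses. On success MFA is on (step 4)."""
    if now > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
        return False
    pending.attempts += 1
    if not hmac.compare_digest(pending.code.encode(), submitted.encode()):
        return False
    user.phone = pending.phone
    user.mfa_enabled = True
    return True


def walkthrough() -> dict:
    """Run the enforced-user journey end to end and report each checkpoint."""
    admin = {"Manage user rights"}
    alice = User("alice@example.com")           # constructed sample user
    admin_set_require_mfa(admin, alice, True)

    landed = route(alice, "/dashboard")          # next sign-in: forced setup
    pending = start_enrollment("+33600000000", now=1_000.0)
    ok = confirm_enrollment(alice, pending, pending.code, now=1_060.0)

    after = route(alice, "/dashboard")           # setup done: dashboard again
    locked = can_disable_mfa(alice)              # button greyed out
    admin_set_require_mfa(admin, alice, False)   # toggle off: MFA stays on
    return {"landed": landed, "ok": ok, "after": after,
            "locked": locked, "still_on": alice.mfa_enabled,
            "can_disable_now": can_disable_mfa(alice)}
```

The model keeps the two properties the page relies on separate: `mfa_required` is what the administrator controls, `mfa_enabled` is what the user has actually set up, and the only place they interact is the `must_enrol` check at sign-in. That is also why a signed-in user is not kicked out when the toggle flips: the check runs on navigation into the app, not against live sessions.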

#### Frequently asked questions

**Can a user opt out of the forced MFA setup?** No. The setup screen has no `Skip` button and blocks navigation to the rest of Stoïk Protect until MFA is set up.

**Which MFA method is supported?** Text message (SMS) is available today. Authenticator apps are coming soon. Keep in mind that SMS is the weakest of the common second factors: a code can be phished in real time, and the phone number itself can be taken over through SIM swapping, so it raises the bar well above password-only sign-in but does not match an authenticator app.

**Will the user be notified when I turn the toggle on?** Not via email today. They will see the forced MFA setup screen the next time they sign in.

**Does turning the toggle off remove their MFA?** No. Their MFA stays enabled. Turning the toggle off only re-enables their ability to disable MFA themselves.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.stoik.io/onboarding/how-to-require-mfa-for-a-user.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
