
Multi-Factor Authentication (MFA / 2FA)

Add an extra layer of security to your organisation's CRM

Written by Penelope Hill
Updated today

This feature is in Beta, and may not be available on all accounts.

Multi-Factor Authentication (MFA)

Add an extra layer of protection to your account - so even if your password is ever compromised, your account stays safe.


What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) means that when you sign in, you're asked for two things: your password, and a short code generated by an app on your phone. Even if someone gets hold of your password, they still can't access your account without that code.

It takes just a couple of minutes to set up, and you'll only need to do it once. After that, signing in with MFA is quick and straightforward.

💡 Tip: You'll need a free authenticator app on your phone — such as Google Authenticator or Authy. Both are available on the App Store and Google Play. Download one before you begin.


Setting Up MFA

You can set up MFA in two ways: from the prompt that appears after you sign in, or at any time from your Security settings.

Option A: From the sign-in prompt

After signing in, you may see a screen that says Secure your account. This is your invitation to enable MFA.

Click Set up MFA to begin. If you're not ready yet, click Skip for now. You can tick Don't ask me for 30 days if you'd like to postpone the reminder.

Option B: From Security settings

You can also set up MFA at any time by going to Tools & Settings → Security. Under Your Multi-Factor Authentication, click the Set up MFA button.


Completing the Setup

Once you click Set up MFA, you'll see the setup screen. Here's what to do:

  1. Open your authenticator app on your phone.

  2. Tap the option to add a new account (usually a + button).

  3. Choose Scan a QR code and point your phone's camera at the QR code on screen.

  4. Your app will generate a 6-digit code. Type it into the Verification code boxes and confirm.

πŸ“ Can't scan the QR code? If your camera doesn't work well with QR codes, look for the Can't scan? option on screen. This gives you a text key you can type directly into your authenticator app instead.

💡 Tip: Once set up, your authenticator app will show a new 6-digit code every 30 seconds. You'll use this each time you sign in.


Signing In With MFA Enabled

After MFA is set up, signing in works like this:

  1. Enter your email address and password as normal.

  2. You'll then be asked for your 6-digit verification code.

  3. Open your authenticator app, find the GoodCRM entry, and type in the code shown.

  4. You're in!

💡 Tip: The code refreshes every 30 seconds. If it looks like it's about to change, wait for the new one — it'll be easier to type without rushing.
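For readers who want to see how the text key and the 30-second code relate, here is an added example (not GoodCRM's code). It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1) that Google Authenticator and Authy use by default; this page does not state the algorithm, and the one-step tolerance and replay check in `verify` are illustrative assumptions, not documented GoodCRM behaviour.

```python
import base64, hashlib, hmac, struct, time

STEP = 30    # seconds each code lasts, as stated on this page
DIGITS = 6   # code length, as stated on this page

def decode_key(text_key: str) -> bytes:
    """Decode a typed text key; spaces, dashes and lower case are tolerated."""
    cleaned = text_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped base32 padding
    return base64.b32decode(cleaned)

def totp(key: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(key, submitted, at, window=1, last_used_step=None):
    """Return the time step whose code matches `submitted`, or None.

    window=1 also accepts the neighbouring steps (clock drift, slow typing).
    last_used_step rejects a code from a step that was already accepted.
    """
    current = int(at) // STEP
    for step_no in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step_no <= last_used_step:
            continue
        # compare_digest avoids leaking how many digits matched via timing
        if hmac.compare_digest(totp(key, step_no * STEP), submitted):
            return step_no
    return None

# Constructed sample key: the RFC 6238 test secret, base32-encoded.
SAMPLE_TEXT_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    key = decode_key(SAMPLE_TEXT_KEY)
    now = time.time()
    code = totp(key, now)
    print("current code:", code, "- changes in", STEP - int(now) % STEP, "s")
    step = verify(key, code, now)
    print("accepted at step", step)
    print("same code again:", verify(key, code, now, last_used_step=step))
```

The text key is the shared secret itself: anyone who holds it can generate valid codes, so treat it like a password and never paste a real one into a script or chat.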


Managing Your MFA

You can view and manage your MFA at any time by going to Tools & Settings → Security. The Your Multi-Factor Authentication section shows whether MFA is currently active on your account, and lets you set it up or remove it.

⚠️ Removing MFA: If you remove MFA from your account and your organisation requires it, you'll be asked to set it up again the next time you sign in.


🔒 For Admins: Organisation MFA Settings

If you have admin rights, the Security settings page also lets you control MFA across your whole organisation. You'll find these options beneath your personal MFA section.

Requiring MFA for user groups

Under Organisation MFA Policy, you can switch on MFA for different types of users. When a group has MFA required, everyone in that group will need to set up an authenticator app before they can sign in.

  • Require MFA for Admin & Standard Users

  • Require MFA for Tutor Users

  • Require MFA for Member Portal Users

πŸ“ Note: MFA enforcement does not apply to users who sign in via SSO (Single Sign-On). It is also not currently available for Ticketing Portal users.

Controlling the setup prompt

Under Nudge Behaviour, you can control whether users are prompted to set up MFA after signing in when MFA isn't required. By default, users will see the Secure your account prompt. If you'd prefer they're not shown this automatically, toggle on Suppress MFA setup prompts for users.

Users can still choose to set up MFA voluntarily at any time from their own Security settings page.

Remember to click Save after making any changes to the organisation policy or nudge settings.
