How to enforce Two Factor Authentication for all users on your account


As a site owner or admin, you can require everyone with an account on your site to set up Two Factor Authentication (2FA). This protects your site from unauthorised access at the user level, not just the admin level. It is especially useful for sites with paid users, sensitive course content, or compliance requirements.

This article shows you how to enforce 2FA across your site, how to choose an account-age threshold, and what users will see at their next sign-in.

Before you start: enable 2FA on your own account first

You must enable 2FA on your own account before you can enforce it for other users. This is a safeguard so you don't lock yourself out of your own site.

If 2FA is not yet set up on your account, the Enforce Two Factor screen will show a yellow "NOT SET UP" badge with this message: "You should enable two factor authentication on your own account before enforcing it for all users. Go to Multi-Factor Authentication to set it up."

Set up 2FA on your own account first by following Two Factor Authentication, then return here.

How to enforce 2FA for all users

The following steps will show you how to enforce 2FA for all users on your account.


  1. Access your dashboard > Settings > Signup and Checkout.
  2. Open the Enforce Two Factor tab.
  3. Confirm that the two factor setup status shows ENABLED in green.
  4. Tick the checkbox "Enforce two factor authentication for all users."
  5. In the "Enforce when user's account is [X] days old" field, enter the threshold in days. See the section below on how to choose this number.
  6. Click Save.

Enforcement is now active on your site.

Choosing the account-age threshold

The "days old" setting controls which users are required to set up 2FA at their next login.

  • Set to 0 to enforce 2FA immediately for every user, regardless of when they signed up. All users will be redirected to set up 2FA at their next login.
  • Set to a higher number (for example, 30, 60, or 90 days) to enforce 2FA only for users whose accounts are at least that many days old. Newer accounts can sign in without 2FA until they cross the threshold, at which point they will be redirected to set up 2FA at their next login.

A non-zero threshold is useful if you want to roll out 2FA gradually without disrupting new signups, free trial users, or recently onboarded learners.

How it works at sign-in

Enforcement is checked at the moment a user signs in.

  1. The user signs in with email and password as usual.
  2. The system checks whether their account meets the age threshold you set.
  3. If it does, and they have not yet set up 2FA, they are redirected to the 2FA setup screen.
  4. The user can navigate away without completing the setup, but they will be redirected to it again at their next sign-in.
  5. Once they finish the setup, 2FA is active on their account and they sign in normally with email, password, and a six-digit code.
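The sign-in check and the account-age threshold described above can be modelled to preview a rollout before you save the setting. This is an added example, not the platform's own code: the `User` record, the sample accounts, and counting age in whole calendar days are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class User:            # hypothetical record, e.g. one row of a user export
    email: str
    created: date      # signup date
    has_2fa: bool      # True once the user has finished 2FA setup

def account_age_days(user, today):
    # Assumption: age is counted in whole calendar days since signup.
    return (today - user.created).days

def must_set_up_2fa(user, today, enforce, threshold_days):
    """True if this sign-in would be redirected to the 2FA setup screen."""
    if not enforce or user.has_2fa:
        return False
    # "at least that many days old" -> inclusive comparison; 0 catches everyone
    return account_age_days(user, today) >= threshold_days

def rollout_preview(users, today, thresholds):
    """For each candidate threshold: who is redirected at next sign-in,
    and how many days each remaining non-2FA account has left."""
    preview = {}
    for t in thresholds:
        redirected, grace = [], {}
        for u in users:
            if must_set_up_2fa(u, today, True, t):
                redirected.append(u.email)
            elif not u.has_2fa:
                grace[u.email] = t - account_age_days(u, today)
        preview[t] = {"redirected": redirected, "grace": grace}
    return preview

# Constructed sample data (not real accounts)
TODAY = date(2025, 6, 30)
USERS = [
    User("owner@example.com", date(2024, 1, 10), True),
    User("learner1@example.com", date(2025, 3, 1), False),
    User("learner2@example.com", date(2025, 6, 10), False),
    User("trial@example.com", date(2025, 6, 29), False),
]

if __name__ == "__main__":
    for t, result in rollout_preview(USERS, TODAY, [0, 30, 90]).items():
        print(t, result)
```

Accounts listed under `grace` stay password-only until the day count reaches zero, so the threshold you choose is also the longest period a new account can sign in without a second factor.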

Enforcing or resetting 2FA for individual users

You can also enforce or reset 2FA on a user-by-user basis from each user's settings page, without enabling site-wide enforcement. This is useful for high-privilege admin accounts or for users who have lost access to their authenticator and need a reset.

Frequently Asked Questions

What happens if a user does not complete 2FA setup?
The user can browse away from the setup screen, but they will be redirected back to it at their next sign-in. They cannot bypass the setup once their account meets the age threshold.

Can I exempt specific users from 2FA enforcement?
Site-wide enforcement applies to all users whose accounts cross the age threshold. To grant individual exemptions, manage 2FA on a per-user basis from the user's settings page instead of using site-wide enforcement.

Will newer users be locked out?
No. The age threshold only applies once the user's account reaches the day count you set. New signups can use the site immediately without setting up 2FA, and they are prompted to set it up only after their account is old enough.

What if my user loses access to their authenticator app?
The user can click "I can't access the authenticator app" on the 2FA verification screen at sign-in, and a one-time code will be sent to their registered email address. See Two Factor Authentication for the full disable and recovery flow.

