# Admin Guide: MFA (Multi-Factor Authentication)
This guide explains how to enforce MFA and manage user MFA setup.
## Enabling MFA
- Toggle MFA enforcement in Global Settings or `config.json` (deployment-dependent).
- Choose whether to require MFA for all users or specific roles.
## User setup flow
1. User visits account settings and selects **Two-Factor Authentication**.
2. They scan a QR code with an authenticator app (for example, Google Authenticator) or enter a manual secret.
3. They confirm by entering a 6-digit code.
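
The enrollment and confirmation steps above, sketched server-side as an added example (not this product's code). It assumes standard TOTP (RFC 6238: HMAC-SHA-1, 30-second step, 6 digits), which authenticator apps such as Google Authenticator implement; all function names and the issuer and account values are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

STEP, DIGITS = 30, 6  # assumed RFC 6238 defaults

def new_secret() -> str:
    """160-bit random secret in base32: the 'manual secret' a user can type."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI that the enrollment QR code encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret: str, counter: int) -> str:
    """HOTP (RFC 4226) computed over the time-step counter."""
    key = base64.b32decode(secret, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, submitted, now=None, last_counter=-1, drift=1):
    """Return the matched time-step counter, or None.

    Accepts +/- `drift` steps of clock skew and rejects any step at or
    before `last_counter`, so a code cannot be replayed once used.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return None
    current = int((time.time() if now is None else now) // STEP)
    matched = None
    for counter in range(current - drift, current + drift + 1):
        # Constant-time comparison; every candidate step is always checked.
        ok = hmac.compare_digest(totp(secret, counter), submitted)
        if ok and counter > last_counter:
            matched = counter
    return matched

if __name__ == "__main__":
    secret = new_secret()  # store server-side, encrypted at rest
    print(provisioning_uri(secret, "alice@example.test", "ExampleApp"))  # constructed values
    code = totp(secret, int(time.time() // STEP))  # what the user's app would display
    print("enrollment confirmed:", verify(secret, code) is not None)
```

Mark MFA as enabled only after `verify` succeeds, and persist the returned counter as that user's `last_counter` for later logins.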
## Recovery
- Provide account recovery options (admin reset, secondary verification) and document the process with your admin team.
## Troubleshooting
- If users lose access to their authenticator app, admins can disable MFA for the account and require a reset.
