Skip to main content

Security & MFA Enforcement

Arcus lets every team member enroll multi-factor authentication (MFA) on their own account, and it lets a platform owner require MFA for everyone on an entity. Org-level enforcement is the control auditors look for under SOC 2 CC6.1 / CC6.6 and the one most vendor-security questionnaires ask about. This is a per-entity policy. In a multi-entity organization you can require MFA on the entity that needs it (for example your accounting entity) while leaving a sandbox or dev entity relaxed.

What you can configure

Open Settings → System → Security. You will find three controls:
SettingDefaultWhat it does
Require MFA for all membersOffWhen on, every member must enroll a factor or they are blocked from signing in.
Grace period for new members (days)7How long a member has from their invite to enroll before login is blocked. 0 requires enrollment on first login.
Allowed factorsAll threeWhich factor types satisfy the requirement: Security Key / Passkey (WebAuthn), Authenticator App (TOTP), Email Code.
SMS is intentionally not offered as a factor. SMS-based MFA is vulnerable to SIM-swap attacks; Arcus follows the industry direction of phasing it out in favor of passkeys, security keys, and authenticator apps.

How enforcement works

When the policy is on and a member has not yet enrolled a factor:
  1. During the grace window the member sees a countdown banner across the top of the app (“You have N days left to enroll a factor before you are locked out”) with a one-click link to set up MFA on their Profile → Security page.
  2. When the grace window expires the member is required to enroll before they can reach the rest of the app. They are routed to the MFA setup flow and cannot bypass it.
The grace window is measured from each member’s invite date, so existing members and brand-new invites are treated consistently.
This is an application-layer enforcement gate that works alongside the sign-in challenge itself. The Arcus policy decides whether an already-authenticated member must complete factor enrollment before using the app.

Avoiding lock-out

Arcus includes guardrails so you do not lock yourself or your team out:
  • You must enroll first. If you try to turn the policy on while your own account has no MFA factor, the save is blocked with a prompt to enroll on your Profile → Security page first.
  • A confirmation step tells you exactly how many members currently have no MFA and how long they have to enroll before they are affected.
  • You can turn it off again at any time. Every change is recorded in your activity log.

Auditing coverage

Open the MFA Coverage report from the Security settings page (“View full report”) to see, for every active member:
  • whether they have any MFA factor enrolled,
  • which factors (WebAuthn count, TOTP, Email),
  • the last factor used and when.
You can export the matrix to CSV for your security questionnaire or SOC 2 evidence package.
For most teams:
  1. Ask your team to enroll a passkey or security key (the strongest, phishing-resistant factor), with an authenticator app as a backup.
  2. Set the grace period to 7 days so new hires have time to enroll.
  3. Keep all three factors allowed unless your security policy specifically forbids email codes.
  4. Turn Require MFA for all members on, then watch the MFA Coverage report until everyone is enrolled.
See also: Configuring Your Entity for the rest of your entity setup.