> ## Documentation Index
> Fetch the complete documentation index at: https://docs.arcuserp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & MFA Enforcement

> Require multi-factor authentication for everyone on your Arcus entity, set a grace period, choose allowed factors, and audit MFA coverage. Meets SOC 2 CC6.1 / CC6.6.

# Security & MFA Enforcement

Arcus lets every team member enroll multi-factor authentication (MFA) on their own account, and
it lets a platform owner **require** MFA for everyone on an entity. Org-level enforcement is the
control auditors look for under SOC 2 CC6.1 / CC6.6 and the one most vendor-security
questionnaires ask about.

This is a per-entity policy. In a multi-entity organization you can require MFA on the entity
that needs it (for example your accounting entity) while leaving a sandbox or dev entity relaxed.

***

## What you can configure

Open **Settings → System → Security**. You will find three controls:

| Setting                                 | Default   | What it does                                                                                                         |
| --------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------- |
| **Require MFA for all members**         | Off       | When on, every member must enroll a factor or they are blocked from signing in.                                      |
| **Grace period for new members (days)** | 7         | How long a member has from their invite to enroll before login is blocked. `0` requires enrollment on first login.   |
| **Allowed factors**                     | All three | Which factor types satisfy the requirement: Security Key / Passkey (WebAuthn), Authenticator App (TOTP), Email Code. |

<Note>
  SMS is intentionally not offered as a factor. SMS-based MFA is vulnerable to SIM-swap attacks;
  Arcus follows the industry direction of phasing it out in favor of passkeys, security keys, and
  authenticator apps.
</Note>

***

## How enforcement works

When the policy is on and a member has not yet enrolled a factor:

1. **During the grace window** the member sees a countdown banner across the top of the app
   ("You have N days left to enroll a factor before you are locked out") with a one-click link
   to set up MFA on their Profile → Security page.
2. **When the grace window expires** the member is required to enroll before they can reach the
   rest of the app. They are routed to the MFA setup flow and cannot bypass it.

The grace window is measured from each member's invite date, so existing members and brand-new
invites are treated consistently.

<Note>
  This is an application-layer enforcement gate that works alongside the sign-in challenge
  itself. The Arcus policy decides whether an already-authenticated member must complete factor
  **enrollment** before using the app.
</Note>

***

## Avoiding lock-out

Arcus includes guardrails so you do not lock yourself or your team out:

* **You must enroll first.** If you try to turn the policy on while your own account has no MFA
  factor, the save is blocked with a prompt to enroll on your Profile → Security page first.
* **A confirmation step** tells you exactly how many members currently have no MFA and how long
  they have to enroll before they are affected.
* **You can turn it off again at any time.** Every change is recorded in your activity log.

***

## Auditing coverage

Open the **MFA Coverage** report from the Security settings page ("View full report") to see, for
every active member:

* whether they have any MFA factor enrolled,
* which factors (WebAuthn count, TOTP, Email),
* the last factor used and when.

You can export the matrix to CSV for your security questionnaire or SOC 2 evidence package.

***

## Recommended setup

For most teams:

1. Ask your team to enroll a **passkey or security key** (the strongest, phishing-resistant
   factor), with an **authenticator app** as a backup.
2. Set the grace period to **7 days** so new hires have time to enroll.
3. Keep all three factors allowed unless your security policy specifically forbids email codes.
4. Turn **Require MFA for all members** on, then watch the MFA Coverage report until everyone is
   enrolled.

See also: [Configuring Your Entity](/guides/configuring-your-entity) for the rest of your
entity setup.
