
Multi-Factor Authentication (MFA) Enforcement for Administrators

Multi-Factor Authentication (MFA) Enforcement

ServiceTitan enforces MFA for all administrators between January 12–23, 2026. Strengthen account security and prevent unauthorized access — setup takes minutes with minimal disruption.

Product overview

See MFA Enforcement in action

Watch the step-by-step TOTP MFA setup experience — from logging in after enforcement to completing authenticator app setup and saving recovery codes.

Setup

ServiceTitan enforces MFA for all administrators between January 12–23, 2026. This update strengthens account security, prevents unauthorized access, and ensures all administrators follow best-practice standards.

Setup checklist

Set granular MFA permissions

Control who has access and who receives security notifications. Limit the Manage MFA permission to a small, trusted group.

Review all impacted administrators

Use the new Privileged column on the Security screen to identify impacted users. Remove admin access from inactive accounts.

Enable MFA for Identity Services

Configure MFA in ServiceTitan. Start with TOTP only for all administrators — add SMS later after mobile numbers are verified.

Set up MFA with Google or Microsoft Authenticator App

Ask administrators to install a TOTP authenticator app in advance. Typical setup takes about 5 minutes.

Enable MFA in Enterprise Hub

Enterprise Hub users are also impacted. Complete MFA setup for Hub administrators before the enforcement date.

Who's impacted

Employees in ServiceTitan whose roles carry sensitive permissions, plus Enterprise Hub users. Employees who sign in through SSO with MFA enforced at the IdP are exempt.

Not a lockout

Administrators aren't locked out permanently. They're logged out and guided to complete MFA setup — then continue work immediately.

MFA Setup Flow for Administrators

Step 1: Administrator is logged out when enforcement starts.

Step 2: They go to the login screen and enter their credentials.

Step 3: They are immediately redirected to the authenticator app (TOTP) setup screen.

Step 4: A QR code appears to scan, or a setup key to enter manually into the authenticator app of their choice.

Step 5: They enter the 6-digit code from the app.

Step 6: They receive recovery codes and must save them in a secure place.

Step 7: After completing the setup, they continue into ServiceTitan. Typical TOTP setup time is about five minutes.
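The setup flow above (QR code or setup key, 6-digit code, recovery codes) is standard TOTP as defined in RFC 6238. The following is an added illustration, not ServiceTitan's code: it derives the codes from the shared secret and the clock (which is why the "works offline" point in the TOTP pros list holds), verifies a submitted code with a small drift window, and shows the one-time, hashed-at-rest handling that recovery codes need. The otpauth URI fields, the 8-code count and the SHA-256 hashing are assumptions for the example, not details taken from the page.

```python
import base64, hashlib, hmac, secrets, struct, time

DIGITS, STEP = 6, 30  # RFC 6238 defaults used by Google/Microsoft Authenticator

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, at // step)

def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift;
    compare in constant time so a partial match is not observable via timing."""
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + k * STEP), code):
            return True
    return False

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI a setup QR code encodes (assumed layout; base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def new_recovery_codes(n: int = 8) -> tuple[list[str], set[str]]:
    """Plaintext codes shown once to the user, and the hashed set kept server-side."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def redeem_recovery_code(stored: set[str], code: str) -> bool:
    """Each recovery code works exactly once: drop its hash on successful use."""
    h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if h in stored:
        stored.remove(h)
        return True
    return False

if __name__ == "__main__":
    secret = secrets.token_bytes(20)  # constructed sample secret for the demo
    print(provisioning_uri(secret, "admin@example.test", "ExampleIssuer"))
    now = int(time.time())
    print(totp(secret, now), verify_totp(secret, totp(secret, now), now))
```

The assertions below use the RFC 6238 reference secret, so the values can be checked against the RFC's own test vectors.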

Key workflows

Core workflows for preparing, managing, and supporting MFA enforcement across your organization.

Select the right MFA factor for your organization

Compare TOTP Authenticator App vs. SMS MFA to choose the best fit.

TOTP Authenticator App

Pros

Fast login experience
No phone number required
Works offline and internationally
Stronger security than SMS
Desktop authenticator options available

Cons

Requires installing an authenticator app (Google/Microsoft Authenticator, Okta Verify, or Duo)

SMS MFA

Pros

No app required
Familiar and fast setup

Cons

Requires a verified mobile number
Shared devices not supported
If a phone number changes after MFA is set up, administrators with the Manage MFA permission receive a security notification.
Higher lockout risk if numbers are outdated
Delivery varies internationally
Requires a password reset for initial setup

Tip: Start with TOTP only for all administrators. Add SMS later, after mobile numbers are verified.

Prepare your organization for enforcement

Role validation, permissions cleanup, contact prep, internal readiness, and communications.

Role and access validation

Review all employees with roles containing sensitive permissions
Remove administrator access from inactive or irrelevant accounts
Ask your CSM for a list of impacted employees
Use the new Privileged column on the Security screen to identify impacted users before enforcement

Permissions cleanup

Limit the Manage MFA permission to a small group of trusted administrators
These administrators receive security notifications, for example when a mobile number changes after SMS MFA is enforced
Set granular MFA permissions in ServiceTitan to control who has access and who receives notifications

Contact and device preparation

Clean up administrator employee profiles by adding and verifying mobile numbers (if supporting SMS)
Inform administrators that SMS requires a valid mobile number and that changes trigger security alerts to administrators with the Manage MFA permission
Decide which authenticator apps to recommend and ask administrators to install in advance

Internal readiness

Establish an internal MFA support team

Identify one to three administrators to answer questions, reset or unlock accounts, and monitor alerts
Restrict the Manage MFA permission to this small group
These administrators receive security notifications, such as when a mobile number changes after SMS MFA setup
If you plan to use SMS for some administrators, advise these administrators to set up an email filter to automatically organize or flag mobile-number-change notifications

Prepare support availability for wave rollouts

Plan for the highest support activity in the hours immediately after each enforcement wave starts
Ensure at least one MFA support administrator is available during each wave
Notify your CSM of your enforcement schedule so they can coordinate support if needed

Communicate expectations clearly

Notify administrators at least 72 hours before their enforcement wave
Tell them enabling MFA will log them out immediately
Provide links to recommended authenticator apps
Clarify when enforcement will occur and who to contact with MFA questions to reduce help desk tickets
Use the MFA Communication templates to notify your users of the upcoming enforcement (optional)

Prepare for edge cases

Dual-role administrators, such as Administrator + Technician or Administrator + Employee, may need extra guidance
MFA is tied to the individual, not the device
SSO employees with IdP MFA aren't impacted by enforcement
Administrators with unmonitored inboxes may miss important MFA communications. Confirm that their email addresses are current and monitored

Leadership, IT, and security alignment

Notify IT and Security teams of MFA wave timing
Confirm who is responsible for supporting administrators during MFA setup
Discuss whether administrator rollout will act as a pilot for later expansion to other roles (optional)

Prepare internal materials and quick guides

Links to recommended authenticator apps
Steps for TOTP setup
How to store and use recovery codes
How to reach your internal support
What to expect immediately after logout and after successful setup

Enforcement process

What to expect during enforcement, tools for Manage MFA admins, and escalation paths.

What happens during enforcement

Administrators without MFA configured are logged out when enforcement begins for their cohort
SMS becomes available when enforcement begins
When they sign back in, they are directed to the authenticator app (TOTP) setup flow — this is not a lockout
SSO accounts with IdP MFA enabled are exempt from ServiceTitan's enforcement

Administrators with existing MFA

If an administrator already set up TOTP or SMS, enforcement does not interrupt their session
If both TOTP and SMS are configured, the employee can choose their preferred factor at login

Who is included versus excluded

Included: Employees who have any role with Administrator in the role name or who have the built-in Administrator role, even if renamed
Excluded: Employees and technicians who are not administrators are not part of this enforcement and will not be prompted

Tools for administrators with Manage MFA permission

Reset TOTP MFA — clears TOTP configuration and forces the employee to set up from scratch
Disable MFA (SMS, TOTP, or both) — use sparingly for temporary exception scenarios
Lock or unlock an account — pause access during a breach investigation or long-term absence
View MFA status — confirm which administrators are pending, completed, or unconfigured
Troubleshoot MFA errors — use the Audit Trail to investigate failed login attempts and account changes

What to expect during enforcement

Employees will reach out after being logged out. Prepare your internal support team for questions like:

Why did I get logged out?
Which authenticator app should I use?
What if I don't want to use TOTP? Is there another option?

Step 1: Share resources — Provide a short list of recommended apps (Google Authenticator, Microsoft Authenticator, or Authy) and clear instructions for downloading on iOS and Android.

Step 2: Support MFA resets — Resetting MFA forces a new login and a new setup. Ensure at least one administrator with the Manage MFA permission is available during early enforcement hours.

Step 3: Expect increased support activity — After each enforcement wave, your internal support team and CSM should remain on standby. Consider scheduling extra coverage around your assigned enforcement window.

Step 4: Address SSO confusion — Some administrators may not realize MFA is enforced at their IdP, not in ServiceTitan. Reminder: If you authenticate through SSO and MFA is enforced at your IdP, you will not see the ServiceTitan MFA screen.

Escalation paths

Internal path: Employee → Internal MFA Support Administrator → Reset or disable MFA as needed. Only escalate to ServiceTitan CSM/Support if the reset flow cannot resolve the issue.
Escalate to your CSM if multiple employees can't authenticate, there's an SSO discrepancy, or you need feature-gate changes
Contact ServiceTitan Support for MFA loops, high-volume failures, suspected account compromise, or inability to reset MFA

After administrator enforcement

Administrator enforcement in Winter 2025 Release (ST-76) is the first phase of a broader MFA program. Enforcement for employees and technicians is planned for a February–March 2026 timeframe.

Review your administrator rollout experience and adjust your plan for employees and technicians
Verify phone numbers for SMS MFA, prepare device guidance for technicians, and coordinate with IT on upcoming waves
Confirm which employees rely on shared equipment and plan how they will handle MFA
Future waves follow similar principles: communicate early, enable in manageable cohorts, prepare internal support, and test ahead in Practice and Next

Email templates

Ready-to-use templates to notify your users of upcoming MFA enforcement.

Troubleshooting & FAQ

Quick solutions to common issues and answers to frequently asked questions.

Troubleshooting

Step-by-step guides to resolve the most common issues.

Frequently Asked Questions

Check out the most frequently asked questions for the MFA enforcement process.

Will administrators be locked out if they don't set up MFA before enforcement?

No. They'll be logged out and guided to complete MFA. They can continue when setup is completed.

How long does an MFA setup take?

TOTP setup takes about 5 minutes, including downloading an authenticator app and enrolling your account. SMS setup requires receiving a code by text message and entering it.

Do we need to enable both SMS and TOTP?

No. TOTP is the only required factor for the Winter 2025 Release (ST-76). SMS can be enabled later. If you enable both factors, employees can choose which one to use at login.

What if an administrator loses their device?

They can use recovery codes or ask another administrator with the Manage MFA permission to reset MFA for them.

What if our SSO already enforces MFA?

If MFA is enforced by the IdP, those administrators are not impacted by enforcement.

What if a phone number changes after SMS is enabled?

Administrators with the Manage MFA permission receive an alert as a security measure.

Can employees self-enable MFA?

Administrators with the Manage MFA permission can enable MFA for an employee. The employee must set up their MFA upon enablement.

Can employees select between SMS and TOTP?

Yes, but during enforcement, only TOTP is required. If both are enabled, employees can select either at login.

Can we test ahead of time?

Yes, use the ServiceTitan Practice or Next environments to test MFA setup safely.

Can you turn off the MFA Phone Number Change email?

This notification is essential to prevent account takeovers: it ensures administrators are alerted to any phone number change. To manage the volume of notifications, limit the Manage MFA permission to a small number of people, and have those administrators use an email filter to organize or flag these messages.

Documentation

Use these articles and videos to train your team and support your rollout.