Protect privileged accounts automatically with MFA Enforcement


Mandatory Workflow Change

This change will automatically apply to all customers with this release. Review the new workflow and update your team training materials before the release date.

ServiceTitan now requires multi-factor authentication (MFA) for all users who hold high-risk permissions, reducing the chance of unauthorized access to sensitive data and account settings. This is an improvement to the existing MFA enforcement.

MFA settings page displaying user profiles and filtering options for privileged users.

What's changing?

Before this improvement, MFA enforcement only applied to Administrator users. Users with high-risk permissions, such as the ability to view billing data or modify user roles, could log in with only a username and password. This left sensitive areas of ServiceTitan exposed.

Now, ServiceTitan automatically enforces MFA for any user who holds one or more of the designated privileged permissions. On the user's first login after their tenant is enrolled in the rollout, they must verify their identity with an existing MFA method or set one up if they have none. Administrators can use a new Privileged column on the Security settings page to see which users will be affected before enforcement takes place.


Before and After

Before (Current)

  1. An office employee has permission to view billing or credit card information.

  2. The employee logs in using only a username and password.

  3. No additional verification is required.

  4. The employee accesses billing data without MFA protection.

Impact: Accounts with sensitive financial or administrative permissions have no additional authentication layer, increasing the risk of unauthorized access.


After

  1. ServiceTitan identifies the employee as Privileged based on their permissions.

  2. When the tenant is enrolled in the rollout, the employee's session ends and MFA is required at next login.

  3. If the employee already has MFA set up, they complete their existing SMS or time-based one-time password (TOTP) challenge.

  4. If the employee has not set up MFA, ServiceTitan sets SMS as the default method if a verified mobile number is on file. Otherwise, a TOTP setup screen appears.

  5. After the employee completes MFA setup or verification, access is granted.

Impact: All users with high-risk permissions must verify their identity at login, reducing the risk of fraud and unauthorized access to sensitive data.

Who uses this feature

  • All business types

  • Administrators

  • Region availability: All regions

How it works for your industry

Residential Service and Replacement

  • An office manager has the View billing or credit card information permission to process customer payments. When the enforcement reaches their tenant, the manager's next login requires MFA. If the manager already has SMS set up, they enter their code and continue. Administrators can visit Security > MFA, filter the Privileged column, and confirm the manager's phone number is verified before enforcement.

  • A back-office employee who processes invoices has the Email invoice permission. After enforcement, they are prompted to set up TOTP using an authenticator app since no verified mobile number is on file. The process takes fewer than two minutes and does not disrupt their daily workflow once complete.

  • A service coordinator has the Import/export data permission to pull job reports. ServiceTitan flags this user as Privileged, and their account requires MFA at next login. The administrator sees this user in the Privileged column and proactively notifies them before enforcement takes effect.

Commercial Service and Replacement

  • A regional operations manager has the Assign user roles permission to onboard new technicians across multiple business units. After enforcement, the manager must enter an SMS verification code at each login. Administrators can confirm the manager's mobile number is verified ahead of time by reviewing the Security > MFA page.

  • A billing specialist holds the AR Management permission to manage accounts receivable across commercial accounts. ServiceTitan requires MFA at this user's next login. If no phone number is on file, the specialist sets up TOTP using a supported authenticator app.

  • A branch administrator has the Manage MFA permission to configure authentication settings for staff. This user is automatically flagged as Privileged. After enforcement, the administrator logs in, completes their existing MFA challenge, and proceeds without further interruption.

Residential Construction

  • A project accountant has the Edit general ledgers account permission. During the rollout, the accountant's session ends and MFA is required at next login. The administrator uses the Privileged column filter on the Security > MFA page to identify this user in advance and ensure their phone number is verified.

  • An office employee has the Import/export data permission to pull project cost reports. When their tenant is enrolled in the cohort, the employee is prompted to complete SMS verification the next time they log in.

  • A construction superintendent has the Activate/deactivate employees permission for managing seasonal crew. ServiceTitan marks this user as Privileged and requires MFA. The administrator can use the MFA Event Log (formerly the MFA Error Log) to monitor authentication activity after enforcement begins.

Commercial Construction

  • A financial controller holds the AR Management > Bulk charge statement balance permission. After the enforcement, the controller must complete MFA at login. Administrators can prepare by visiting Security > MFA, filtering by Privileged users, and confirming verified contact information is in place.

  • A project coordinator has the Generate API Application Key permission to manage third-party integrations. ServiceTitan requires this user to complete MFA at their next login, because a compromised account holding this permission can be used to issue API keys and expose integration access.

  • A compliance officer has both View billing or credit card information and Edit another user's username or password permissions. ServiceTitan flags this user as Privileged due to either permission and enforces MFA accordingly at next login.

How to Prepare?

  1. No configuration is required on your side. This improvement is enforced by ServiceTitan through a cohort-based rollout.

  2. Review your Privileged users before your cohort date. Navigate to Settings > Security > MFA. Use the new Privileged column to identify which users will be required to set up MFA. Confirm that each user has a verified mobile phone number to allow SMS-based verification, or inform them they will need to configure a TOTP authenticator app. Where a user can choose, a TOTP authenticator app is the stronger option: SMS codes can be intercepted through SIM-swap or SS7 attacks, which is why NIST SP 800-63B treats SMS as a restricted authenticator.

  3. Check the rollout timeline. ServiceTitan is enrolling tenants in cohorts beginning March 30, 2026. When your tenant is enrolled, affected users will be logged out and required to complete MFA at their next login. Bookmark the Security > MFA page so you can monitor status during the rollout period.

  4. Notify affected users. Identify users who appear in the Privileged column and communicate the change before your tenant's enrollment date. Let them know they will be prompted to verify or set up MFA at their next login.

  5. Monitor activity after enforcement. Use the MFA Event Log (previously labeled MFA Error Log) in the Security settings to track authentication events and identify any users who need help completing MFA setup.
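The following pre-rollout audit models the rules in the After section and in step 2 above. It is an added example written for this page, not ServiceTitan code: the permission list is assembled from the examples on this page and is assumed to be incomplete, and the user records are constructed sample data rather than any export format ServiceTitan provides. Given a list of users, it reproduces the Privileged flag, predicts what each flagged user will see at their first login after enrollment, and lists the users who need to be notified because they will land on a setup screen rather than a familiar challenge.

```python
"""Pre-rollout audit for privileged-user MFA enforcement (added example).

Rules modelled from the release note:
  * a user is Privileged if they hold one or more designated permissions;
  * at next login, a user already enrolled in SMS or TOTP gets their existing
    challenge, a user with a verified mobile number defaults to SMS, and
    everyone else is sent to the TOTP setup screen.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Iterable, List, Optional


class Route(Enum):
    """What the user will see at their first login after the tenant is enrolled."""
    NOT_AFFECTED = "not affected"
    EXISTING_CHALLENGE = "existing MFA challenge"
    SMS_DEFAULT = "SMS enrolled automatically (verified number on file)"
    TOTP_SETUP = "TOTP setup screen"


# Assumption: these are the designated privileged permissions named on this
# page; the real designated set is defined by ServiceTitan and may be longer.
PRIVILEGED_PERMISSIONS: FrozenSet[str] = frozenset({
    "View billing or credit card information",
    "Email invoice",
    "Import/export data",
    "Assign user roles",
    "AR Management",
    "AR Management > Bulk charge statement balance",
    "Manage MFA",
    "Edit general ledgers account",
    "Activate/deactivate employees",
    "Generate API Application Key",
    "Edit another user's username or password",
})


@dataclass
class User:
    name: str
    permissions: FrozenSet[str] = field(default_factory=frozenset)
    mfa_method: Optional[str] = None   # "SMS", "TOTP", or None if not enrolled
    mobile_verified: bool = False


def is_privileged(user: User) -> bool:
    """A single designated permission is enough to be flagged Privileged."""
    return bool(user.permissions & PRIVILEGED_PERMISSIONS)


def route_at_next_login(user: User) -> Route:
    """Decision tree from the After section: existing MFA, then SMS, then TOTP."""
    if not is_privileged(user):
        return Route.NOT_AFFECTED
    if user.mfa_method in ("SMS", "TOTP"):
        return Route.EXISTING_CHALLENGE
    if user.mobile_verified:
        return Route.SMS_DEFAULT
    return Route.TOTP_SETUP


def privileged_report(users: Iterable[User]) -> Dict[str, Route]:
    """Mirror of the Privileged column: name -> what happens at next login."""
    return {u.name: route_at_next_login(u) for u in users if is_privileged(u)}


def needs_outreach(users: Iterable[User]) -> List[str]:
    """Privileged users who will hit a setup screen rather than a familiar
    challenge; these are the people step 4 says to notify before enrollment."""
    return [u.name for u in users
            if route_at_next_login(u) in (Route.SMS_DEFAULT, Route.TOTP_SETUP)]


# Constructed sample data, not a real ServiceTitan export.
SAMPLE_USERS = [
    User("office manager", frozenset({"View billing or credit card information"}), "SMS", True),
    User("back-office clerk", frozenset({"Email invoice"})),
    User("service coordinator", frozenset({"Import/export data"}), None, True),
    User("dispatcher", frozenset({"View jobs"})),
    User("branch admin", frozenset({"Manage MFA", "Assign user roles"}), "TOTP", False),
]

if __name__ == "__main__":
    for name, route in privileged_report(SAMPLE_USERS).items():
        print(f"{name:20} {route.value}")
    print("notify before cohort date:", needs_outreach(SAMPLE_USERS))
```

Run against an export of your own users and the `needs_outreach` list is the set of people to contact before the cohort date; anyone it places on the TOTP path has no verified mobile number and will be blocked at login until they finish setting up an authenticator app.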