Mandatory Workflow Change
This change will automatically apply to all customers with this release. Review the new workflow and update your team training materials before the release date.
This improvement to multi-factor authentication (MFA) in Enterprise Hub (EH) gives every EH account baseline security from its first login, helping reduce gaps that can leave your account exposed.
What's changing?
Previously, Enterprise Hub (EH) users could exist without multi-factor authentication (MFA) configured unless an administrator manually set it up. This left some accounts unprotected, especially when new users were created and no one took the extra step to turn on security settings.
With this improvement, all EH users now have time-based one-time password (TOTP) enabled by default. If a user has a phone number on file, SMS is also enabled. New users are provisioned with TOTP active at creation. At least one MFA method must remain active for every EH user — no account can have all methods turned off.
Administrators can still manage MFA per user from the User Page or the Security tab, and accounts already enforced under earlier MFA rollouts are not affected.
Resources
Before and After
Before (Current)
An administrator creates a new Enterprise Hub (EH) user to manage tenant configurations.
The new user is added without multi-factor authentication (MFA) enabled.
An administrator must manually enable time-based one-time password (TOTP) or SMS for that user.
If no action is taken, the user logs in with no MFA protection in place.
Impact: EH users may access network-level controls without any MFA active, creating security exposure across your organization.
Try the current workflow in your account.
After
An administrator creates a new Enterprise Hub (EH) user to manage tenant configurations.
Time-based one-time password (TOTP) is enabled for the new user automatically at creation.
If the user has a phone number on file, SMS is also enabled.
The user completes MFA setup at their next login.
At least one MFA method remains active — no account can be left unprotected.
Impact: All EH users have baseline MFA protection from their first login, reducing security risk across your Enterprise Hub network.
Who uses this feature
All business types
Administrators
Region availability: All regions
How it works for your industry
Residential Service and Replacement
A multi-location heating, ventilation, and air conditioning (HVAC) company uses Enterprise Hub (EH) to manage five tenant locations. An administrator adds a new EH user to oversee tenant-level settings. Time-based one-time password (TOTP) is enabled for the new user automatically at creation — no manual security setup is needed.
A business owner reviews their Enterprise Hub network after an employee leaves. The replacement EH user is created with TOTP active by default, so the account is protected before their first login.
An administrator needs to switch a user from TOTP to SMS authentication. As long as the user has a phone number on file and SMS remains active, TOTP can be turned off — keeping the account protected with at least one multi-factor authentication (MFA) method.
Commercial Service and Replacement
A commercial plumbing contractor manages multiple regional offices through Enterprise Hub (EH). A new office manager is added as an EH user to handle tenant configurations. Time-based one-time password (TOTP) is enabled automatically — no additional steps are needed to secure the account during onboarding.
An administrator verifies the security posture of the network before an internal audit. All EH users have at least one multi-factor authentication (MFA) method active — no accounts exist in an unprotected state.
A new EH user is created with a phone number on file. Both TOTP and SMS are enabled at creation, giving the user two options when they verify their identity at login.
Residential Construction
A residential builder uses Enterprise Hub (EH) to oversee procurement and user access across several subsidiary tenants. A project coordinator is added as a new EH user. Time-based one-time password (TOTP) is active from the moment the account is created, so the coordinator logs in securely on their first attempt.
A team member's EH access needs to be reviewed after a role change. An administrator checks MFA settings from the User Page and sees TOTP is already configured — no additional action is required.
An EH user created without a phone number on file still has TOTP enabled by default. This ensures every account has at least one multi-factor authentication (MFA) method active, even when SMS is not available.
Commercial Construction
A commercial general contractor managing multiple entity tenants through Enterprise Hub (EH) adds a new project administrator. Time-based one-time password (TOTP) is enabled automatically at account creation, reducing the risk of unauthorized access to tenant-level configurations.
A network administrator confirms all EH users meet the company's internal security policy. All accounts have at least one multi-factor authentication (MFA) method active, making the review straightforward.
An EH user who was already enforced under a previous MFA rollout is not affected by this improvement. Their existing settings remain in place.
How to Prepare?
ServiceTitan will enable this improvement for your Enterprise Hub network as part of a gradual rollout. No action is needed to request access.
Confirm that Enterprise Hub users who prefer SMS authentication have a phone number saved in their user profile before the rollout reaches your network.
Train administrators on how to manage MFA settings per user from the User screen and the Security tab in Enterprise Hub.
Align your team on the minimum protection rule: at least one MFA method must remain active for every EH user.
