Enforce Multi-Factor Authentication (MFA) for employees with sensitive permissions


Overview

To better protect customer data and critical business settings, ServiceTitan is enforcing multi-factor authentication (MFA) for employees with high-risk permissions. MFA adds a layer of protection to financial information, employee accounts, and system-wide configurations. In upcoming releases, MFA will be automatically enforced for employees who have access to sensitive permissions.


Who uses this feature

  • Administrators

  • Applies to all business types

  • Applies to all trades

Prepare employees for MFA enforcement

To reduce login disruptions when MFA enforcement begins, prepare your employees:

  • Review which employees hold any of the sensitive permissions listed in the View sensitive permissions section. The Privileged column on the Security > MFA screen shows this per employee.

  • Audit role templates to understand which roles include sensitive permissions, since a permission inherited from a role triggers enforcement just as an individual override does.

  • Communicate the upcoming MFA requirement to impacted employees before enforcement starts.

  • Ensure impacted employees either have a verified mobile phone number or are prepared to configure an authenticator app. Where you have the choice, prefer the authenticator app: SMS one-time codes are exposed to SIM-swap and interception attacks that a TOTP app is not.

  • Schedule time for impacted employees to complete MFA setup before enforcement, so that the forced logout does not land in the middle of their work.

Things to know

  • MFA is required for all employees in your account who have at least one of the sensitive permissions.

  • If an employee is granted one of these permissions, MFA automatically turns on for that employee.

  • Employees who were already required to use MFA, for example, employees with the Administrator role, remain required to use MFA.

  • MFA enforcement applies regardless of how the permission is granted:        

    • Through an employee role

    • Through an individual permission override

View sensitive permissions

The following 19 permissions are considered high risk and always require MFA when assigned to an employee.

Permission area | Area description | Permission names

User & Access Management | Permissions that allow employees to create, edit, or disable access

  • Edit employee/technician

  • Edit another user's username or password

  • View or update user employee permissions

  • Allow editing of reporting permissions

  • Activate/deactivate employees

  • Assign user roles

Security & Authentication Settings | Permissions that allow employees to control authentication or security

  • View MFA

  • Edit MFA

  • Receive Mobile Change Notification

  • Receive Incorrect Mobile Notification

Financial & Accounting Access | Permissions that provide access to financial data or customer billing

  • View billing or credit card information

  • Edit general ledger account

  • AR Management

  • AR Management > View/email customer statements

  • AR Management > Bulk charge statement balance

  • Email invoice

Data Export & Bulk Operations | Permissions that allow bulk access to company data

  • Import/export data

Mass Communication Tools | Permissions that enable system-wide communication

  • Phone settings

Integrations & API Management | Permissions that allow system-level integrations

  • Generate API Application Key

Learn about the enforcement process

If an employee already has a sensitive permission

  • MFA is automatically enforced for that employee.

  • The employee is logged out of ServiceTitan.

  • On the next login attempt, the employee must either:

    • Enter a one-time SMS code, if the account has a verified mobile phone number, or

    • Set up a Time-Based One-Time Password (TOTP) authenticator app.

For example: Employee A has View billing or credit card information enabled. When enforcement occurs, the employee is logged out and prompted to complete MFA during the next login.

If a sensitive permission is added later

  • The employee's MFA toggle automatically switches to on.

  • Administrators can't disable MFA while the employee retains that permission.

For example: Employee B did not previously have sensitive permissions. An administrator assigns Edit general ledger account to Employee B.

Result:

  • MFA automatically turns on for Employee B.

  • The administrator cannot disable MFA while this permission remains assigned.

If a sensitive permission is removed

If an employee had MFA enforced due to a sensitive permission and that permission is later removed:

  • The MFA toggle remains on.

  • Administrators can manually disable MFA after saving the permission change.

For example: Employee C had Edit general ledger account, and MFA was enforced.
An Administrator removes the permission and clicks Save.

Result:

  • MFA remains on.

  • Administrators can now manually switch MFA off for the employee.
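The preparation steps above (find impacted employees, audit role templates, spot who still needs to set up a factor) and the three enforcement cases (permission already held, added later, removed later) can be checked ahead of time against an export of your own employee and role data. The following script is an added example written for this page; it is not ServiceTitan code and does not call the ServiceTitan API. It models the page's rules over a small in-memory data set that is constructed here, and the field names (role, overrides, verified_mobile, mfa_enabled) and the role templates are assumptions you would replace with your own export.

```python
"""Model of the sensitive-permission MFA rule, for pre-enforcement auditing.

Added example, not ServiceTitan code. Data shapes are assumptions.
"""
from dataclasses import dataclass, field

# The 19 permissions the page lists as sensitive (high risk).
SENSITIVE_PERMISSIONS = frozenset({
    "Edit employee/technician",
    "Edit another user's username or password",
    "View or update user employee permissions",
    "Allow editing of reporting permissions",
    "Activate/deactivate employees",
    "Assign user roles",
    "View MFA",
    "Edit MFA",
    "Receive Mobile Change Notification",
    "Receive Incorrect Mobile Notification",
    "View billing or credit card information",
    "Edit general ledger account",
    "AR Management",
    "AR Management > View/email customer statements",
    "AR Management > Bulk charge statement balance",
    "Email invoice",
    "Import/export data",
    "Phone settings",
    "Generate API Application Key",
})

# Constructed role templates (assumption: role name -> permissions it grants).
ROLES = {
    "Administrator": {"Assign user roles", "Edit MFA", "View MFA"},
    "Bookkeeper": {"Edit general ledger account", "Email invoice"},
    "Dispatcher": {"View jobs", "Edit jobs"},
    "CSR": {"View jobs"},
}


@dataclass
class Employee:
    name: str
    role: str
    overrides: set = field(default_factory=set)  # individual permission overrides
    verified_mobile: bool = False                 # can receive SMS codes
    mfa_enabled: bool = False                     # the MFA toggle on the MFA screen


def effective_permissions(emp):
    """Role permissions plus overrides: enforcement looks at both sources."""
    return ROLES.get(emp.role, set()) | emp.overrides


def sensitive_permissions_of(emp):
    return effective_permissions(emp) & SENSITIVE_PERMISSIONS


def mfa_required(emp):
    """MFA is mandatory while at least one sensitive permission is held."""
    return bool(sensitive_permissions_of(emp))


def apply_enforcement(emp):
    """Run after a permission save: a sensitive grant switches MFA on.
    Removing the permission does not switch it back off."""
    if mfa_required(emp):
        emp.mfa_enabled = True
    return emp.mfa_enabled


def try_disable_mfa(emp):
    """An administrator's attempt to switch MFA off. Refused while required."""
    if mfa_required(emp):
        return False
    emp.mfa_enabled = False
    return True


def audit(employees):
    """Prep report: who will be forced into MFA, who of those has neither a
    verified mobile number nor MFA already on (so must set up TOTP), and
    which role templates carry a sensitive permission."""
    forced = [e.name for e in employees if mfa_required(e)]
    needs_setup = [e.name for e in employees
                   if mfa_required(e) and not e.verified_mobile and not e.mfa_enabled]
    roles_with_sensitive = sorted(r for r, p in ROLES.items() if p & SENSITIVE_PERMISSIONS)
    return forced, needs_setup, roles_with_sensitive


def scenario_permission_added():
    """Employee B: no sensitive permission, then Edit general ledger account is added."""
    b = Employee("Employee B", "Dispatcher")
    apply_enforcement(b)
    b.overrides.add("Edit general ledger account")
    apply_enforcement(b)
    return b.mfa_enabled, try_disable_mfa(b)   # (True, False): on, and can't be disabled


def scenario_permission_removed():
    """Employee C: had the permission and MFA enforced, then the permission is removed."""
    c = Employee("Employee C", "Dispatcher", overrides={"Edit general ledger account"})
    apply_enforcement(c)
    c.overrides.discard("Edit general ledger account")
    apply_enforcement(c)
    still_on = c.mfa_enabled
    return still_on, try_disable_mfa(c)       # (True, True): stays on, but may now be disabled


if __name__ == "__main__":
    staff = [Employee("Employee A", "Bookkeeper", verified_mobile=True),
             Employee("Employee D", "CSR"),
             Employee("Employee E", "Dispatcher", overrides={"Import/export data"})]
    print("forced, needs TOTP setup, roles with sensitive perms:", audit(staff))
    print("added:", scenario_permission_added(), "removed:", scenario_permission_removed())
```

Run it against your own export and the needs_setup list is the group to walk through authenticator-app enrollment before enforcement; the roles list tells you which templates will pull every member into MFA the moment they are assigned.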

Frequently Asked Questions


Can Administrators disable MFA for employees with sensitive permissions?

No. As long as an employee has at least one of the listed sensitive permissions, MFA cannot be disabled.

Does this apply to employees who are not administrators?

Yes. Any employee, whether or not they are an administrator, must use MFA if they have one or more of the listed permissions.

What happens to new employees created after enforcement?

If a new employee is assigned one of the sensitive permissions, MFA is automatically turned on for that employee. Administrators cannot disable MFA while the sensitive permission remains assigned.
