Multi-Factor Authentication (MFA) FAQ


Overview

General MFA information

What permission is required to manage MFA settings?

To manage MFA settings, you must enable the Allow manage MFA permission in your profile. Go to Settings > People > Employees, edit your profile, select the Permissions tab, enable Allow manage MFA, and save your changes. For more, see Enable Multi-Factor Authentication for identity services.

What is the correct way to enable MFA for multiple employees or technicians?

To avoid login failures, enable MFA separately for office employees and technicians.

  1. Go to Settings > Security > MFA.

  2. Select and enable all office employees as a group.

  3. Select and enable all technicians as a separate group.

Note: If a user has both an office employee and a technician profile, MFA must be enabled separately for each profile type. The same mobile phone number must be listed in both profiles.

Can I test MFA in the Next and Practice environments?

Yes, you can. We recommend testing MFA for your administrator accounts before enabling it in the Go environment.

Does MFA support international phone numbers?

No, MFA currently supports only domestic phone numbers from the USA, Canada, and Australia. Phone numbers must follow the formatting standards for these countries. For employees with international phone numbers, contact your success manager.

How many login attempts are allowed before lockout?

Employees are locked out after five unsuccessful login attempts.

What triggers an MFA cooldown period?

A cooldown starts after 10 consecutive SMS code requests without successful verification.

How long is the MFA cooldown period?

The cooldown lasts one hour. If another verification is initiated during this time, the cooldown resets for another hour.
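The trigger and reset rules above, modeled as a small state machine. This is an added example, not ServiceTitan's code. The class and function names are hypothetical, and two behaviors are assumptions: the 10th request is still sent before the cooldown starts, and an expired cooldown clears the counter.

```python
from dataclasses import dataclass

MAX_REQUESTS = 10          # from the FAQ: 10 consecutive SMS code requests
COOLDOWN_SECONDS = 3600    # from the FAQ: the cooldown lasts one hour


@dataclass
class SmsCooldown:
    """Per-account state; times are seconds on any consistent clock."""
    unverified_requests: int = 0
    cooldown_until: float = 0.0

    def request_code(self, now: float) -> bool:
        """Return True if an SMS code may be sent at time `now`."""
        if now < self.cooldown_until:
            # A new attempt during the cooldown restarts the full hour.
            self.cooldown_until = now + COOLDOWN_SECONDS
            return False
        if self.cooldown_until:
            # Assumption: an expired cooldown clears the counter.
            self.unverified_requests = 0
            self.cooldown_until = 0.0
        self.unverified_requests += 1
        if self.unverified_requests >= MAX_REQUESTS:
            # Assumption: the 10th request is still sent, then the cooldown starts.
            self.cooldown_until = now + COOLDOWN_SECONDS
        return True

    def verified(self) -> None:
        """A successful verification breaks the run of consecutive requests."""
        self.unverified_requests = 0


def replay(events):
    """Replay constructed (time, action) events; return one outcome per event."""
    state, outcomes = SmsCooldown(), []
    for now, action in events:
        if action == "request":
            outcomes.append(state.request_code(now))
        else:  # "verify"
            state.verified()
            outcomes.append(True)
    return outcomes
```

The practical consequence for support: a locked-out user who keeps requesting codes keeps extending the cooldown, so the advice is to stop and wait the full hour.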

When does the Session Timeout screen appear?

It appears when:

  • You enter your password and reach the code entry screen.

  • You receive the code but take no action for 30 minutes.

  • After timeout, entering the code redirects you to an error page.

Are employees notified by email when the administrator enables MFA?

No, employees do not receive an email when MFA is enabled by an administrator.

When and where can I access my recovery codes, and who can see them?

You only see your recovery codes the first time you log in. Be sure to save them in a secure location, as you need a code if you lose access to your mobile device. Recovery codes are provided only to employees with an Administrator role.

What's the difference between the SMS and TOTP MFA methods?

SMS sends a verification code to the mobile phone number on your profile, while TOTP uses an authentication app, such as Google Authenticator or Authy, to generate a temporary code. Both add account security, but TOTP is generally more secure and does not depend on SMS delivery.

SMS MFA

Does SMS MFA support international phone numbers?

No, MFA currently supports only domestic phone numbers from the USA, Canada, and Australia. Phone numbers must follow the formatting standards for these countries. For employees with international phone numbers, contact your success manager.

Which phone number is used for SMS MFA?

The mobile phone number in the employee or technician profile is used for MFA.

TOTP Information

How do I reset an employee's or technician's TOTP?

Administrators can reset TOTP in two ways:

  • From MFA settings: Go to Settings > Security > MFA, click More next to the employee or technician, select Reset TOTP, then confirm.

  • From employee profile: Go to Settings > People > Employees, edit the employee profile, open Multi-Factor Authentication, click More > Reset TOTP, then confirm.

After reset, the employee or technician must set up their authentication app again at login.

When do I need to reset TOTP for an employee or technician?

You should reset TOTP when an employee or technician loses access to their mobile device or authenticator app and needs to set it up again. After you reset TOTP, the employee or technician is prompted to scan a new QR code to reconfigure their authenticator app.

Do I need a phone number to use TOTP MFA?

No, you don't need a phone number.

What Authenticator App can I use for TOTP MFA?

You can use Google or Microsoft Authenticator apps. For more, see Set up MFA with Google or Microsoft Authenticator.

Can different employees or technicians use different Authenticator Apps for TOTP MFA?

Yes, each employee or technician can select which authenticator app to use.

What kind of devices are required for the TOTP authenticator app?

The TOTP authenticator app works on both mobile devices and computers. We recommend using a mobile device, since authenticator apps are quick, reliable, and can be used on the same phone where you use the ServiceTitan app.

If employees prefer not to use their personal phones, they can instead use a browser-based authenticator extension or a desktop authenticator app installed on a Windows PC or Mac.

Is connectivity, such as internet or mobile data, required to use an authenticator app?

No, after the initial setup of the authenticator app, it no longer requires a connection to receive codes.

Troubleshooting

Why am I receiving mobile number change emails for other employees or technicians, and how can I stop it?

These emails are sent to Administrators with the Manage MFA permission only when the employee or technician has SMS MFA enabled. Because the mobile number is used for authentication, ServiceTitan alerts qualified Administrators whenever it changes.

How can I reduce or stop email notifications?

  1. Confirm whether you need the Manage MFA permission:

    1. If you create or manage new employees or technicians, this permission is still required.

    2. Other Administrators who don't manage MFA should have this permission removed.

  2. Ensure best practices for MFA setup: Administrators should verify an employee's or technician's mobile number before enabling SMS MFA to avoid authentication issues.

  3. Use this workaround to prevent a notification when updating a number:

    1. Disable SMS MFA for the employee or technician.

    2. Update the mobile number.

    3. Save the changes.

    4. Re-enable SMS MFA.

This sequence prevents the mobile-number-change email from being triggered.

If you still find the notifications disruptive, consider limiting the Manage MFA permission to only the Administrators who actively manage authentication settings.

Why can't employees or technicians log in after MFA is enabled?

  • Browser cache issues: Have the employee or technician clear their browser cache and cookies, or try using an incognito window.

  • Outdated mobile app: Employees or technicians must have the latest version of the ServiceTitan Field Mobile App. The old app does not support MFA.

  • Incorrect credentials: Employees or technicians must enter their username, not their email address, when logging in.

  • Account lock: After 10 unsuccessful login attempts, the account will automatically be locked for security reasons.

  • Account cooldown: If employees or technicians receive a login error, have them wait for the cooldown period to expire before trying again.

If an employee or technician receives codes but still gets a Login Failed error, have them uninstall and reinstall the mobile app, clear saved passwords, and disable any remember me features.

Why doesn't password reset work when MFA is enabled?

If an employee or technician cannot receive MFA codes, you must temporarily disable MFA for them, complete the password reset, and then re-enable MFA after they have logged in successfully. Setting a temporary password while MFA is active may cause login issues.

What should I do if MFA codes are not being sent or are delayed?

  • Phone number provisioning: New numbers can take some time to become active in our system.

  • SMS service delays: There may be temporary service issues or outages.

  • Incorrect phone number format: Verify the number is correctly formatted in the employee or technician profile.

To troubleshoot, check the MFA error logs by going to Settings > Security > MFA > More > View MFA error logs. If delays continue for more than 24 hours, contact ServiceTitan technical support.

What do specific MFA error messages mean?

  • MFA Mobile Number is incorrect. Contact your administrator: The phone number in the employee or technician profile doesn't match the number receiving the codes, or the number is incorrectly formatted.

  • Your account is in a cooldown period: Too many failed verification attempts occurred; you must wait one hour before trying again.

  • Value is required when MFA is enabled: Indicates a missing Allow Manage MFA permission.

  • Activity Id: 00-[string]: This is a system authentication error. Try reinstalling the app or clearing your browser cache.

For more, see Resolve and manage MFA errors.

Are there browser or device requirements for MFA?

MFA works best with the latest version of Google Chrome. If you experience issues, clear your browser's cache and cookies, or try using an incognito window. On mobile devices, ensure the ServiceTitan Field Mobile App is updated to the latest version.

What happens if I replace my device? Will I be locked out of my account?

You will not be locked out. We have safeguards in place for device loss or replacement, depending on the authentication method you use:

  • For SMS: Since the code is linked to your phone number, you will immediately start receiving SMS codes on your new phone.

  • For Authenticator App (TOTP): If you use an authenticator app, such as Google or Microsoft Authenticator, that supports cloud backup, you can restore your tokens to your new device simply by logging into that app.

  • Recovery and Admin Control: If you can't restore your authenticator app, or if you change your phone number, your administrator has the ability to easily disable or reset your MFA setup from the employee or technician profile. This allows you to regain access and re-enroll your new device.

Common Issues and Quick Solutions

Can't create a new employee account?

You need the Allow Manage MFA permission.

Phone number is already in use?

This can happen if a number is assigned to an active or inactive account. Contact ServiceTitan technical support to have the number cleared from the system.

Employees or technicians can't log in after MFA is enabled?

Check if you followed the bulk enablement process correctly. Clear the browser cache, ensure the mobile app is up to date, and have employees or technicians enter their username instead of their email.

Codes are not being received or are delayed?

Verify the phone number format, check the MFA error logs, and remember that new numbers can take some time to become active.