Multi-Factor Authentication (MFA) Enforcement for Administrators


ServiceTitan enforces Multi-Factor Authentication (MFA) for all administrators between January 12–23, 2026. This update strengthens account security, prevents unauthorized access, and ensures all administrators follow best-practice standards. Administrators can complete MFA setup in minutes and continue using ServiceTitan with minimal disruption.

Setup

Overview

Who's impacted:

  • ServiceTitan employees with ServiceTitan permissions

  • Enterprise Hub users

What happens:

  • Employees with sensitive permissions who don't have MFA configured by their enforcement date are logged out and prompted to set up MFA.

  • Employees aren't locked out permanently. They must complete MFA setup to log back in and continue work.

Who's not impacted:

  • Employees who don't have sensitive permissions.

  • Employees who authenticate with SSO and have MFA enforced at their Identity Provider (IdP).

Recommendation: Begin preparations in early December. Don't wait until April 2nd.

Required permissions

  • Account configuration is required to use this feature. Please contact Technical Support for details.

Key workflows

Select the right MFA factor for your organization

ServiceTitan enables SMS authentication when you provide a phone number; otherwise, it selects TOTP.

TOTP Authenticator App

  • Pros:

    • Fast login experience

    • No phone number required

    • Works offline and internationally

    • Stronger security than SMS

    • Desktop authenticator options are available

  • Cons:

    • Requires installing an authenticator app, such as Google or Microsoft Authenticator, Okta Verify, or Duo

SMS MFA

  • Pros:

    • No app is required

    • Familiar and fast setup

  • Cons:

    • Requires a verified mobile number

    • Shared devices not supported

    • If a phone number changes after MFA is set up, administrators with the Manage MFA permission receive a security notification.

    • Higher lockout risk if numbers are outdated

    • Delivery varies internationally

    • Requires a password reset for initial setup

Tip: Start with TOTP only for all administrators. Add SMS later, after mobile numbers are verified.

Prepare your organization for enforcement

Before enabling MFA for any administrators, we recommend your organization complete the following cleanup work. This ensures a smooth rollout.

Role and access validation

  • Review all employees with roles containing sensitive permissions.

  • Remove administrator access from inactive or irrelevant accounts.

  • Ask your CSM for a list of impacted employees. Impacted employees also receive an email notification.

  • A new Privileged column on the Security screen lets you identify which users will be affected before enforcement is applied.

Permissions cleanup

  • Limit the Manage MFA permission to a small group of trusted administrators.

  • These administrators receive security notifications, for example when a mobile number changes after SMS MFA is enforced.

  • Set granular MFA permissions in ServiceTitan to control who has access and who receives notifications. Getting this right is critical.

Contact and device preparation

If you plan to support SMS MFA (optional):

  • Clean up your administrator employees' profiles by adding and verifying mobile numbers.

  • Inform administrators that SMS requires a valid mobile number and that changes trigger security alerts to administrators with the Manage MFA permission.

If you plan to support TOTP Authenticator App:

  • Decide which authenticator apps to recommend.

  • Ask administrators to install the app in advance on mobile or desktop.

Internal readiness

Establish an internal MFA support team

  • Identify one to three administrators to answer questions, reset or unlock accounts, and monitor alerts.

  • Restrict the Manage MFA permission to this small group.

  • These administrators receive security notifications, such as when a mobile number changes after SMS MFA setup.

  • If you plan to use SMS for some administrators, advise these administrators to set up an email filter to automatically organize or flag mobile-number-change notifications.

Prepare support availability for wave rollouts

  • Plan for the highest support activity in the hours immediately after each enforcement wave starts.

  • Ensure at least one MFA support administrator is available during each wave.

  • Notify your CSM of your enforcement schedule so they can coordinate support if needed.

Communicate expectations clearly

  • Notify administrators at least 72 hours before their enforcement wave.

  • Tell them enabling MFA will log them out immediately.

  • Provide links to recommended authenticator apps.

  • Clarify when enforcement will occur and who to contact with MFA questions to reduce help desk tickets.

  • Use our MFA Communication templates to notify your users of the upcoming enforcement (optional).

Prepare for edge cases

  • Dual-role Administrators, such as Administrator + Technician or Administrator + Employee, may need extra guidance.

  • MFA is tied to the individual, not the device.

  • SSO employees with IdP MFA aren't impacted by enforcement.

  • Administrators with unmonitored inboxes may miss important MFA communications. Confirm that their email addresses are current and monitored.

Leadership, IT, and security alignment

  • Notify IT and Security teams of MFA wave timing.

  • Confirm who is responsible for supporting administrators during MFA setup.

  • Discuss whether administrator rollout will act as a pilot for later expansion to other roles (optional).

Prepare internal materials and quick guides

  • Links to recommended authenticator apps

  • Steps for TOTP setup

  • How to store and use recovery codes

  • How to reach your internal support

  • What to expect immediately after logout and after successful setup

Enforcement process

When your organization reaches its assigned MFA enforcement date in January, ServiceTitan begins requiring MFA for all administrators who do not already have it configured.

This section explains what Administrators and points of contact (PoCs) should expect during enforcement, what tools are available, and how to resolve issues quickly.

What happens during enforcement

  • When enforcement begins for your cohort, any administrator without MFA configured is logged out.

  • When enforcement begins, SMS becomes available.

  • When they sign back in, they go directly to the authenticator app (TOTP) setup flow.

  • This is not a lockout. The employee can immediately complete the setup and continue work.

Administrators with existing MFA

  • If an Administrator already set up TOTP or SMS, enforcement does not interrupt their session.

  • If both TOTP and SMS are configured, the employee can choose their preferred factor at login.

Who is included versus excluded

  • Included: Employees who have any role with Administrator in the role name or who have the built-in Administrator role, even if renamed.

  • Excluded: Employees and technicians who are not administrators are not part of this enforcement and will not be prompted.

SSO accounts with IdP MFA enabled are exempt

If your organization uses SSO on your ServiceTitan account and your identity provider (IdP) already enforces MFA, ServiceTitan's enforcement does not impact your employees.

MFA setup flow for Administrators

When an Administrator without MFA logs in during enforcement, they see the following flow:

  1. They are logged out when enforcement starts.

  2. They go to the login screen and enter their credentials.

  3. They are immediately redirected to the authenticator app (TOTP) setup screen.

  4. A QR code appears to scan, along with a setup key they can enter manually into the authenticator app of their choice.

  5. They enter the 6-digit code from the app.

  6. They receive recovery codes and must save them in a secure place.

  7. After completing the setup, they continue into ServiceTitan.

Typical TOTP setup time is about five minutes.
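The mechanics behind steps 4 to 6, as an added illustration that is not ServiceTitan's code: the otpauth URI a setup QR code carries, the RFC 6238 code an authenticator app computes from the shared secret and its clock (which is why TOTP works offline), verification with a small clock-drift window, and hashed one-time recovery codes. The issuer and account names are constructed, and the 30-second step, 6 digits and one-step window are assumed defaults.

```python
# Added illustrative example (not ServiceTitan's code): a minimal RFC 6238 TOTP
# enrollment and verification flow matching setup steps 4-6. Values are assumed.
import base64, hashlib, hmac, secrets, struct, time
from typing import List, Optional, Set, Tuple
from urllib.parse import quote

STEP = 30     # time step in seconds; authenticator apps default to 30
DIGITS = 6    # the "6-digit code" the administrator types in at step 5
WINDOW = 1    # accept one step either side of "now" to absorb clock drift

def new_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """The otpauth:// URI that the enrollment QR code at step 4 encodes."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret: str, for_time: Optional[float] = None) -> str:
    """HMAC-SHA1 over the time counter: only the secret and a clock are needed."""
    counter = int((time.time() if for_time is None else for_time) // STEP)
    key = base64.b32decode(secret, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify_totp(secret: str, code: str, for_time: Optional[float] = None) -> bool:
    """Step 5 check: constant-time compare against current and adjacent steps."""
    now = time.time() if for_time is None else for_time
    return any(hmac.compare_digest(totp(secret, now + k * STEP), code)
               for k in range(-WINDOW, WINDOW + 1))

def issue_recovery_codes(n: int = 8) -> Tuple[List[str], Set[str]]:
    """Step 6: one-time codes. Show the plaintext once; store only hashes."""
    plain = [secrets.token_hex(5) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
    return plain, stored

def redeem_recovery_code(stored: Set[str], code: str) -> bool:
    """A recovery code is consumed on use so it cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False
```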

This video shows the TOTP MFA setup experience.

Tools for Administrators with the Manage MFA permission

A small, trusted group of administrators should have the Manage MFA permission. They can:

  • Reset TOTP MFA

    • Clears the existing TOTP MFA configuration for an employee.

    • Forces the employee to log in again and set up TOTP from scratch.

    • Use when an employee loses access to their authenticator app or device.

  • Disable MFA: SMS, TOTP, or both

    • Removes MFA from the account (SMS only, TOTP only, or both).

    • Use sparingly for temporary exception scenarios.

    • Plan to re-enable MFA as soon as possible if required by your security policy.

  • Lock or unlock an account

    • Pauses an account during a breach investigation, suspected misuse, or long-term absence.

    • Unlock the account when it is safe for the employee to resume login.

  • View MFA status

    • Shows whether an administrator has MFA set up.

    • Helps you confirm which administrators are pending, completed, or unconfigured.

  • Troubleshoot MFA errors

    • Use the Audit Trail in ServiceTitan to investigate MFA-related issues, such as failed login attempts, repeated MFA failures, or recent account changes.

Note: If your organization uses SMS MFA, administrators with the Manage MFA permission receive email alerts when an employee's mobile number changes after MFA setup. These administrators should set up email filters to avoid missing these alerts.

What to expect during enforcement

Employees will reach out after being logged out. Even with advance communication, some administrators will forget when they are going to be logged out. Prepare your internal support team for questions like:

  • Why did I get logged out?

  • Which authenticator app should I use?

  • What if I don't want to use TOTP? Is there another option?

Some administrators will need help installing an authenticator app.

To help support administrators for MFA enforcement, follow these steps:

Step 1: Share resources

  • Provide a short list of recommended apps, such as Google Authenticator, Microsoft Authenticator, or Authy.

  • Share clear instructions for downloading the app for iOS and Android.

Step 2: Support MFA resets

  • Resetting MFA forces a new login and a new setup.

  • Ensure at least one administrator with the Manage MFA permission is available during early enforcement hours to process resets.

Step 3: Expect increased support activity

  • After each enforcement wave, your internal support team and your CSM should remain on standby.

  • Consider scheduling extra coverage around your assigned enforcement window.

Step 4: Address SSO confusion

  • Some administrators may not realize MFA is enforced at their IdP, not in ServiceTitan.

  • Have this reminder ready: If you authenticate through SSO and MFA is enforced at your IdP, you will not see the ServiceTitan MFA screen.

Escalating issues

Effective escalation can reduce downtime dramatically.

Internal escalation path

Use this internal ladder before involving ServiceTitan:

  • Employee > Internal MFA Support Administrator

  • Internal MFA Support Administrator > Reset or disable MFA as needed

  • Only escalate to ServiceTitan CSM/Support if the reset flow cannot resolve the issue.

When to escalate to your CSM

  • Multiple employees are unable to authenticate.

  • There is an SSO enforcement discrepancy. For example, employees with IdP MFA still see ServiceTitan MFA prompts.

  • You need to adjust feature-gate configuration.

Your CSM can coordinate involvement with the Identity team if needed.

When to contact ServiceTitan Support

  • Unexpected behavior, for example, an MFA loop or setup that does not complete.

  • High-volume failures.

  • Suspected account compromise.

  • Inability to reset MFA due to permission or access issues.

After Administrator enforcement

Administrator enforcement in the Winter 2025 Release (ST-76) is the first phase of a broader MFA program. Enforcement for employees and technicians is planned for a February–March 2026 timeframe.

What to expect next

After the Administrator rollout is complete:

  • ServiceTitan prepares for employee and technician MFA enforcement.

  • You receive updated communications, timelines, and enablement materials for the February–March phases.

  • Future waves follow similar principles: communicate early, enable in manageable cohorts, prepare internal support, and test ahead in the Practice and Next environments.

How Administrator enforcement prepares you

Completing the administrator rollout now makes broader enforcement significantly easier:

  • You have already cleaned up roles and permissions.

  • Your internal MFA support team is established.

  • Your administrators understand the MFA setup flow and reset capabilities.

  • Your organization has seen the login and logout behavior firsthand.

  • You understand which MFA factors (TOTP or SMS) work best for your employees.

Recommended post-administrator steps

After administrator enforcement is complete (late January), consider:

  • Reviewing your administrator rollout experience and adjusting your plan for employees and technicians.

  • Verifying phone numbers for SMS MFA if your organization plans to use SMS.

  • Preparing device guidance for technicians using personal or company-issued phones.

  • Confirming which employees rely on shared equipment and planning how they will handle MFA.

  • Coordinating with IT and Security on employee communications for upcoming waves.

Email templates

Please refer to this document for email templates.

FAQ and documentation

FAQ

Check out the most frequently asked questions for the MFA enforcement process.

  • Will administrators be locked out if they don’t set up MFA before enforcement?

    No. They’ll be logged out and guided to complete MFA. They can continue when setup is completed.

  • How long does an MFA setup take?

    TOTP setup takes about 5 minutes: download an authenticator app and set up your account. SMS requires receiving a code and entering it.

  • Do we need to enable both SMS and TOTP?

    No. TOTP is the only required factor for the Winter 2025 Release (ST-76). SMS can be enabled later. If you choose to enable both factors, employees can select the authentication factor of their choice.

  • What if an administrator loses their device?

    They can use recovery codes or ask another administrator with the Manage MFA permission to reset MFA for them.

  • What if our SSO already enforces MFA?

    If MFA is enforced by the IdP, those administrators are not impacted by enforcement.

  • What if a phone number changes after SMS is enabled?

    Administrators with the Manage MFA permission receive an alert as a security measure.

  • Can employees self-enable MFA?

    Administrators with the Manage MFA permission can enable MFA for an employee. The employee must set up their MFA upon enablement.

  • Can employees select between SMS and TOTP?

    Yes, but during enforcement, only TOTP is required. If both are enabled, employees can select either at login.

  • Can we test ahead of time?

    Yes, use the ServiceTitan Practice or Next environments to test MFA setup safely.

  • Can you turn off the MFA Phone Number Change email?

    This security protocol is essential to prevent account takeovers by ensuring administrators are alerted to any changes. To manage the volume of notifications, we advise limiting the Administrator permission for MFA control to a small number of people. We recommend that those administrators responsible for MFA use an email filter to effectively manage these notifications.

Documentation

Use these articles and videos to train your team and support your rollout.
