Enforcing two-step authentication for all users in your organization with Organization Settings
From Users > Security in Organization Settings, you can require all users in your organization to use two-step authentication to log in to your stores.
On this page
Considerations for enforcing two-step authentication
Enforcing two-step authentication for all users in your organization requires the Users organization-level permission.
Two-step authentication can't be enforced for certain users. You can still set two-step authentication to be required for all users, but it won't be enforced for the following user types:
- legacy staff
- POS app only
- collaborator
- users that are required to use Security Assertion Markup Language (SAML) authentication
- users logging in to Shopify POS
- users logging in to versions of the mobile Shopify app older than version 8.72.0
After you enforce two-step authentication for all users in Organization Settings, two-step authentication can't be managed for individual users. Changing your two-step enforcement setting to individual user management afterwards doesn't revert their login requirements, but does allow users to be managed individually if you want to remove the two-step authentication requirement.
For example, suppose that a user in your organization, Phillipa, isn't required to use two-step authentication. You then activate enforced two-step authentication for your organization. All your users, including Phillipa, are now required to use two-step authentication to log in. Later, you change your enforcement setting back to managing specific users. Phillipa's user accounts are still set to require two-step authentication for all stores in your organization. If you want to remove the two-step authentication requirement, then you can do so through Phillipa's user page.
Because two-step authentication can be required through an identity provider, users that are required to use SAML authentication aren't affected by this setting. If the SAML requirement is removed from these users and you require two-step authentication in your organization, then they will be required to use two-step authentication after the change is made.
For example, suppose that you activate enforced two-step authentication for your organization. You have a user, Emmy, who is required to use SAML authentication to log in. Later, you remove Emmy's SAML requirement. Emmy is automatically required to use two-step authentication to log in from that point on.
Enforce two-step authentication
Steps:
- From your Shopify admin, click Settings.
- In the Organization section, click Users > Security.
- In the Two-step authentication section, click Change setting.
- Select Required for all users.
- Click Save.
Enforcing two-step authentication takes some time, depending on how many users are in your organization. A banner displays on the Security page indicating that your changes are in progress, and you'll receive an email when the process is complete. The email will also note whether there were any errors during enforcement, and list all users that aren't fully enforced.
Manage errors
When you activate two-step authentication enforcement, every user account in all your stores is set to require two-step authentication. As a result, it's possible for the process to complete for some users but not for others, and for some users to have different login requirements in different stores.
For example, suppose that in your organization you have three stores. You activate enforced two-step authentication, and after the process is complete, you receive an email stating that your two-step authentication changes didn't complete for one of your users, Daveed. In this state, every user in your organization except Daveed needs to use two-step authentication to log in. This means that although Daveed might need to use two-step authentication for some of your stores, there are other stores where Daveed can log in without authenticating.
If you receive an error after activating two-step authentication enforcement, then try activating enforcement again.
Steps:
- From your Shopify admin, click Settings.
- In the Organization section, click Users > Security.
- In the Two-step authentication section, click Try again.
If enforcing two-step authentication for one of your users fails repeatedly, then contact Shopify Support.
Deactivate two-step authentication enforcement
- From your Shopify admin, click Settings.
- In the Organization section, click Users > Security.
- In the Two-step authentication section, click Change setting.
- Select Specific users.
- Click Save.