Enforced two-step authentication for all users

From Users > Security in the Shopify organization admin, you can require all users in your organization to use two-step authentication to log in to your stores.

Considerations for enforcing two-step authentication

Enforcing two-step authentication for all users in your organization requires User management access.

Two-step authentication can't be enforced for certain users. You can still set two-step authentication to be required for all users, but it won't be enforced for the following user types:

  • legacy staff
  • POS app-only
  • collaborator
  • users that are required to use SAML authentication
  • users logging in to Shopify POS
  • users logging in to versions of the mobile Shopify app older than version 8.72.0

After you enforce two-step authentication for all users in the Shopify organization admin, two-step authentication can't be managed for individual users. Changing your two-step enforcement setting back to individual user management afterwards doesn't revert users' login requirements, but it does allow users to be managed individually if you want to remove the two-step authentication requirement.

For example, suppose that a user in your organization, Phillipa, is not required to use two-step authentication. You then enable enforced two-step authentication for your organization. All your users, including Phillipa, are now required to use two-step authentication to log in. Later, you change your enforcement setting back to managing specific users. Phillipa's user accounts are still set to require two-step authentication for all stores in your organization. If you want to remove the two-step authentication requirement, you can do so through her user page.

Because two-step authentication can be required through an identity provider, users that are required to use SAML authentication aren't affected by this setting. If the SAML requirement is removed from these users and you require two-step authentication in your organization, then they will be required to use two-step authentication after the change is made.

For example, suppose that you enable enforced two-step authentication for your organization. You have a user, Emmy, who is required to use SAML authentication to log in. Later, you remove Emmy's SAML requirement. She will automatically be required to use two-step authentication to log in from that point on.

Enforce two-step authentication

Steps:

  1. From the Shopify organization admin, go to Users > Security.
  2. In the Two-step authentication section, click Edit.
  3. Select Required for all users.
  4. Click Save.

Enforcing two-step authentication takes some time, depending on how many users are in your organization. A banner displays on the Security page indicating that your changes are in progress, and you'll receive an email when the process is complete. The email also notes any errors that occurred during enforcement and lists all users for whom enforcement didn't fully complete.

Manage errors

When you enable two-step authentication enforcement, every user account in all your stores is set to require two-step authentication. As a result, it's possible for the process to complete for some users but not for others, and for some users to have different login requirements in different stores.

For example, suppose that in your organization you have three stores. You enable enforced two-step authentication, and after the process is complete, you receive an email stating that your two-step authentication changes didn't complete for one of your users, Daveed. In this state, every user in your organization except Daveed needs to use two-step authentication to log in. This means that while Daveed might need to use two-step authentication for some of your stores, there are other stores where he can log in without two-step authentication.

If you receive an error after enabling two-step authentication enforcement, then try enabling enforcement again.

Steps:

  1. From the Shopify organization admin, go to Users > Security.
  2. In the Two-step authentication section, click Try again.

If enforcing two-step authentication for one of your users fails repeatedly, then contact Shopify Plus Support.
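One way to triage the partial-enforcement state described above, as an added example that is not Shopify's code: it labels each user/store pair in a roster and lists the users for whom enforcement should be retried. The roster format, field names and sample rows are constructed assumptions (this page doesn't show an export format), and the login-client exceptions (Shopify POS, older mobile app versions) are not modeled.

```python
from collections import defaultdict

# User types the page lists as not covered by organization-wide enforcement.
EXEMPT_TYPES = {"legacy staff", "POS app-only", "collaborator"}

# Constructed sample roster (hypothetical format, not a Shopify export):
# (user, store, user_type, saml_required, two_step_required)
ROSTER = [
    ("phillipa", "store-a", "staff", False, True),
    ("phillipa", "store-b", "staff", False, True),
    ("daveed", "store-a", "staff", False, True),
    ("daveed", "store-b", "staff", False, True),
    ("daveed", "store-c", "staff", False, False),   # enforcement did not complete here
    ("emmy", "store-a", "staff", True, False),      # SAML required
    ("agency", "store-b", "collaborator", False, False),
]


def classify(user_type, saml_required, two_step_required):
    """Label one user/store pair by why two-step is or is not required."""
    if two_step_required:
        return "enforced"
    if saml_required:
        return "saml"        # setting doesn't apply; two-step can be required at the IdP
    if user_type in EXEMPT_TYPES:
        return "exempt"      # enforcement never applies to this user type
    return "failed"          # should be enforced but is not: retry enforcement


def audit(roster):
    """Return {user: {store: label}} for every user in the roster."""
    report = defaultdict(dict)
    for user, store, user_type, saml, required in roster:
        report[user][store] = classify(user_type, saml, required)
    return dict(report)


def needs_retry(roster):
    """Users with at least one store where enforcement did not complete."""
    return sorted(u for u, stores in audit(roster).items()
                  if "failed" in stores.values())


if __name__ == "__main__":
    for user, stores in audit(ROSTER).items():
        print(user, stores)
    print("retry enforcement for:", needs_retry(ROSTER))
```

Users labeled `saml` or `exempt` are not enforcement failures, so retrying won't change them; review their second-factor coverage separately.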

Disable two-step authentication enforcement

  1. From the Shopify organization admin, go to Users > Security.
  2. In the Two-step authentication section, click Edit.
  3. Select Specific users.
  4. Click Save.
