Security & MFA
Multi-factor authentication (MFA) adds a second layer of protection to every login. Even if a password is compromised, an attacker cannot access your account without the time-based code from your authenticator app.
MFA is available on all plans — Free, Pro, and Enterprise.
What is MFA?
MFA uses the TOTP (Time-based One-Time Password) standard. After entering your password, you provide a 6-digit code generated by an authenticator app on your phone. The code changes every 30 seconds.
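The sketch below is an added illustration, not FSM Navigator's code: it derives the 6-digit, 30-second code as RFC 6238 specifies (HMAC-SHA1) and shows one way a server can check it. The ±1-step clock-drift window, the replay check, and the sample secret (the RFC's published test key) are assumptions, not documented product behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # the code changes every 30 seconds
DIGITS = 6         # 6-digit code


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the RFC 6238 code for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)  # keep leading zeros


def verify(secret_b32, submitted, unix_time, last_used_step=-1, window=1):
    """Return the matched time step, or None if the code is rejected.

    Assumed policy: accept codes from `window` steps either side of the
    current one to absorb clock drift, and reject any step at or before
    last_used_step so an observed code cannot be replayed.
    """
    now_step = int(unix_time) // STEP_SECONDS
    matched = None
    for step in range(now_step - window, now_step + window + 1):
        expected = totp(secret_b32, step * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many digits matched.
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and step > last_used_step:
            matched = step
    return matched


# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))
    step = verify(SAMPLE_SECRET, "287082", 75)  # one step late, still accepted
    print(step, verify(SAMPLE_SECRET, "287082", 75, last_used_step=step))
```

A server that stores the returned step as `last_used_step` after each successful login closes the window in which a code seen over someone's shoulder could be reused.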
Compatible authenticator apps
Any TOTP-compatible app works with FSM Navigator, including:
| App | Platform |
|---|---|
| Google Authenticator | iOS, Android |
| Microsoft Authenticator | iOS, Android |
| Authy | iOS, Android, Desktop |
| 1Password | iOS, Android, Desktop |
Use an app that supports cloud backup
Apps like Authy and 1Password back up your codes, so you can recover them if you lose your phone.
Enabling MFA for your account
Any user can enable MFA for their own account, regardless of role.
- Click your name in the top-right corner.
- Select Security from the dropdown.
- Click Enable MFA.
- A QR code is displayed. Open your authenticator app and scan it.
- Enter the 6-digit code from the app to verify the setup.
- Click Save.
MFA is now active
From this point on, every login requires your password and a code from your authenticator app.
Disabling MFA
If you need to disable MFA (e.g., switching phones):
- Go to Profile → Security.
- Click Disable MFA.
- Confirm with your current 6-digit code.
Company enforcement override
If your company Owner has enforced MFA (see below), you cannot disable it. Contact your Owner to request an exemption.
Company-wide MFA enforcement
Owners can require every user in the company to set up MFA. This is the strongest way to protect your organization against unauthorized access.
Enabling enforcement
- Navigate to Settings → Security & MFA.
- Toggle Require MFA for all users to On.
- Set the enforcement date — the date from which the policy takes effect.
- Set the grace period — the number of days users have to set up MFA after the enforcement date.
- Click Save.
Owner role required
Only users with the Owner role can configure company-wide MFA enforcement. See Roles and permissions.
How the grace period works
The grace period gives your team time to set up their authenticator apps before enforcement kicks in.
| Setting | Description | Example |
|---|---|---|
| Enforcement date | When the policy begins | March 1, 2026 |
| Grace period | Days to comply after enforcement date | 7 days |
| Deadline | Enforcement date + grace period | March 8, 2026 |
During the grace period:
- Users see a banner reminder on every page encouraging them to set up MFA.
- Users can still log in normally while the grace period is active.
- Reminder emails are sent at 48 hours, 24 hours, and 12 hours before the deadline.
What happens when the grace period expires
Once the deadline passes, any user who has not set up MFA will be required to complete setup on their next login:
- The user enters their password and logs in.
- A mandatory MFA setup screen appears — it cannot be dismissed.
- The user must scan the QR code and verify a 6-digit code.
- Only after successful verification can they access the dashboard.
No bypass
Users cannot skip the forced MFA setup. This ensures 100% compliance across your organization.
Checking compliance status
Owners can monitor which team members have completed MFA setup:
- Go to Settings → Security & MFA.
- View the MFA Compliance section.
- Each user is shown with their status:
| Status | Meaning |
|---|---|
| | MFA is active and verified |
| Pending | User has not yet set up MFA (within grace period) |
| Overdue | Grace period expired — user will be forced to set up on next login |
| Exempted | User is exempt from the MFA requirement |
Exempting specific users
In some cases, you may need to exempt a user from the MFA requirement — for example, a shared kiosk account or a temporary contractor.
- Go to Settings → Security & MFA.
- Find the user in the compliance list.
- Click the Exempt toggle next to their name.
- Confirm the exemption.
Use exemptions sparingly
Every exempted account is a potential security gap. Review exemptions regularly and remove them when no longer needed.
To revoke an exemption, toggle the switch off. The user's grace period starts from that moment.
Frequently asked questions
What if I lose my phone?
Contact your company Owner to temporarily disable MFA on your account. If you used an authenticator app with cloud backup (like Authy), you can restore your codes on a new device.
Does MFA work with the mobile app?
Yes. When logging in through the FSM Navigator mobile app, you enter your password followed by the 6-digit code — the same flow as the web app.
Can Dispatchers or Technicians enable MFA without enforcement?
Absolutely. Any user can enable MFA for their own account at any time through Profile → Security, even if company-wide enforcement is not turned on.
Is there an extra cost for MFA?
No. MFA is included on all plans, including the Free tier.
Next steps
- Configure your company profile to complete your account setup.
- Invite your team and assign roles.
- Review plans and pricing to explore advanced security features.