Enable company-wide Two Factor Authentication (2FA)

Strengthen the security of your company's portal access

Written by Collier Kirkland

Enabling company-wide 2FA makes it mandatory for your admins, stakeholders, or both, but it does not set up 2FA for anyone automatically. Each person must activate it on their own account individually.

When you enable the requirement:

  • Users who already have 2FA set up are unaffected; they're already compliant

  • Users who don't have 2FA set up will be prompted to do so on their next login

  • Existing users have 5 days to activate before their access is temporarily revoked (their saved data is retained throughout)

  • New users joining after the requirement is enabled must set up 2FA during their account creation

The toggle is the requirement, not the setup. Turning it on does not enroll anyone in 2FA. It tells Pulley to block access for anyone who hasn't enrolled. Users complete their own enrollment via User Profile → Two-Factor Authentication. See Enable Two-Factor Authentication (2FA) as an Individual User for the individual setup steps you can share with your team.


Enable company-wide 2FA

  1. Click Company in the left navigation bar.

  2. Scroll down to the Two Factor Authentication section.

  3. Toggle on one or both options depending on your organization's security requirements:

    • Make 2FA mandatory for company admins: If enabled, admins must set up 2FA before joining the company account. Existing admins have 5 days to activate or their access is revoked, though their saved information is retained.

    • Make 2FA mandatory for stakeholders: If enabled, stakeholders must set up 2FA before joining your company account. Existing stakeholders have 5 days to activate or their access is revoked, though their saved information is retained.


What your users will see

After you enable the requirement, here's what happens on the user side:

  • On their next login, users without 2FA will see a prompt to set it up before they can proceed

  • They have 5 days from when the requirement was first enabled to complete enrollment

  • After 5 days, users who haven't enrolled will have their access temporarily revoked; they'll see an access error when they try to log in

  • Their data and equity records are fully retained; access is restored as soon as they complete enrollment

  • Users can enroll at any time during the 5-day window via User Profile → Two-Factor Authentication

If you're enabling this for the first time, consider sending a heads-up to your admins and stakeholders before turning on the toggle so they're not caught off guard by the prompt.


What happens after a 2FA reset under a company-wide requirement

If an admin's 2FA is reset (for example, because they lost access to their authenticator app and contacted support), their access is affected differently than during the initial rollout.

Important: The 5-day grace period is not restarted by a reset. It applies only from when the company-wide requirement was first enabled, not from when a reset occurs.

After a 2FA reset under a company-wide requirement:

  • Their account access is temporarily blocked until they re-enroll in 2FA

  • They must enable 2FA on their account before they can regain access

  • Once re-invited, they must complete 2FA enrollment immediately, and there is no grace period

  • If the affected person is your only admin, contact support before proceeding. You will need support's help to restore access without locking yourself out permanently

Best practice: Ensure your company always has at least two full admins configured. This prevents a single-admin lockout if one admin loses 2FA access.


Remove company-wide 2FA

  1. Click Company in the left navigation bar.

  2. Scroll down to the Two Factor Authentication section.

  3. Move the toggle to the off position (no longer lit up) for the requirement you want to disable.

Note on stakeholder behavior: Turning off the stakeholder 2FA toggle does not automatically remove 2FA from stakeholders who have already set it up. It only affects new stakeholders going forward. Existing stakeholders who enrolled in 2FA will keep it active on their accounts until they remove it manually via their own User Profile settings.


Can specific users be exempted?

Exemptions are not currently supported. When company-wide 2FA is enabled, the requirement applies to all users in that category (admins or stakeholders) without exception. If this is a blocker for your organization, contact support to discuss your options.


Troubleshooting

An admin's account access was temporarily blocked after their 2FA was reset

This is expected behavior. See the "What happens after a 2FA reset under a company-wide requirement" section above.

A user says they activated 2FA but still can't access the account

Confirm they completed both steps: setting up 2FA in their authenticator app and entering the verification code in Pulley to confirm enrollment. Scanning the QR code alone does not complete enrollment; the 6-digit code must be entered and accepted. If they've completed both steps and are still blocked, contact support.

I turned off the stakeholder 2FA requirement but stakeholders still have it active

This is expected. Disabling the toggle removes the requirement for new stakeholders going forward but does not remove 2FA from existing accounts. Stakeholders who want to remove 2FA can do so themselves via User Profile → Two-Factor Authentication → Remove.

I enabled the requirement but users aren't seeing a prompt

Users will see the prompt on their next login, not immediately. If a user has an active session, they won't be prompted until they log out and back in, or until their session expires.

I'm the only admin and I've been locked out after a 2FA reset

Contact support at support@pulley.com immediately. Do not attempt to work around this. Support has a process for restoring access in single-admin lockout scenarios.
