Require every team member to use 2FA before they can access your UniLink Business or Agency account.
- Team 2FA enforcement is available on Business and Agency plans and is managed under Dashboard → Settings → Security.
- You set an enforcement date; members who haven't enabled 2FA by that date are automatically locked out.
- UniLink supports both authenticator apps (Google Authenticator, Authy) and SMS as second factors.
Running a team on UniLink means multiple people have access to your account, your client pages, and your revenue data. A single compromised password can expose everything. Enforcing two-factor authentication for every seat removes that single point of failure and keeps your account compliant with security policies your clients or partners may require.
What Team 2FA Does
Team 2FA enforcement is an account-level policy, not a per-user suggestion. Once you enable it, every team member is required to have a verified second factor on their UniLink account before they can log in and access your workspace. Members who ignore the setup prompt after you set an enforcement deadline lose access automatically — no manual intervention needed from you.
The policy covers all entry points. Whether a team member signs in through the main login page, a magic link, or a session refresh, the 2FA check runs every time. This prevents scenarios where a member bypasses the policy by using an older login method or a shared device that skips the password screen entirely.
UniLink supports two types of second factor: authenticator apps (TOTP-based apps like Google Authenticator, Authy, or 1Password) and SMS verification. Authenticator apps are more secure and work without a phone signal, so the platform recommends them. SMS is available as a fallback for members who are less comfortable with apps. Administrators cannot currently restrict which method members choose, but both satisfy the enforcement requirement.
How to Get Started
- Open Dashboard Settings. Log in to your UniLink account at app.unilink.us, click your account avatar in the top-right corner, and select Settings from the dropdown menu.
- Navigate to the Security tab. Inside Settings, find the Security tab in the left sidebar. This section contains password policies, active sessions, and team authentication settings.
- Locate Team 2FA. Scroll down to the Team Authentication panel. You will see the current status (Off by default), a toggle to enable enforcement, and a date picker for the enforcement deadline.
- Enable enforcement and set a deadline. Toggle on Require 2FA for all team members. Set an enforcement date at least 5–7 days in the future to give your team time to set up their second factor without disruption.
- Notify your team. Click Save. UniLink sends an automatic email to every team member explaining the requirement and linking to the 2FA setup guide. You can also copy the setup link from the same panel and share it in Slack or email.
How to Use Team 2FA
- Monitor setup progress. Return to Dashboard → Settings → Security to see a real-time list of team members and their 2FA status (Enabled / Pending). Follow up with anyone still showing Pending before the enforcement date.
- Handle a locked-out member. If a member is locked out after the enforcement date, go to Settings → Team → select the member → click Send 2FA Setup Reminder. This re-sends the setup email with a fresh link. You cannot bypass 2FA for them, but you can reset their second factor so they can enroll a new device.
- Reset a lost authenticator. If a member loses their phone or authenticator app, go to Settings → Team → select the member → Reset 2FA. This removes their current factor and sends a setup email. They will need to re-enroll before logging in again.
- Add a new team member after enforcement is live. New members invited after the policy is active are required to set up 2FA during their first login — the onboarding flow includes the 2FA enrollment step automatically. No extra action needed from you.
- Temporarily pause enforcement. If you need to suspend the policy (e.g., during a large team restructure), toggle off Require 2FA in the Security panel and save. Existing members retain their 2FA setup; it just stops being required. Re-enable when ready.
Key Settings
| Setting | What It Does | Recommended |
|---|---|---|
| Require 2FA for All Members | Turns the account-wide enforcement policy on or off | On |
| Enforcement Date | The deadline after which non-compliant members are locked out | 5–7 days from enable date |
| Allowed Methods | Authenticator app and/or SMS | Both (let members choose) |
| Send Setup Reminder | Manually re-sends the 2FA setup email to a specific member | Use for Pending members 2 days before deadline |
| Reset 2FA for Member | Clears a member's current second factor so they can re-enroll | Use only when member reports lost device |
Get the Most Out of Team 2FA
The enforcement date is your most powerful lever. Too short a window (24–48 hours) and team members panic or miss the email and get locked out unexpectedly. Too long (30+ days) and people procrastinate and forget. A 5–7 day window with two reminder emails — one at enable time, one 48 hours before the deadline — consistently achieves near-100% setup rates without lockouts.
Combine 2FA enforcement with role-based access control for a layered security posture. 2FA verifies identity; roles limit what that identity can do. A team member with an Editor role who loses their phone can't do much damage even before you reset their factor — they can't access billing, can't delete pages, and can't invite new members. Review your team's roles at the same time you enable 2FA enforcement.
For agencies managing multiple client sub-accounts, 2FA at the agency level cascades to sub-account access. A team member who has 2FA on the agency account and is assigned to a client sub-account is already covered — they don't need a separate 2FA setup for each sub-account. This makes the policy easy to manage even when your team works across dozens of client workspaces.
Keep an eye on the Security tab after enforcement goes live. UniLink logs all 2FA-related events — setups, resets, and failed attempts — in the activity log. A spike in failed 2FA attempts on a single account is a sign of a credential stuffing attack in progress. You can immediately suspend that team member's account from the same panel while you investigate.
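One way to turn that activity-log check into a repeatable detection, as an added example that is not UniLink code: a sliding-window count of failed 2FA attempts per member. The log format, the field and event names, and the threshold of 5 failures in 10 minutes are assumptions, since the page does not describe how the activity log is exported.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Field and event names are hypothetical: the page
# does not describe the format of UniLink's activity log.
SAMPLE_LOG = """
{"ts": "2024-05-02T09:00:05Z", "member": "ana@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T09:00:31Z", "member": "ana@example.com", "event": "2fa_ok"}
{"ts": "2024-05-02T09:14:02Z", "member": "bo@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T09:14:40Z", "member": "bo@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T09:15:11Z", "member": "bo@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T09:15:59Z", "member": "bo@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T09:16:30Z", "member": "bo@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T11:00:00Z", "member": "cy@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T13:00:00Z", "member": "cy@example.com", "event": "2fa_failed"}
{"ts": "2024-05-02T15:00:00Z", "member": "cy@example.com", "event": "2fa_reset"}
"""

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failed_2fa_spikes(log_text, threshold=5, window=timedelta(minutes=10)):
    """Map each member to the time their failed-2FA count first reached
    `threshold` within a sliding `window`; members below it are omitted."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: parse_ts(e["ts"]))
    recent = defaultdict(deque)   # member -> timestamps of recent failures
    flagged = {}
    for event in events:
        if event["event"] != "2fa_failed":
            continue
        ts = parse_ts(event["ts"])
        failures = recent[event["member"]]
        failures.append(ts)
        while ts - failures[0] > window:   # drop failures older than the window
            failures.popleft()
        if len(failures) >= threshold:
            flagged.setdefault(event["member"], ts)
    return flagged

if __name__ == "__main__":
    for member, when in failed_2fa_spikes(SAMPLE_LOG).items():
        print(f"{member}: repeated failed 2FA attempts, threshold reached at {when:%H:%M:%S} UTC")
```

A single mistyped code followed by a success, or failures spread hours apart, stays below the threshold; only the burst on one account is flagged.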
Troubleshooting
| Problem | Cause | Fix |
|---|---|---|
| Member never received the setup email | Email landed in spam or was sent to an old address | Go to Settings → Team → member → Send 2FA Setup Reminder; ask member to check spam |
| Authenticator code is rejected at login | Device clock is out of sync; TOTP codes are time-sensitive | Ask member to sync their device clock (Settings → Date & Time → Sync Now) then retry |
| Member is locked out before the enforcement date | Member manually triggered 2FA on their own account but lost the device | Go to Settings → Team → member → Reset 2FA to clear the factor and re-send setup |
| 2FA option missing in Security settings | Account is on Starter or Pro plan, not Business or Agency | Upgrade to Business or Agency plan at app.unilink.us/billing |

Pros
- Eliminates account takeover risk from stolen or reused passwords
- Enforcement deadline and progress tracking make rollout low-effort for admins
- Supports both authenticator apps and SMS to accommodate all team members
- Cascades to all sub-accounts — one policy covers the entire agency workspace
Cons
- Available only on Business and Agency plans — not on Starter or Pro
- Admins cannot force a specific 2FA method (app vs SMS) per member
- Members who lose their device need admin intervention to regain access
Frequently Asked Questions
Can I enforce 2FA for some team members but not others?
No — the enforcement policy is account-wide and applies to all team members equally. You cannot create role-specific or individual exemptions. If a specific member genuinely cannot use 2FA, you will need to remove them from the team and manage their access through other means.
What happens to a member who hasn't set up 2FA when the enforcement date arrives?
Their account is locked automatically at midnight (UTC) on the enforcement date. They can still request a password reset, but the login flow will block them after the password step until they set up a second factor. Sending them the setup link from the Team panel unblocks them immediately.
Does 2FA affect API access or integrations?
No. API keys and OAuth tokens are not subject to the 2FA enforcement policy. 2FA only applies to interactive logins through the UniLink dashboard. Integrations that use API keys continue to work normally after enforcement is enabled.
Can a team member use backup codes instead of their authenticator?
Yes. When a member sets up an authenticator app, UniLink generates a set of one-time backup codes. They can use any backup code in place of the TOTP code if they lose their device. Backup codes are single-use and can be regenerated in their personal Security settings.
Is Team 2FA the same as the 2FA on my personal UniLink account?
They are separate settings. Personal 2FA protects your own login. Team 2FA enforcement is an admin policy that requires all other members of your workspace to have 2FA enabled. You can have personal 2FA on any plan, but the team enforcement policy requires Business or Agency.
- Team 2FA enforcement is a Business/Agency feature found at Dashboard → Settings → Security.
- Always set an enforcement date 5–7 days out and send a direct setup link to your team.
- Monitor the Security panel to track who has completed setup before the deadline.
- Locked-out members can be unblocked by resetting their 2FA from the Team management panel.
- Pair 2FA with role-based access control for a complete team security posture.
Protect your UniLink workspace from unauthorized access. Enable Team 2FA today — go to app.unilink.us → Settings → Security and turn on enforcement for your entire team in under two minutes.
