Enhance security for your mentoring program with Multi-Factor Authentication
Note: MFA is only available for password authenticated users.
What is Multi-Factor Authentication?
Multi-Factor Authentication (MFA) adds an extra security layer to accounts in your program by requiring a time-based code from an authenticator app in addition to a password. This significantly reduces the risk of unauthorized account access, even if passwords are compromised.
Note about SSO users
Participants using Single Sign-On (SSO) through your organization's identity provider (such as Okta, Microsoft Entra ID, etc.) manage their MFA settings through that system, not through Mentorloop. MFA enforcement for SSO users should be configured in your identity provider.
How MFA works for participants
By default, MFA is optional for participants. They can:
- Enable MFA themselves through their Account settings → Add MFA
- Use any TOTP-compatible authenticator app such as Google Authenticator, Microsoft Authenticator, or Twilio Authy
- Remove MFA at any time (unless program-level enforcement is enabled)
When participants enable MFA, they'll scan a QR code with their authenticator app during setup. After that, they'll enter a 6-digit time-based code each time they log in.
Enforcing MFA for your program
Program-level enforcement
Program-level MFA enforcement is available for all customers and must be configured by the Mentorloop Customer Success team.
If you need to require MFA for all participants in your program due to security or compliance requirements, contact your Customer Success Manager or the Mentorloop support team to request program-level enforcement.
What happens when MFA is enforced?
Once program-level MFA enforcement is enabled:
- All participants will be required to set up MFA before they can access the program
- New participants will be prompted to configure MFA during their first login
- Existing participants will be prompted to configure MFA the next time they log in
- The Remove MFA button will be disabled; participants cannot disable MFA while enrolled in the program
- Participants can still manage their MFA settings (such as re-scanning the QR code if they get a new phone)
Current enforcement scope
Currently, MFA enforcement applies to all users (participants, Program Coordinators, and Org admins) in the program who use password authentication. Role-specific enforcement (such as Program Coordinators or Org admins only) is not available.
Supporting your participants
Communication and change management
When implementing MFA for your program, we recommend:
- Provide advance notice - Give participants at least 1-2 weeks' notice before enforcement begins.
- Explain the benefits - Help participants understand why MFA protects them and the program.
- Share setup instructions - Link to the participant MFA Help Hub article.
- Offer support - Be prepared to help participants who have questions or technical issues.
- Plan for phone migrations - Remind participants to migrate their authenticator codes when getting new devices.
Common participant questions
Which authenticator app should I use?
Any TOTP-compatible app works. Popular options include Google Authenticator, Microsoft Authenticator, and Twilio Authy. All are free and work similarly.
Can I use SMS for MFA codes?
No. Mentorloop supports authenticator app-based MFA (TOTP) only. Authenticator apps are more secure than SMS and work without cellular connectivity.
What happens if I get a new phone?
Participants should migrate their authenticator codes using their app's built-in transfer feature before switching devices. If they've already switched and lost access, contact Mentorloop support to reset their MFA.
I lost access to my authenticator app. What do I do?
Contact Mentorloop support to reset the participant's MFA. They'll be able to set it up again with a new QR code.
Resetting participant MFA
If a participant loses access to their authenticator app and cannot log in, you can request an MFA reset by contacting Mentorloop support. You'll need to provide:
- The participant's email address
- Your program name
- Confirmation that you've verified the participant's identity
Support will reset the MFA for that participant, allowing them to set it up again during their next login.
MFA and Compliance
Many organizations require MFA to meet security or compliance requirements such as:
- Information governance policies
- Data protection regulations
- Industry compliance standards (SOC 2, ISO 27001, etc.)
- Institutional security requirements
If your organization has specific MFA requirements or needs documentation for compliance purposes, contact your Customer Success Manager.
Best practices for Program Coordinators
Recommendations
- Enable MFA yourself first - Experience the setup process before rolling it out.
- Create a rollout plan - Plan your communication strategy and support resources.
- Update your onboarding materials - Include MFA setup in participant welcome materials if enforcement is enabled.
- Be available for support - Expect questions during the first week after rollout.
- Document your process - Keep notes on common issues and solutions for future reference.
Technical details
Authentication Technology
Mentorloop MFA uses TOTP (Time-based One-Time Password), an open standard (RFC 6238) in which the authenticator app and the server each derive the same short-lived code from a shared secret and the current time. This means:
- Codes expire every 30 seconds
- No internet connection is required on the participant's phone (the code depends only on the shared secret and the phone's clock)
- Compatible with all major authenticator apps
- Industry-standard security approach used by major platforms
Security features
- Secure setup: MFA can only be enabled with both the account password and a valid code from the authenticator app.
- Secure removal: Removing MFA requires both the account password and a current MFA code.
- Program enforcement: When enabled, prevents participants from accessing program data without MFA and from disabling MFA.
- Support reset capability: Mentorloop support can reset a user's MFA.
Need help?
For questions about MFA enforcement or participant support, contact your Customer Success Manager or Mentorloop Support.