# Enforce Two-Factor Authentication for All Extension Users

A username and password alone can be guessed, shared, or stolen. To close that gap across your whole organization, you can require two-factor authentication (2FA) for every extension. Two-factor authentication adds a second verification step on top of the password, so a login only succeeds when the person also proves they hold the extension's second factor. Once enforced, anyone signing in with an extension username and password must clear that second step before they gain access, which blocks logins that rely on stolen credentials.

## Before you begin

Confirm the following minimum versions are in place:

- Cloud Voice, version 84.14.0.24 or later.
- Cloud Voice App (desktop), version 1.4.9 or later.

:::note
The mandatory-2FA setting and the in-app setup prompt depend on these versions. Confirm both your Cloud Voice system and your users' apps are up to date before you enforce, so the setup prompt can appear for everyone who still needs it.
:::

## Enforce 2FA for all extensions

PBX (Private Branch Exchange) is the phone system that manages your extensions and calls. You configure this policy from its web portal.

:::tip
Tell your users before you turn this on, and ask them to enable 2FA in the Cloud Voice App ahead of time. Users who set it up in advance keep working without interruption, while users who are caught unaware may be signed out mid-session (see [What users experience](#what-users-experience)).
:::

1. Sign in to the PBX web portal and open **Security > Security Settings > Security Options**.
2. Under **Two-Factor Authentication**, tick **Make Two-Factor Authentication Mandatory for All Extensions**.

   
   ![Cloud Voice, the Two-Factor Authentication option enabled in the portal's security settings](/images/pbx/enforce-2fa.png)
3. Click **Save**.

:::caution
This is an organization-wide setting: it applies to every extension at once, with no per-user exception, and takes effect as soon as you save.
:::

## What users experience

What happens next depends on whether a user had already turned on 2FA in the Cloud Voice App:

- **Users who already had 2FA enabled.** Nothing changes for them. They keep working in the app without interruption.
- **Users who did not have 2FA enabled.** The next time they open, or are already signed in to, the Cloud Voice App (web or desktop) with their extension username and password, a setup window appears and prompts them to configure 2FA. If they do not finish the setup, the app signs them out automatically.

:::caution
Users who do not complete the 2FA setup are logged out automatically, including users who were already signed in. Anyone still working when you enforce this will be interrupted until they finish setting up their second factor.
:::

![Cloud Voice, the two-factor authentication setup prompt shown to users who have not yet enabled it](/images/pbx/2fa-enforcement-prompt.png)
