What 2FA means in Legalsense
Two-factor authentication (2FA) strengthens access control by requiring two independent factors during login. In Legalsense, the first factor is the user’s username and password. The second factor is a time-based one-time password (TOTP) generated by a registered 2FA device, such as an authenticator app or a password manager with TOTP support. In the login flow and UI, this OTP is referred to as a security token.
Enforce 2FA system-wide
Installation-wide enforcement of 2FA is configured in the security settings.
Go to Settings > Security > Account settings.
Enable Enforce two factor authentication.
Once enforcement is enabled, every user is required to use 2FA. Users who have not yet registered a 2FA device are redirected to the mandatory setup flow on their next login. After setup is completed, users must provide a security token each time they sign in, unless an exception applies.
Optional: whitelist trusted IP addresses
To reduce login friction on trusted networks, you can whitelist specific IP addresses. When 2FA enforcement is enabled and a user signs in from a whitelisted IP address, that IP address is treated as the second factor. In this case, the user is not prompted to enter a security token.
Go to Settings > Security > Whitelisted IP addresses.
Select Add IP address.
Enter either:
A single IPv4 address (example: 203.0.113.10)
A CIDR range (example: 203.0.113.0/24)
IP whitelisting is commonly used for office networks with a stable egress IP, or for third-party systems that integrate with Legalsense from a fixed location. Because whitelisting reduces the effective strength of 2FA for traffic originating from those IPs, it should only be applied to controlled and well-understood network ranges.
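An added example, not part of Legalsense or its documentation: a small Python check to run over proposed whitelist entries before entering them, flagging mistakes that quietly widen the set of addresses exempt from the security token. The 256-address threshold, the list of non-egress ranges, and the sample entries are assumptions made for this illustration.

```python
import ipaddress

# Review policy assumed for this example, not a Legalsense limit:
# ranges wider than a /24 (256 addresses) are flagged for justification.
MAX_ADDRESSES = 256
# Internal or shared address space that cannot be a dedicated public egress IP.
NON_EGRESS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def review_whitelist(entries):
    """Map each proposed entry to a list of findings (empty list = no concerns)."""
    parsed, report = {}, {}
    for raw in entries:
        entry = raw.strip()
        report[entry] = []
        try:
            # strict=False so stray host bits are reported instead of rejected
            net = ipaddress.IPv4Network(entry, strict=False)
        except ValueError:
            report[entry].append("not a valid IPv4 address or CIDR range")
            continue
        if "/" in entry and str(net) != entry:
            report[entry].append(f"host bits set; the range actually covered is {net}")
        if net.num_addresses > MAX_ADDRESSES:
            report[entry].append(f"broad range: {net.num_addresses} addresses skip the token prompt")
        if any(net.overlaps(r) for r in NON_EGRESS):
            report[entry].append("private, loopback, link-local or shared address space")
        for other, other_net in parsed.items():
            if net.subnet_of(other_net) or other_net.subnet_of(net):
                report[entry].append(f"overlaps with {other}")
        parsed[entry] = net
    return report

# Constructed sample input: documentation ranges, one private range, one typo'd mask.
SAMPLE = ["203.0.113.10", "203.0.113.0/24", "198.51.100.77/28",
          "192.168.1.0/24", "203.0.113.0/8", "office-vpn"]

if __name__ == "__main__":
    for entry, findings in review_whitelist(SAMPLE).items():
        print(f"{entry:20} {'; '.join(findings) or 'ok'}")
```

The `203.0.113.0/8` entry shows why the check matters: a mistyped prefix length turns a single office range into more than sixteen million addresses that are treated as the second factor.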