Configure allowed 2FA methods for users

If you're a Super Admin in your HubSpot account, you can define which two-factor authentication (2FA) methods HubSpot users can use for login. You can limit the available 2FA options to align with your organization’s security policies. For example, if your company policy requires ‌authenticator apps for all logins, you can turn off text messages as a 2FA method to ensure compliance. 

Before you get started

• The setting is turned off by default, allowing all HubSpot-offered 2FA methods. 
• The HubSpot mobile app will always be turned on by default as a 2FA method and cannot be turned off. 

• This setting limits 2FA methods when logging in through a browser only. It does not limit 2FA methods when logging in through the HubSpot mobile app. For example, if your account has limited 2FA options, users logging in through the HubSpot mobile app can still use all HubSpot-offered 2FA methods.

Configure allowed 2FA methods

This process will differ slightly if you're setting up login methods for the first time in your HubSpot account or if you have already set them up before. 

Configure allowed 2FA methods during portal login settings setup

If you're a Super Admin setting up portal login methods for the first time:

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Security.
3. On the Login tab, click Setup Portal Login Settings.

4. If you'd like to set up single sign-on, click Set up SSO and click Next. Learn more about setting up SSO.
5. Select the login methods you'd like to allow for your users, the date it should be enforced from, and any users you'd like to exempt from the login method. Then, click Next.
6. On the 2FA is required for your portal. Choose which 2FA methods are allowed. page, select at least two 2FA methods to continue: 
   • HubSpot Mobile App: receive a notification from the HubSpot app. 
   • Authenticator App (recommended): enter a one-time code from an app like Google Authenticator, Authy, or Duo. 
   • Text message: enter a one-time code sent via text message.

Please note: the HubSpot Mobile App is selected as a 2FA method by default and cannot be turned off.

7. Click Next.
8. Continue setting up the login methods. 

Configure allowed 2FA methods (existing login method setup)

If you have already set up login methods in the past: 

1. In your HubSpot account, click the settings settings icon in the top navigation bar.
2. In the left sidebar menu, navigate to Security.
3. On the Login tab, click 
   click to toggle the Configure allowed two-factor authentication (2FA) methods switch on.
4. Select the checkboxes for the 2FA methods you want to allow for your users:
   • Authenticator app (recommended): enter a one-time code from an app like Google Authenticator, Authy, or Duo. 
   • Text message: enter a one-time code sent via text message
   • HubSpot mobile app: receive a notification from the HubSpot app. 

Please note: the HubSpot mobile app is selected as a 2FA method by default and cannot be turned off.

5. Once you're done, click Save in the bottom left.

Impact of changing allowed 2FA methods 

When you configure or change the allowed 2FA methods in your HubSpot account, the user experience will vary depending on whether they have already set up a 2FA method or not. 

• For users with an existing 2FA method that is no longer allowed: the user will be able to log in with that 2FA method the next time they log in. After ‌logging in, the user will be prompted to set up one of the allowed methods for future logins. 
• For users who do not have any 2FA method set up: after entering their username and password, the user will be prompted to enter a verification code sent to their email. Following this, they will be prompted to set up one of the allowed 2FA methods.