Two-factor authentication has been available in ISL Online for a while. Not everyone has turned it on. We are rolling out email verification for users without 2FA configured, starting with newer accounts on June 3 and expanding to all accounts on June 10. Users in Japan, OEM and integration account types are excluded from this rollout.
Users that do not have 2FA configured, will now be asked to verify their identity via a one-time code sent to their registered email before login completes. It takes seconds, it adds real protection.
If you and your users already have 2FA set up, nothing changes for you.
What is changing
We are enabling a new domain-level setting: “Require email verification (non-2FA configured)”.
When active, any user who logs in without 2FA configured will receive a one-time code at their registered account email. They enter the code, they get in. No new app to install, no enrollment required.
Why now
Passwords get reused, leaked, and guessed. Adding a second step at login, even a lightweight one like email verification, closes a real gap for accounts that would otherwise be protected by a single credential. This is now standard practice across most enterprise software, and it is overdue.
What you need to do
A) You already have 2FA configured
Nothing. Enjoy your day.
B) Some or all of your users do not have 2FA configured
You have three options. Pick the one that fits your organization.
Option 1: Do nothing
Once the change is rolled out, users without 2FA get a one-time code to their registered email at each login. No configuration required, and it is more secure than a password alone.
Option 2: Enable “Require 2FA” in your domain settings
This requires all users without 2FA to enroll in at least one method before their next login completes. Once enrolled, the email verification step is replaced by their chosen 2FA method. To make 2FA obligatory for your users, go to Administration > Settings > Security.
You can control which methods are permitted across your domain, and you can reset 2FA for individual users when needed, for example when someone loses their phone or gets a new one. This is the most secure option.
Option 3: Disable “Require email verification” in your domain settings
This keeps credential-only login active for your domain. The setting is yours to control. We do not recommend this from a security perspective, but the option is there.
New tools for admins
These are available now, ahead of the rollout.
- Reset 2FA for individual users. Available from the user list or the user detail page. Useful when someone loses access to their authenticator or switches devices. The reset removes their existing 2FA configuration, logs the action, and notifies the user automatically.
- Control permitted 2FA methods. Allow or restrict which methods users can register: authenticator apps, passkeys, phone numbers, or email.
- User management improvements. The user list now shows 2FA status and enrolled methods for every user. Filter and sort by 2FA status to quickly find who is covered and who still needs to set something up.
Account owners: set up a backup 2FA method
If you’re an account owner, this is worth five minutes of your time.
Domain admins can reset 2FA for any subuser. The main account owner is a different story: there is no reset path for the account owner, by anyone. If you lose access to your only 2FA method, recovering your account means contacting support and going through a verification process. It will take some time.
Set up a second method now. A passkey alongside your authenticator app, or email as a fallback. If you lose one, you still have the other.
Need help?
If you have questions about this change or need a hand getting your users ready before June 3, contact our support team. We are happy to walk you through it.