MFA and sessions
Know how MFA is enforced, when grace periods apply, and why some operations demand a fresh second factor mid-session.
MFA enforcement
Multi-factor authentication is required for elevated roles — administrators, partner owners, and other accounts with privileged access. Standard member accounts are strongly encouraged but not forced to enroll.
Grace period
When an account becomes subject to the MFA requirement (a new admin, a newly elevated role), it receives a grace period to enroll a second factor. During the grace period the account works normally and sees enrollment reminders. After it expires, access to protected surfaces requires completed enrollment.
Recommended factors
- Passkeys are the preferred factor: phishing-resistant, no codes to copy, user verification enforced at the authenticator.
- TOTP authenticator apps are supported as a conventional second factor.
- Recovery codes back up both — see account recovery.
Step-up authentication
Holding a session is not enough for everything. Sensitive operations require step-up: a fresh second-factor proof (AAL2 in NIST SP 800-63B terms) completed within a short recency window, even if you authenticated earlier the same day. The recency window is measured from the last factor the server itself verified, not from when the session was created.
Operations gated behind step-up include:
- Resetting another user's MFA
- Changing user roles
- Forcing a password reset
- Issuing or revoking SCIM provisioning tokens
- Revoking your own sessions
If the proof is missing or stale, the server rejects the request and the application prompts you to re-verify. This is enforced server-side; it cannot be bypassed by a modified client.
Step-up is why a stolen laptop with an open session cannot quietly escalate privileges. The attacker would still need your second factor, freshly.
Session management
You can review and control your active sessions from account security settings at os.thequantumclub.com:
- List every active session with device and sign-in context.
- Revoke any session, including all sessions at once.
Revoking a session is itself a sensitive operation and requires a fresh step-up proof. This prevents an attacker who hijacked one session from using it to evict the legitimate owner's other sessions.
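The following is an added example, not code from os.thequantumclub.com or its documentation. It models the policy described in the MFA enforcement, grace period and step-up sections above as a single server-side gate: an elevated role without MFA is tolerated inside an assumed grace period and blocked after it lapses, and the operations listed as sensitive (including revoking your own sessions) are allowed only when a server-recorded AAL2 proof is fresher than an assumed recency window. The role names, the seven-day grace period, the five-minute window, the operation identifiers and the `Account`/`Session` shapes are all assumptions; the decision logic is the point, in particular that a client's own claim of freshness is never consulted.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy constants; the product's real values are not on the page.
ELEVATED_ROLES = {"admin", "partner_owner"}
GRACE_PERIOD = timedelta(days=7)
STEP_UP_WINDOW = timedelta(minutes=5)

# The operations the page lists as gated behind step-up (names assumed).
SENSITIVE_OPERATIONS = {
    "reset_user_mfa",
    "change_user_role",
    "force_password_reset",
    "issue_scim_token",
    "revoke_scim_token",
    "revoke_sessions",
}


@dataclass
class Account:
    user_id: str
    role: str
    mfa_enrolled: bool
    requirement_started_at: Optional[datetime] = None  # when the grace clock began


@dataclass
class Session:
    account: Account
    authenticated_at: datetime
    last_aal2_at: Optional[datetime] = None  # set only by the server after a factor is verified
    # Whatever the client says about itself. Deliberately never read by authorize().
    client_claims: dict = field(default_factory=dict)


def enrollment_state(account: Account, now: datetime) -> str:
    """Return 'optional', 'enrolled', 'grace' or 'lapsed' for this account."""
    if account.role not in ELEVATED_ROLES:
        return "optional"          # standard members are encouraged, not forced
    if account.mfa_enrolled:
        return "enrolled"
    started = account.requirement_started_at
    if started is not None and now < started + GRACE_PERIOD:
        return "grace"             # works normally, reminders shown
    return "lapsed"                # no grace record, or the window has passed


def record_step_up(session: Session, now: datetime) -> None:
    """Call only after the server itself has verified a passkey or TOTP code."""
    session.last_aal2_at = now


def authorize(session: Session, operation: str, now: datetime) -> str:
    """Server-side gate run before every protected operation.

    Returns 'allow', 'mfa_enrollment_required' or 'step_up_required'.
    """
    if enrollment_state(session.account, now) == "lapsed":
        return "mfa_enrollment_required"
    if operation in SENSITIVE_OPERATIONS:
        last = session.last_aal2_at
        # A missing or stale proof rejects the request regardless of session age.
        if last is None or now - last > STEP_UP_WINDOW:
            return "step_up_required"
    return "allow"


def demo() -> dict:
    """Walk the scenarios from the page and return each decision (constructed data)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    admin = Account("u1", "admin", mfa_enrolled=True)
    sess = Session(admin, authenticated_at=t0, last_aal2_at=t0)
    out = {}
    later = t0 + timedelta(hours=3)  # same day, but the proof is hours old
    out["stale_role_change"] = authorize(sess, "change_user_role", later)
    sess.client_claims["aal2_fresh"] = True  # a modified client asserting freshness
    out["client_claim_ignored"] = authorize(sess, "revoke_sessions", later)
    out["read_allowed"] = authorize(sess, "list_sessions", later)
    record_step_up(sess, later)  # user re-verifies with passkey or TOTP
    out["after_step_up"] = authorize(sess, "change_user_role", later)
    newbie = Account("u2", "admin", mfa_enrolled=False, requirement_started_at=t0)
    out["in_grace"] = enrollment_state(newbie, t0 + timedelta(days=3))
    out["after_grace"] = authorize(Session(newbie, t0), "list_sessions", t0 + timedelta(days=8))
    return out


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Run it directly to see the six decisions. The stolen-laptop case from the text is the `stale_role_change` and `client_claim_ignored` lines: the open session still reads non-sensitive data, but role changes and session revocation fail until `record_step_up` is called, and that function is only reachable after the server has verified a factor.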
Guidance for organization admins
Enroll passkeys first
Direct users to enroll a passkey before relying on TOTP. Passkeys remove the most common phishing path entirely.
Treat the grace period as a deadline
Track which elevated accounts are still inside their grace window and chase enrollment before it lapses, not after.
Expect step-up prompts
Train admins that re-verification during sensitive actions is normal and deliberate. A step-up prompt that appears when no sensitive action was attempted is worth reporting.
You know which roles must have MFA, what the grace period does, which operations demand a fresh AAL2 proof, and how users revoke their own sessions.
Related
Security model
Walk the defense-in-depth model layer by layer — authentication, database-level authorization, rate limiting, and anomaly detection containing each other's failures.
Account recovery for organizations
Know the five ways your users get back in when a credential is lost — and what to tell them before they lose anything.