Two-Factor Authentication (2FA)

SMS-based verification for every login - one switch to enforce it across your entire organization

Overview

Instafill.ai supports two-factor authentication that adds an SMS verification step every time you log in. Whether you sign in with email/password, Google SSO, or Microsoft SSO, 2FA requires a 6-digit code sent to your phone before access is granted. No special apps or tokens are required - just your mobile phone.

Organization Owners can enforce 2FA for all members with a single setting. Once enabled, organization members who do not have two-factor authentication enabled will be unable to access resources owned by the organization, but will remain members until they update their settings. Outside collaborators who do not have 2FA enabled will be removed from the organization and notified.

This helps organizations meet requirements in security frameworks that mandate multi-factor authentication, including ISO 27001, HIPAA, PCI-DSS, and SOC 2. Many enterprise customers now require MFA as a baseline control before adopting cloud services, and Instafill.ai's 2FA satisfies that requirement without extra tools or integrations.

For a step-by-step setup guide, see How to set up two-factor authentication (2FA) on Instafill.ai.

Key Capabilities

Capability | What it means for you
--- | ---
SMS-based verification | A 6-digit code is sent to your phone at every login. No authenticator apps, hardware tokens, or special software needed
Works with all login methods | 2FA applies regardless of how you sign in - email/password, Google SSO, or Microsoft SSO
Organization-wide enforcement | Organization Owners can require 2FA for every member. Members without 2FA enabled lose access to organization resources until they enroll
Owner-only control | Only Organization Owners can enable or disable the 2FA requirement. Other team members cannot modify the setting
Compliance alignment | Meets multi-factor authentication requirements in ISO 27001, HIPAA, PCI-DSS, and SOC 2 frameworks

How to Set Up 2FA

1. Open organization settings

Go to Instafill.ai and click your profile icon in the top right corner. Click on your workspace name - this takes you to the workspace settings page.

2. Open Authentication security

In the left sidebar under ORGANIZATION, click Authentication security. This opens the two-factor authentication settings at instafill.ai/settings/organization/authentication.

3. Enable two-factor authentication

Check the box next to Require two-factor authentication for everyone in your organization. This enforces 2FA across your entire team immediately.

Organization members who haven't set up 2FA yet will be unable to access organization resources until they enable it. Outside collaborators without 2FA will be removed from the organization and notified.

4. Log out and log back in

When you (or any team member) sign back in, a prompt asks for your phone number. Click Send code and you'll receive a 6-digit SMS code. Enter the code into the verification field and click Verify and Continue. You're signed in.

Note: Only Organization Owners can manage the 2FA enforcement setting. Other team members will see the setting as inactive with a notice that only the owner can change it. For details on organization roles, see Organization Management.

Use Cases

Healthcare: protecting patient data in credentialing workflows

Healthcare practices using Instafill.ai to fill CMS-1500 claims, credentialing applications, or insurance forms handle sensitive patient and provider data. Enabling 2FA across the organization satisfies HIPAA's technical safeguard requirements for access control to electronic PHI, without requiring a separate MFA tool.

See also: How EightAI Scaled from 350 to 1,250 Healthcare Providers by Automating Insurance Credentialing Forms - EightAI processes thousands of credentialing forms containing physician credentials and insurance data. For teams handling this volume of sensitive provider information, organization-wide 2FA ensures only authorized staff can access the workspace.

Legal: protecting confidential client documents

Law firms handling confidential client documents - intake forms, court filings, beneficiary designations - use 2FA to ensure that a compromised password alone cannot grant access to case files. When combined with workspace isolation, each client matter is both access-controlled and cryptographically separated.

Enterprise: uniform security policy across teams

Organizations with distributed teams enforce 2FA at the organization level so that all members - whether they sign in via Google, Microsoft, or email/password - go through the same verification process. This removes reliance on individual users remembering to enable it and ensures consistent security posture across every workspace.

Benefits

  • Simple SMS delivery: No apps to install, no tokens to manage. Any mobile phone that can receive SMS works
  • Consistent across login methods: The same 2FA step applies whether you use email/password, Google SSO, or Microsoft SSO - no gaps between authentication methods
  • One switch for the whole team: Organization Owners enforce 2FA for all members from a single setting, eliminating per-user configuration
  • Compliance-ready: Satisfies MFA requirements in HIPAA, ISO 27001, PCI-DSS, and SOC 2 without additional tools or vendor contracts
  • No workflow disruption: 2FA adds a few seconds to the login process. For teams that fill forms via the REST API, API key-based calls are not affected by the interactive SMS step

Security & Privacy

All account data is workspace-scoped and protected by the same encryption and isolation that applies to form data. As an AI form filler handling sensitive documents, Instafill.ai has completed an independent penetration test aligned with OWASP Top 10 and CWE/SANS Top 25, as part of its SOC 2 Type II audit preparation.

SMS verification:

  • 6-digit codes delivered via SMS to the registered phone number
  • Codes are single-use - a verified code cannot be replayed

Phone number handling:

  • Phone numbers are displayed masked in the UI, showing only the last four digits (e.g., ***-***-1234)

Authentication logging:

  • Login events, including 2FA challenges, are recorded with timestamp and IP for audit purposes
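The two properties listed above, single-use codes and a per-challenge audit record with timestamp and IP, are easiest to see in code. The following is an added illustration of how a server-side SMS code store generally enforces them; it is not Instafill.ai's implementation, and the 5-minute expiry, the 5-attempt limit, and the user IDs and IP addresses are constructed assumptions.

```python
# Added illustration (not Instafill.ai's code) of a server-side store for 6-digit
# SMS login codes: single-use, hashed at rest, and every challenge logged with
# timestamp and IP. The 5-minute expiry and 5-attempt limit are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300  # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5        # assumption: lock the challenge after 5 wrong guesses

def _hash(code: str) -> bytes:
    return hashlib.sha256(code.encode()).digest()

@dataclass
class Challenge:
    code_hash: bytes  # only the hash is stored; the plaintext code goes in the SMS
    issued_at: float
    attempts: int = 0
    used: bool = False

@dataclass
class SmsCodeStore:
    challenges: dict = field(default_factory=dict)  # user_id -> Challenge
    audit_log: list = field(default_factory=list)   # (timestamp, user_id, ip, event)

    def issue(self, user_id: str, ip: str, now: float) -> str:
        # CSPRNG, zero-padded so the code is always exactly 6 digits
        code = f"{secrets.randbelow(10**6):06d}"
        self.challenges[user_id] = Challenge(_hash(code), now)
        self.audit_log.append((now, user_id, ip, "2fa_code_sent"))
        return code  # the caller hands this to the SMS gateway

    def verify(self, user_id: str, submitted: str, ip: str, now: float) -> bool:
        ch = self.challenges.get(user_id)
        # A missing, already-used or expired challenge fails without consuming anything
        if ch is None or ch.used or now - ch.issued_at > CODE_TTL_SECONDS:
            self.audit_log.append((now, user_id, ip, "2fa_failed"))
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:  # brute-force guard for a 6-digit space
            self.audit_log.append((now, user_id, ip, "2fa_locked"))
            return False
        ok = hmac.compare_digest(ch.code_hash, _hash(submitted))  # constant-time
        if ok:
            ch.used = True  # single-use: a verified code cannot be replayed
        self.audit_log.append((now, user_id, ip, "2fa_success" if ok else "2fa_failed"))
        return ok
```

A correct code succeeds exactly once; submitting the same code again, an expired code, or a sixth guess after five failures is rejected and each outcome lands in the audit log.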

Common Questions

What if I lose access to my phone?

Contact [email protected] with identity verification. The support team can help you regain access to your account so you can re-enroll with a new phone number.

To prevent lockouts, keep your phone number up to date in your account settings.

Does 2FA apply to API calls?

No. API key-based calls are authenticated by the API key itself and do not trigger an SMS prompt. The interactive 2FA step applies only to browser-based logins. This means automated workflows using the API continue to run without interruption while browser access remains protected.

Can I use an authenticator app instead of SMS?

Currently, Instafill.ai supports SMS-based 2FA only. No authenticator apps or hardware tokens are required - the 6-digit code is delivered directly to your phone via SMS.

Who can enable or disable 2FA enforcement?

Only Organization Owners can toggle the 2FA requirement. Other team members cannot change this setting - they will see a notice indicating that only the organization owner can manage it. This prevents individual users from disabling the security policy set by the organization.

Does 2FA work with Google and Microsoft SSO?

Yes. After completing Google or Microsoft OAuth sign-in, the system sends a 6-digit SMS code before granting access. 2FA applies to all login methods equally - email/password, Google SSO, and Microsoft SSO all go through the same verification step.

What happens to members who haven't set up 2FA when enforcement is enabled?

Organization members who do not have 2FA enabled will be unable to access resources owned by the organization, but they remain members until they update their settings. Outside collaborators who do not have 2FA enabled will be removed from the organization and notified. You can view the organization membership list to see which users will be affected before enabling enforcement.

Which compliance frameworks require 2FA?

Multi-factor authentication is a required or strongly recommended control in several frameworks: ISO 27001 (access control), HIPAA (technical safeguards for ePHI), PCI-DSS (cardholder data access), and SOC 2 (logical access controls). Enabling organization-wide 2FA in Instafill.ai helps satisfy these requirements without additional tools.
