Multifactor Authentication (MFA)

What is multifactor authentication (MFA)?

Multifactor authentication increases the security of your account by requiring a second method for authenticating your identity, such as access to your email or mobile device. Rather than just entering a password, you are also required to verify your login via this second method. This can prevent unauthorized access to your account by individuals who may steal or guess your password.

When multifactor authentication is turned on and a user tries to log in, a dialog appears asking for an authentication code.



Then, the authentication code is emailed immediately to the email address associated with your account. You can then enter the authentication code to log into Everlaw. The code is valid for ten minutes after it is sent. If needed, you can click the “Email a new code” link on the login page to send a new authentication code to your email.

MFA at an organization level 

If you are an Organization Administrator, you can require multifactor authentication for all projects within your organization. To do this, navigate to the Security Settings tab under Projects and Users on the Org Admin page. If you toggle MFA to be required for all projects, project-level MFA settings will be overridden. If you choose not to require MFA, individual projects will be able to configure their own multifactor authentication requirements.


Note: If an Organization Admin chooses to require MFA for all projects and then reverts the change, all projects’ settings will be restored to their setting before the override. For more information on Organization Administrators and organization-level settings, please read our article on organization and project administration.

MFA at a project level

If you are a Project Administrator, you can choose whether or not to enable multifactor authentication for a project. This requires all users on the project to go through the additional authentication step when they log out and back in using a new device. To enable multifactor authentication project-wide, navigate to the General tab in Project Settings. Within Multifactor Authentication, click the toggle to enable it. If the toggle is green, then multifactor authentication is turned on. 


Note: In some cases, Multifactor Authentication settings or Email Notifications for Message Content settings will be disabled at the project level. This is because the setting has been enforced at the organization level by an organization administrator.

MFA at a user level

You can edit your user security settings by clicking your designated first name in the top right of the screen. To require two-factor authentication for your account on the project, check the "Require Two-Factor Authentication" box. Note that these settings are at the user level only. Project administrators can set multifactor authentication rules for the overall project, and organization administrators can enforce multifactor authentication for the overall organization. These rules will override those you set at the user level.

If you check the "Remember this computer" box on the login screen, Everlaw will remember your computer or tablet for thirty days. During these thirty days, you will not need to re-authenticate when logging in with the same device. This does not apply if you disable cookies, clear your browser history, or use a different browser.

As an alternative to email authentication, you can add an authentication device, like a smartphone or tablet. To add an authentication device, click the green plus icon by the authentication device option in the user profile page. A screen will pop up displaying instructions on how to use a mobile authenticator app to scan the QR code. You can use any QR code reader to scan the QR code in the dialog box. If you would like to remove your device, click on the “Delete this device” icon. If you don’t have your device when logging in, you can click the “Email a new code” link on the login page to send an authentication code to your email.


On the user profile page you can also see a list of trusted sessions. You can use this to audit when and where your account was accessed. You can delete your history of trusted sessions by clicking the trashcan icon next to the "trusted sessions" header.

