Optional 2FA for users with SSO
Jen Roth
[From support ticket] It would be great if you could add an option, forcing the 2fa only for users managed in ClickUp, not for users where the login is already enforced to go through an external IDP (Okta in our case), because when using an external/upstream IDP, a second factor is already used there.
Marlon Bermudez
ClickUp, this is not a “nice to have”, it is a critical need for enterprise security.
When SSO is enforced via a mature IdP (Okta, Entra, etc.), MFA is already mandatory, audited, and policy driven. Requiring ClickUp MFA on top of that creates redundant authentication, session churn, and user friction that does not exist with other enterprise SaaS platforms.
At the same time, we must be able to enforce MFA for non-SSO users and guests to meet audit, regulatory, and third-party risk requirements.
Granular MFA enforcement based on authentication method (SSO vs native login) is essential for enterprise adoption. Without it, customers are forced to choose between audit failure and degraded user experience, which is an unacceptable tradeoff.
Mitchell Carlson
My org wants this feature as well. Every time someone logs in via our IDP, the session is wiped and they are prompted for MFA. This causes unnecessary friction and probably happens to each user multiple times per day. (Accessing our apps from the IDP portal is a very common workflow.) Our users are already questioning why this only happens with ClickUp and not any of our other tools.
We can't turn MFA off because we need to require it for guests.
Abdullah Alaqeel
Not enabling 2FA puts us at risk of failing security audits (all 3rd party access must have 2FA enabled) and prevents us from inviting guests, but enabling it for SSO users makes them hate us.
Riccardo Giampaolo
Hello, commenting on this, definitely a need for the same reasons highlighted by Matthew Wasbrough. We enforce 2FA on our (internal) identity provider, so no need for 2FA for us, but for guests/supporters who use username/password, this is a must. Having the possibility to divide this the same way it happens for the SSO makes a lot of sense.
Matthew Wasbrough
Commenting to try and boost visibility, also related to https://feedback.clickup.com/feature-requests/p/2fa-mandatory-for-guests-only-but-not-members
With SSO turned on for full members (for my company) Microsoft already has 2FA enforced so this isn't needed for full members. Guests cannot use the same Microsoft SSO as they are external to the company, but I would like to enforce 2FA for them.
Gevangee Desai
Just to add to this, my understanding is that 2FA is "all or nothing".
I'd love the ability to granularly enforce 2FA for non-SSO users. This should cover guest access too, as there might be some users with the need to share sensitive data, and this extra layer would be great to see.
Georgi Georgiev
Same problem here, the 2FA leaves a bit to be desired. I.e., it would be nice to enforce it only for password logins, and to also be able to trust a device so we don't have to use it every time on the same device.
Jean Valery
I agree. It would be great if you could add an option, forcing the 2FA only for users managed in ClickUp.
How can we solve a login issue with 2fa when the app is uninstalled or the device is lost?