To enforce Multi-Factor Authentication with SMS for all users in a specific user class follow these easy steps:

Navigate to Manage > Administration > Users & Groups > User Classes, and click on the Permissions button on the user class you wish to edit:

Expand the Security section, select the Two-Step Verification permission, and save your changes:

Once you've saved your changes all of the users in the selected user class will now log into the CRM using the MFA method.

Logging in with MFA

Once MFA has been enabled, and after a user logs in with their username and password, the SMS Authorization page will be shown as in the below example:

At this point the user will also receive a one-time authentication code on their phone that they need to copy into the SMS Code field.

After a valid code has been submitted the user will be logged into the CRM.

As an option, the user can check the "Remember this computer for 30 days" option shown just above the Submit button.

In this case the user will not have to log in with the SMS code in the next 30 days, but they can just log in using the standard username and password.

Managing Personal MFA Settings

After you enable the Two-Step Verification permissions for a user class, then the users that belong to that user class will no longer be able to change the Two-Step Verification option on their user settings page, as the option will be greyed out:

If you later disable the Two-Step Verification permission for a user class, then the option will reset back to what it was before for each user.

Also each user will then be able to enable or disable the Two-Step Verification option for themselves.

Generating SMS Codes Manually (for Admins only)

If needed, the CRM administrator can generate an SMS Code for any user manually from the Manage User page, using the Get SMS Code button: 

The generated code will be shown in a popup window and the code will be valid for 30 minutes: