To strengthen account security and support the needs of our enterprise customers, Gadzoom now supports Two-Factor Authentication (2FA) for all users.
This update is especially important as compliance requirements such as CMMC (required in federal contracts beginning November 2026) and SOC 2 Type II increasingly mandate stronger authentication controls. 2FA is a key part of meeting those standards—but more importantly, it provides a meaningful layer of protection for every account.
Why This Matters
Two-Factor Authentication is one of the most effective ways to protect accounts against unauthorized access. It is increasingly required by industry standards and expected by customers who rely on secure systems to manage their data.
By enabling 2FA—whether individually or across your organization—you are taking a meaningful step toward stronger security and compliance.
What This Means for You
Two-Factor Authentication adds a verification step during login. In addition to entering your password, you’ll be asked to confirm your identity using a second method, such as a code sent to your phone or generated by an authenticator app.
This change adds one quick step at login, but it dramatically reduces the likelihood of unauthorized access, even if a password is compromised.
2FA is now available to all users and can be enabled individually at any time. For organizations, administrators also have the ability to require 2FA across their entire account.
Available Authentication Methods
Users can configure 2FA from the Login Options page. Gadzoom currently supports verification via email, SMS (text message), and authenticator apps that generate time-based one-time passwords.
While all three methods are supported under standard settings, they do not provide the same level of security. In general, authenticator apps provide the strongest protection, followed by SMS verification, with email verification offering the greatest convenience but the lowest level of security among the available options.
Organizations with stricter compliance requirements should be aware that not all methods are permitted under certain frameworks. For example, CMMC and NIST 800-171 enforcement settings do not allow email as a second authentication factor, requiring users to utilize either an authenticator app or SMS verification instead.
For organizations pursuing compliance with CMMC, NIST 800-171, or similar security frameworks, we recommend using authenticator apps whenever possible.
Administrator Controls and Enforcement
Organizations can require 2FA across all users to meet increased security requirements.
Administrators can now enforce 2FA across all users in their account. When enabling this requirement, administrators can apply a configurable grace period, which gives users time to set up their authentication methods without immediately disrupting access. Once the grace period ends, any user who has not configured 2FA will be required to do so at their next login before continuing.
Administrators can also configure which authentication methods are permitted within their organization. For example, organizations pursuing compliance with frameworks such as NIST 800-171 or CMMC may choose to restrict the use of email as a second authentication factor and require users to authenticate using SMS or an authenticator application instead.
While these controls can assist organizations in implementing authentication practices commonly associated with frameworks such as NIST 800-171 and CMMC, each organization remains responsible for evaluating and implementing the controls necessary to meet its specific compliance requirements.
Enabling 2FA as an Individual User
Any user can enable Two-Factor Authentication at any time by navigating to the Login Options page within their account settings.
From there, you can select your preferred authentication method and complete the brief setup process. During setup, you will also be provided with backup codes. These codes should be saved immediately and stored securely, as they play a critical role in account recovery.
Once enabled, you will be prompted for your second authentication factor each time you log in.
What to Expect if 2FA is Required
If your organization requires 2FA, you will be prompted to configure it either during the grace period or at your next login after enforcement begins.
After the grace period ends, you will not be able to access your account until you configure 2FA. This ensures that all users meet the organization’s security requirements and helps maintain compliance with applicable standards.
Recovery and Backup Codes
As part of the 2FA setup process, you will receive a set of backup codes. These codes are essential and should be treated with the same level of care as your password. We strongly recommend saving them immediately and storing them in a secure location, such as a password manager or other secure storage system.
If you lose access to your authentication device—for example, if your phone is lost, replaced, or unavailable—these backup codes can be used to log in and regain access to your account. Each backup code can only be used once.
If you misplace your backup codes but still have access to your account and an active authentication method, you can generate a new set of backup codes at any time from the Login Options page. Generating new backup codes will replace any previously issued codes, so be sure to save the newly generated set.
It is important to understand that Gadzoom does not have access to your backup codes and cannot retrieve them for you. If you lose access to both your authentication method and your backup codes, account recovery options may be limited.
After using a backup code to regain access, we recommend generating a new set of backup codes and verifying your Two-Factor Authentication settings to ensure you maintain access to your account.
Availability and Feedback
Two-Factor Authentication is now available in all Gadzoom accounts. We encourage both users and administrators to begin enabling and configuring it as soon as possible. You can get started today from the Login Options page within your account settings.
If you have questions or feedback, please contact us at customsupport@gadzoom.net.