Owners can turn on a workspace-wide 'Require two-factor authentication for all members' toggle in Settings → Team. Members who haven't enrolled yet get an in-app grace banner with a link to set it up, and once the grace window passes they're prompted to enroll before they can reach the workspace. A new workspace-level security policy on Settings → Team: One toggle in Settings → Team turns on workspace-wide two-factor — Owners see a new 'Require two-factor authentication' card on the Team tab. Flip it on and every member of the workspace is held to the policy. The toggle is owner-only — other roles see the policy state but can't change it. We also won't let the policy be turned on by an owner who hasn't enrolled in two-factor themselves, since that would lock the owner out as soon as the policy took effect. Members get a grace banner before they're blocked — When a workspace turns the policy on, members who haven't enrolled yet see a persistent in-app banner reminding them to set up two-factor with a one-click link to their Profile's Security tab. Once the grace window closes, those members are bounced to enroll before they can use the workspace — but the banner gives them plenty of time to act ahead of that point. Owner-driven changes show up in your Activity feed — Turning the policy on or off is recorded on the workspace's Activity tab as 'Workspace MFA policy enabled' or 'Workspace MFA policy disabled', so there's a clear, timestamped record of who changed the security posture of your workspace and when.