<b>2FA Enforcement Rollout SOP</b>
Use when mandating two-factor across a team, not just suggesting it.
— Step 1: Pick TOTP or hardware keys. Disable SMS — SIM-swap defeats it.
— Step 2: Set a grace window. 7 days from first login to enroll, enforced by plugin policy.
— Step 3: Force enrollment by role. Require it for Administrator and Editor first; expand to all roles after.
— Step 4: Generate and store recovery codes offline. Test one to confirm it is consumed on use and cannot be reused.
— Step 5: Block the grace bypass. After day 7, unenrolled accounts get login-locked, not warned.
— Step 6: Audit monthly. Pull a list of accounts without an active 2FA secret and remediate.
Run this every time.
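Added example, not code from the Lockdown Ledger post: a small policy check that runs Steps 2 through 6 over an exported user list. Field names, the lowercase role names and the sample accounts are assumptions; the grace window counts from first login, and an account is locked once today is at or past first login plus 7 days.

```python
"""Added example (not from the Lockdown Ledger post): grace window, role-scoped
enforcement, post-grace lock, single-use recovery codes, and the monthly audit
list from the SOP. Input is a constructed list of user records; the field and
role names are assumptions, not any plugin's actual schema."""

from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import date, timedelta

GRACE_DAYS = 7                                # Step 2: 7 days from first login
REQUIRED_ROLES = {"administrator", "editor"}  # Step 3: first wave of enforcement
STRONG_FACTORS = {"totp", "hardware_key"}     # Step 1: SMS is not an accepted factor


@dataclass
class Account:
    username: str
    role: str
    first_login: date          # start of the grace window
    factor: str | None = None  # "totp", "hardware_key", "sms" or None (unenrolled)


def evaluate(acct: Account, today: date,
             required_roles=REQUIRED_ROLES, grace_days=GRACE_DAYS) -> str:
    """Return 'ok', 'grace:<days_left>', 'locked' or 'not-required' for one account."""
    if acct.role not in required_roles:
        return "not-required"
    if acct.factor in STRONG_FACTORS:
        return "ok"                       # SMS-only counts as unenrolled (Step 1)
    deadline = acct.first_login + timedelta(days=grace_days)
    if today < deadline:
        return f"grace:{(deadline - today).days}"
    return "locked"                       # Step 5: past the window -> locked, not warned


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Step 6: bucket every account by status so the 'locked' list can be remediated."""
    report: dict[str, list[str]] = {"ok": [], "grace": [], "locked": [], "not-required": []}
    for acct in accounts:
        report[evaluate(acct, today).split(":")[0]].append(acct.username)
    return report


class RecoveryCodes:
    """Step 4: single-use recovery codes. Only keyed hashes live on the server;
    the plaintext list is handed to the user once and stored offline."""

    def __init__(self, count: int = 8):
        self._key = secrets.token_bytes(16)
        self.plaintext = [secrets.token_hex(5) for _ in range(count)]
        self._hashes = {self._hash(c) for c in self.plaintext}

    def _hash(self, code: str) -> str:
        return hmac.new(self._key, code.encode(), hashlib.sha256).hexdigest()

    def consume(self, code: str) -> bool:
        """True exactly once per valid code; a second use of the same code fails."""
        candidate = self._hash(code)
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)   # consumed: cannot be replayed
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


# Constructed sample export; 'today' is fixed so the result is reproducible.
TODAY = date(2024, 3, 15)
SAMPLE = [
    Account("alice", "administrator", date(2024, 3, 1), "totp"),         # ok
    Account("bob", "editor", date(2024, 3, 12), None),                   # grace:4
    Account("carol", "editor", date(2024, 3, 1), None),                  # locked
    Account("dave", "administrator", date(2024, 3, 1), "sms"),           # locked (SMS only)
    Account("erin", "subscriber", date(2024, 3, 1), None),               # not-required
]

if __name__ == "__main__":
    for status, names in audit(SAMPLE, TODAY).items():
        print(f"{status:13s} {', '.join(names) or '-'}")
    codes = RecoveryCodes(count=4)
    print("first use:", codes.consume(codes.plaintext[0]),
          "second use:", codes.consume(codes.plaintext[0]),
          "remaining:", codes.remaining())
```

The `locked` bucket is the monthly remediation list; `dave` lands in it even though he has "a factor" because SMS is excluded by policy, which is the check most audits forget.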
Lockdown Ledger
@LockdownLedger
This post was published in the Lockdown Ledger Telegram channel. Subscribe at: @LockdownLedger.