Can I enforce firm staff users to setup two factor authentication?

Yes, Firm Admin users can turn on the policy to require all firm staff users to set up two factor authentication.

This can be done from the settings -> users screen:

(Note: This option only shows up after the admin has themselves set up two-factor authentication)

What's the flow for the other users?

Once this is turned on for the firm - the firm staff users will start to see a notice on the dashboard screen in DecisionVault:

They can click through to set it up - or if they don't then after 3 days they are automatically redirected and are required to set it up before they can use the tool:

What happens when I invite a new firm staff user?

When this policy is turned on then any newly invited in the future will have 3 days to set up 2FA from the moment that they click on the invite link and create their account.

Does this also apply to my client users?

It does not.