2-factor Authentication (2FA), also known as Multi-Factor authentication (MFA), is an extra layer of protection you can use to ensure the security of your employees' Sage HR accounts beyond just their email address and password.

Sage is implementing 2FA across all its services and products. Once you're required to use 2FA, its usage will be mandatory.

As an admin user, you will be prompted to set up 2FA as you log in, if you haven't already done so via account.sso.sage.com.

If you want your employees also to be prompted to set up using 2FA for your Sage HR company you can enable 2FA from within your security settings in Sage HR. This will prompt your employees to set up 2FA the next time they log into Sage HR, and they aon't be able to log in until they do it.

If you disable it, employees will still be required to use 2FA if they've already set it up. They will no longer be prompted to set up 2FA if they haven't already.

Users can authenticate in the following ways:

When you select Remember me at login, Sage HR won’t ask for a 2FA code again for a set time. This helps if you often log in from the same device.

Even if you log out, Remember me can still stop 2FA prompts during that time period. If you want to enter a 2FA code every time you log in, don’t select Remember me.

Yes, however, we're unable to recommend a particular desktop authenticator, and be aware that some are not free.

Also, be aware that this would restrict you to only being able to log in to Sage HR when you have access to the computer on which the app is on. You would need to use a recovery key or backup method to log in when not at the computer.

There is no email option for authentication. Email is only a option as a backup method for users logging in with a Customer Sage account. The email address for a backup method has to be a different email address from the Sage account email address.

After you enable 2FA for employees, they're prompted to set up their 2FA the next time they log in to Sage HR.

Yes, rather than select it to apply to everyone, you can select specific employees. However, once they set up 2FA, even if you deselect them, they'll still need to use the 2FA method they set up.

Your employees need their phones to access the 6-digit code to log in. That could be an authenticator app installed on their phone, or to receive a code by text or call.

If they don't have access to this phone, they can log in using the recovery key they're asked to note down and keep safe when they first set up their 2FA.

If they use a Customer Sage account to log in, they may have a backup email or phone number, to generate a recovery key or reset 2FA.

If they've lost this recovery key and have no access at all to any backup method, they need their 2FA reset.

If an employee needs to set up 2FA on their new phone, they need their 2FA reset. They can then set up 2FA again the next time they log in to Sage HR.

Get them to check their signal and to wait at least 10 minutes. If they still don't get a text they can log in using the recovery key they're asked to note down and keep safe when they first set up their 2FA. They can also get a code using their backup method, for example an alternative email address or phone number.

If they've lost this recovery key, then reset their 2FA so they can set it up again.

You may not have 2FA enabled for an employee, but the employee may use the same email address to access another company that uses Sage HR or Sage Employee Online Services. If that company has 2FA enabled, they're required to use it to access any company for which the employee uses the same email address for.

It's also possible, if they're using a Customer Sage account, that they use the Sage account for another Sage product, for example, Sage Accounting. Therefore, their requirement to use 2FA is separate from your Sage HR company's settings.