Two-Factor Authentication (2FA), also known as Multi-Factor authentication (MFA), is an extra layer of protection you can use to ensure the security of your employees' Sage HR accounts beyond just their email address and password.

Sage is implementing 2FA across all its services and products. Once you're a required to use 2FA, it's usage will be mandatory.

As an admin user, you will be prompted to set up 2FA as you log in, if you haven't already done so via account.sso.sage.com.

If you want your employees also to use 2FA to log into your Sage HR company you can enable 2FA from within your security settings in Sage HR. This will prompt your employees to set up 2FA the next time they log into Sage HR. Once enabled, this can't be disabled.

Users can authenticate in the following ways:

There is no email option for authentication. Email is only a recovery method for users with a customer type of Sage ID. The email address for a recovery method has to be a different email address to that of the Sage ID.

If you're set up as an admin only user, you can manage your own recovery method.

Currently, 2FA is only possible for users with a Sage account login. If you have a Sage HR company that doesn't have Sage account logins enabled, 2FA is currently not available.

After you enable 2FA for employees, they're prompted to set up their 2FA the next time they log in to Sage HR.

Yes, rather than select it to apply to everyone, you can select specific employees. However, once you select them to need to use it, even if you deselect them and save your changes, they'll still be required to use 2FA.

Your employees need their phones to receive the one-time passcode to log in. That could be an authenticator app installed on their phone, or to receive a code by text or call.

If they don't have access to this phone, they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA.

If they don't have any payslips uploaded to their profile, they may have a recovery email or phone number, to generate a recovery code or reset 2FA.

If they've lost this recovery code and have no access at all to any recovery method you can reset their 2FA so they can set it up again. Alternatively, you can remove 2FA just for them.

If you're unable to reset it for the employee, contact Sage support on behalf of the employee. Sage support can look into whether they can reset it for you.

If an employee needs to set up 2FA on their new phone, you may be able to reset 2FA for them. They can then set up 2FA again the next time they log in to Sage HR.

If you don't integrate with Sage 50 Payroll UK or Sage Payroll UK, the employee can remove their device for 2FA via account.sso.sage.com. They can then set it up for a new device.

Get them to check their signal and to wait at least 10 minutes. If they still don't get a text they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA. They can also get a code using their recovery method, for example an alternative email address or phone number.

If they've lost this recovery code, then reset their 2FA so they can set it up again.

You may not have 2FA enabled for an employee, but the employee may use the same email address to access another company on Sage Online Services. If that company has 2FA enabled, they're required to use it to access any company on Online Services.

It's also possible they use the Sage account for another Sage product, for example Sage Accounting. Therefore their requirement to use 2FA is separate from your Sage HR company's settings.