Skip to main content
2FA - Frequently Asked Questions

Common questions and queries regarding two-factor authentication (2FA) for Sage HR.

Oliver Cook avatar
Written by Oliver Cook
Updated over a week ago

What is 2FA?

Two-Factor Authentication (2FA), also known as Multi-Factor authentication (MFA), is an extra layer of protection you can use to ensure the security of your employees' Sage HR accounts beyond just their email address and password.


Do I have to use it?

There isn't a legal requirement to use 2FA, but many businesses consider it best practice to use, especially if it is to access important and confidential information.


How do I set it up?

As an admin user, you can set up 2FA for your own Sage account via account.sso.sage.com.

However, if you want your employees to also use 2FA to log into your Sage HR company you can enable 2FA from within your security settings in Sage HR. This will prompt your employees to set up 2FA the next time they log into Sage HR.


Why do I not have 2FA as an option?

Currently, 2FA is only possible for users with a Sage account login. If you have a Sage HR company that doesn't have Sage account logins enabled, 2FA is currently not available.


What do employees do after I enable 2FA?

After you enable 2FA, any employee who is required to use 2FA is prompted to set up their 2FA the next time they log in to Sage HR.


Can I turn 2FA off?

You can remove 2FA from individual employees, or you can disable any 2FA requirement for your company altogether.

However, if the employee uses their Sage account login for other Sage products, such as Sage Accounting, they may still have to use 2FA, regardless of your company's own 2FA settings.

📎NOTE: If an employee uses the same email address for another employer who also uses Sage Online Services. if they enable 2FA for the employee after you turn it off, the employee will be required to use it for your company too.


Can I choose to use it for specific employees?

Yes, rather than select it to apply to everyone, you can select specific employees.


Can I make 2FA a requirement for every new employee?

Yes, but only if you have set 2FA to apply to all employees in your company. If you don't, after you add a new employee you must manually enable 2FA for them.


What do I do if an employee doesn't have access to their phone?

Your employees need their phone to receive the one-time passcode to log in, whether that is using an authenticator app installed on their phone, or to receive a code by text or call.

If they don't have access to this phone, they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA. they can also get a code using their recovery method, for example an alternative email address or phone number.

If they've lost this recovery code and have no access at all to any recovery method you can reset their 2FA so they can set it up again. Alternatively, you can remove 2FA just for them.

If you're unable to reset it for the employee, contact Sage support on behalf of the employee. Sage support can look into whether they can reset it for you.


What if an employee has a new phone?

If an employee needs to set up 2FA on their new phone, if you integrate with Sage 50 Payroll, you can reset their 2FA. They can then set up 2FA again the next time they log in to Sage HR.

If you don't integrate with Sage 50 Payroll, the employee can remove their device for 2FA via account.sso.sage.com. They can then set it up for a new device.


What can I do if an employee doesn't get their 2FA text?

Get them to check their signal and to wait at least 10 minutes. If they still don't get a text they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA. They can also get a code using their recovery method, for example an alternative email address or phone number.

If they've lost this recovery code, then you can reset their 2FA so they can set it up again. Alternatively, you can remove 2FA just for them.

If they've lost this recovery code and have no access at all to any recovery method. if you integrate with Sage 50 Payroll you can reset their 2FA so they can set it up again. Alternatively, you can remove 2FA just for them.

If you don't integrate with Sage 50 Payroll, the employee can remove their device for 2FA via account.sso.sage.com. They can then set it up for a new device or same device.


Why is an employee asked to use 2FA when we don't have it enabled?

You may not have 2FA enabled for an employee, but the employee may use the same email address to access another company on Sage Online Services. If that company has 2FA enabled, they're required to use it to access any company on Online Services until one of their companies removes it.

It is also possible they use that Sage account for another Sage product, for example Sage Accounting. Therefore their requirement to use 2FA is separate from your Sage HR company's settings.

📌TIP: If you don't want an employee's 2FA being affected by another company you must request the employee provide you with a different email address for your company and you can change their email address.


We have 2FA enabled, but an employee is no longer asked for 2FA when they log in

It is possible that the employee uses the same email address to access another company on Sage HR or Sage Employee Online Services. That company may have disabled 2FA for the employee. You simply enable it again for the employee.

📌TIP: If you don't want an employee's 2FA being affected by another company you must request the employee provide you with a different email address for your company and you can change their email address.

Did this answer your question?