Skip to main content
2FA - Frequently Asked Questions

Common questions and queries regarding 2-factor authentication (2FA) for Sage HR.

Oliver Cook avatar
Written by Oliver Cook
Updated over a month ago

What is 2FA?

Two-Factor Authentication (2FA), also known as Multi-Factor authentication (MFA), is an extra layer of protection you can use to ensure the security of your employees' Sage HR accounts beyond just their email address and password.


Do I have to use it?

Sage is implementing 2FA across all its services and products. Once you're a required to use 2FA, it's usage will be mandatory.


How do I set it up?

As an admin user, you will be prompted to set up 2FA as you log in, if you haven't already done so via account.sso.sage.com.

If you want your employees also to use 2FA to log into your Sage HR company you can enable 2FA from within your security settings in Sage HR. This will prompt your employees to set up 2FA the next time they log into Sage HR. Once enabled, this can't be disabled.


What are the authentication options?

Users can authenticate in the following ways:

  • Authentication apps on smart devices

  • Mobile text

  • Phone call


Can users authenticate via email?

There is no email option for authentication. Email is only a recovery method for users with a customer type of Sage ID. The email address for a recovery method has to be a different email address to that of the Sage ID.

If you're set up as an admin only user, you can manage your own recovery method.


Why do I not have 2FA as an option?

Currently, 2FA is only possible for users with a Sage account login. If you have a Sage HR company that doesn't have Sage account logins enabled, 2FA is currently not available.


What do employees do after I enable 2FA?

After you enable 2FA for employees, they're prompted to set up their 2FA the next time they log in to Sage HR.


Can I choose to use it for specific employees?

Yes, rather than select it to apply to everyone, you can select specific employees. However, once you select them to need to use it, even if you deselect them and save your changes, they'll still be required to use 2FA.

📎NOTE: If no payslips have been uploaded to their Sage HR profile, they may still be required to use 2FA. This is because they're currently set up to use a 'customer Sage ID' to log in to your company.


What do I do if an employee doesn't have access to their authentication device?

Your employees need their phones to receive the one-time passcode to log in. That could be an authenticator app installed on their phone, or to receive a code by text or call.

If they don't have access to this phone, they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA.

If they don't have any payslips uploaded to their profile, they may have a recovery email or phone number, to generate a recovery code or reset 2FA.

If they've lost this recovery code and have no access at all to any recovery method you can reset their 2FA so they can set it up again. Alternatively, you can remove 2FA just for them.

If you're unable to reset it for the employee, contact Sage support on behalf of the employee. Sage support can look into whether they can reset it for you.


What if an employee has a new phone?

If an employee needs to set up 2FA on their new phone, you may be able to reset 2FA for them. They can then set up 2FA again the next time they log in to Sage HR.

If you don't integrate with Sage 50 Payroll UK or Sage Payroll UK, the employee can remove their device for 2FA via account.sso.sage.com. They can then set it up for a new device.


What can I do if an employee doesn't get their 2FA text?

Get them to check their signal and to wait at least 10 minutes. If they still don't get a text they can log in using the recovery code they're asked to note down and keep safe when they first set up their 2FA. They can also get a code using their recovery method, for example an alternative email address or phone number.

If they've lost this recovery code, then reset their 2FA so they can set it up again.


Why is an employee asked to use 2FA when we don't have it enabled?

You may not have 2FA enabled for an employee, but the employee may use the same email address to access another company on Sage Online Services. If that company has 2FA enabled, they're required to use it to access any company on Online Services.

It's also possible they use the Sage account for another Sage product, for example Sage Accounting. Therefore their requirement to use 2FA is separate from your Sage HR company's settings.


Did this answer your question?