Multi-factor authentication (MFA) helps keep staff accounts secure and reduces the risk of unauthorised access. You can add a required verification method for each role so that everyone logs in safely and consistently.
Required verification methods are available for both single-site and organisation-level roles. Organisation-level roles can also assign required verification methods to roles in their individual sites.
Assigning Required Verification Methods for a Role
To assign a required verification method when creating a new staff role:
Head to your Settings
Go to Staff, then select Roles and permissions
Add a new role by giving it a title
Select the required verification methods for this role
You can choose to assign Single Sign-On (SSO) if this has been enabled on your account, and Password + Multi-factor authentication (MFA)
You can choose one or both verification methods
Check the permissions you want to give this role to customise their access
Assigning or Editing Verification Methods for Existing Staff
You can also assign or change the required verification method for a staff member's role after a role has been created.
To assign a required verification method to your roles:
Click on the Home icon in your sidebar
Go to Staff, then Manage roles and permissions and click the Roles tab
Find the role you want to add or update the required verification method for
Click anywhere on the row to add or edit a role's Required verification methods
Choose or update the verification method for this role in the Required verification methods section
Save your changes
This allows you to make sure everyone is using the appropriate verification method without needing to create a new role.
Checking Which Verification Method Staff Use
You can see which required verification method is assigned to each staff member by:
Going to the Home icon in your sidebar
Clicking Staff
From here, you can check the Active verification column to see if staff members have a verification method enabled
By clicking the Roles tab, you can check the Required login methods column to see which method each staff member uses, and you can also edit their required login method from this column by clicking anywhere on the row.
π‘ Organisation-level settings also show this information, and you can assign required verification methods to organisation members and to staff in individual sites
What Happens Once a Verification Method Is Enabled
If you have enabled SSO or MFA for a role, staff will follow a quick setup process next time they log in.
For Existing Staff
They click Continue with SSO if SSO is enabled
If MFA is required, they will be prompted to scan a QR code on their smartphone
They enter the 6-digit code shown in their authenticator app
They click Activate multi-factor authentication to confirm
Recovery codes will appear and should be printed, copied or downloaded for safekeeping. These can be used if the staff member cannot log in with MFA in the future
π‘ If SSO is enabled but staff have previously been able to log in with passwords, it will take 30 days before their accounts are no longer displayed on the login page carousels
For New Staff Creating an Account
If you add a new role with a required verification method, new staff will complete the setup when creating their account.
After clicking their invitation link, they create and confirm a password
They create a 4-digit pin
They will then see a QR code and must scan it with their smartphone
They enter the code that appears in their authenticator app and click Activate multi-factor authentication
Recovery codes will appear and should be printed, copied or downloaded so they can be used if the staff member cannot log in with MFA later