Two-factor authentication FAQ

This article is for Administrators. Learn more about permissions. If you’re a Member, check out our Member resources.

Account-wide two-factor authentication is available for all Harvest accounts and is required for all Harvest accounts connected to Xero. We have answers below to some questions you might have about what this means and how it affects you and your teammates. 

You can learn more about what 2FA is and how to enable and disable it in our general 2FA article.

Why is my account required to enable 2FA?

As of December 1, 2022, any Harvest account that uses the Xero integration is required to use 2FA for signing in to Harvest. This is a new requirement from Xero and offers a higher level of account security.

What will happen when I enable 2FA?

Once two-factor authentication is enabled, every person in your Harvest account will need both a password and a generated code (sent by email or authenticator app) to sign in to Harvest. When an Administrator first enables 2FA for the whole account, everyone on the account (including that Administrator) will be signed out of Harvest. They’ll be asked to set up 2FA for their profile the next time they sign in.

Do I need to take any other actions?

If you use our iPhone or Android mobile app, or the Mac or Windows desktop app, you'll need to update to the latest version, which includes 2FA capabilities.

What if I belong to multiple Harvest/Forecast accounts, and not all of them have 2FA enabled?

If you belong to multiple accounts and at least one of those accounts requires 2FA, you’ll always need to use 2FA when signing in, regardless of which account you want to access. 

What if I see a notice about Basic Authentication?

2FA is incompatible with Basic Authentication, which means any applications or integrations using Basic Auth that are connected to your Harvest account will break when you enable 2FA. If you have any questions about Basic Auth or what this means for your integrations, please get in touch with Harvest Support.

What if I currently use Google Sign-In? 

You can use both Google Sign-In and Harvest 2FA when signing in (no need to disable Google SSO to set up 2FA), but you won’t be able to use Google Sign-In in place of Harvest 2FA if you need to connect to Xero. In other words, you'll initially sign in with Google Sign-In, then you'll be asked to enter your Harvest 2FA code.

Can I enable 2FA for myself only? 

No. 2FA will need to be enabled account-wide as a sign-in requirement. This means everyone on the account will be prompted to set up 2FA before they can access Harvest again.

What is an authenticator app, and which one should I use?

An authenticator app is an app on your phone, or a feature within some password managers, that regularly generates new verification codes that serve as the second "factor" in two-factor authentication.

We don’t have any specific recommendations, but there are several authenticator apps available, including Google Authenticator, Microsoft Authenticator, Authy, 1Password, and Duo (just to name a few). Note that you can also choose to receive authentication codes by email—you don’t need to use an authenticator app.

How long does a 2FA sign-in code last? 

Any given code is valid for 5 minutes. However, most authenticator app codes change every 30 seconds, and only the current code can be used.

What if I lose access to my authenticator app?

You can opt to send a code to your email instead; then, you’ll be able to set up a new authenticator app in Harvest ID > Security if you choose to do so. 


