Two-factor authentication FAQs
Account-wide two-factor authentication is required for all Harvest accounts connected to Xero. We have answers below to some questions you might have around what this means and how it affects you and your teammates.
You can learn more about what 2FA is and how to enable and disable it in our general 2FA article. If you have any other questions, please use the Contact Us button at the top right.
Which accounts have this feature?
For now, 2FA is only available for Harvest accounts that are currently connected to Xero or want to set up a new Xero connection.
Why does my account need to enable 2FA?
As of December 1, 2022, any Harvest account that uses the Xero integration is required to use 2FA for signing in to Harvest. This is a new requirement from Xero and offers a higher level of account security.
Why has my Xero integration been disconnected?
On December 1, 2022, if you hadn't taken this step, your Harvest account was disconnected from Xero in order to comply with their security requirement. You'll need to go to Settings in Harvest to reconnect and, as part of the process, enable 2FA.
Note that you'll need to manually copy any invoices and payments that weren't automatically copied while the integration was disconnected. To do that, click into an invoice, click the Actions dropdown, and select Copy to Xero.
What will happen when I enable 2FA?
Once two-factor authentication is enabled, every person in your Harvest account will need both a password and a generated code (sent by email or authenticator app) to sign in to Harvest. When an Administrator first enables 2FA for the whole account, everyone on the account (including that Administrator) will be signed out of Harvest. They’ll be asked to set up 2FA for their profile the next time they sign in.
Do I need to take any other actions?
If you use our iPhone or Android mobile app, or the Mac or Windows desktop app, you'll need to update to the latest version, which includes 2FA capabilities.
What if I belong to multiple Harvest/Forecast accounts, and not all of them have 2FA enabled?
If you belong to multiple accounts and at least one of those accounts requires 2FA, you’ll always need to use 2FA when signing in, regardless of which account you want to access.
What if I currently use Google Sign-In?
You can use both Google Sign-In and Harvest 2FA when signing in (no need to disable Google SSO to set up 2FA), but you won’t be able to use Google Sign-In in place of Harvest 2FA if you need to connect to Xero. In other words, you'll initially sign in with Google Sign-In, then you'll be asked to enter your Harvest 2FA code.
Can I enable 2FA for myself only?
No. 2FA will need to be enabled account-wide as a sign-in requirement. This means everyone on the account will be prompted to set up 2FA before they can access Harvest again.
What is an authenticator app, and which one should I use?
An authenticator app is an app on your phone, or a feature within some password managers, that regularly generates new verification codes that serve as the second "factor" in two-factor authentication.
We don’t have any specific recommendations, but there are several authenticator apps available, including Google Authenticator, Microsoft Authenticator, Authy, 1Password, and Duo (just to name a few). Note that you can also choose to receive authentication codes by email—you don’t need to use an authenticator app.
How long does a 2FA sign-in code last?
Any given code is valid for 5 minutes. However, most authenticator app codes will change every 30 seconds, and only the current code is valid to use.
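Why an authenticator code stops working once it rotates, shown as an added example (not Harvest's code and not part of the original article). It assumes the authenticator app follows the standard TOTP algorithm (RFC 6238) with a 30-second step and 6-digit codes, and that the server accepts only the current step; the secret is the RFC's published test key, and the function names are made up for this illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code: the rotation interval mentioned above
DIGITS = 6   # assumption: the usual authenticator-app code length

# Constructed sample secret (the RFC 6238 test key), Base32-encoded the way
# a setup QR code would carry it. Never reuse it for a real account.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the RFC 6238 code (HMAC-SHA1) for the time step containing `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(at) // step                      # which 30-second window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_current_only(secret_b32: str, submitted: str, now: float) -> bool:
    """Accept a code only if it matches the step in progress at `now`.

    Hypothetical server-side check: no grace window for earlier steps, so a
    code that has already rotated is rejected. Comparison is constant-time.
    """
    expected = totp(secret_b32, now)
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    t_old = 1111111109          # last second of one 30-second step
    t_new = t_old + 2           # two seconds later, already in the next step
    old_code = totp(DEMO_SECRET, t_old)
    print("code at t_old:", old_code)
    print("code at t_new:", totp(DEMO_SECRET, t_new))
    print("old code accepted at t_old:", verify_current_only(DEMO_SECRET, old_code, t_old))
    print("old code accepted at t_new:", verify_current_only(DEMO_SECRET, old_code, t_new))
```

The two timestamps are only two seconds apart but fall in different steps, so the first code no longer verifies at the second timestamp.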
What if I lose access to my authenticator app?
You can opt to have a code sent to your email instead; then, you’ll be able to set up a new authenticator app in Harvest ID > Security if you choose to do so.