Two-factor authentication (2FA) for accounts integrated with Xero
Signing in with two-factor authentication is required for all Harvest accounts that integrate with Xero, because of Xero’s security requirements.
This feature is currently available only to Harvest accounts using the Xero integration. The option to require 2FA in your account will only be visible once you start the Xero connection process, or if your account is already connected to Xero.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process that requires two different authentication factors to sign in to an account. 2FA better protects both a person's credentials and the resources they can access. In this case, in addition to your password or Google Sign-In, you’ll need to use a code (either from an authenticator app or sent to your email) to sign in to Harvest, wherever you use it—including the web app, mobile apps, and desktop apps.
This article focuses on enabling, disabling, and troubleshooting two-factor authentication. We also have a 2FA FAQs article that might help answer other questions around 2FA.
Enabling two-factor authentication
Requiring two-factor authentication for everyone in your account
Only Administrators can set a Harvest account to require 2FA.
If your account is already connected to Xero, the option to turn on the 2FA requirement is already available in Settings. If you’re setting up a new Xero connection, you won’t be able to require 2FA ahead of time; instead, you’ll be directed to do that during the Xero connection process.
Enabling 2FA in a Harvest account already connected to Xero
- Go to Settings.
- Under Preferences, click Edit preferences.
- In the Sign in security section, check the box next to Require two-factor authentication (2FA) for this account.
- When you save this setting, everyone will be immediately signed out and prompted to enable 2FA before they can access their account again.
- Click Save preferences.
Connecting to Xero for the first time and enabling 2FA
- In Harvest, go to your Settings.
- Scroll down to Integrations and click Xero.
- You won’t see this option if your Invoices module isn’t enabled.
- Xero requires your Harvest account to have two-factor authentication (an additional security measure) enabled before it will let you connect. You will set this up in the next step. You can find more information in our article on two-factor authentication.
- On the Edit preferences page you’re taken to, check the box for Require two-factor authentication… in the Sign in security section, then click Save preferences.
- You’ll then be taken to the Security section of your Harvest ID. Before moving on to the next step, set up two-factor authentication for your individual profile here. Everyone else in your company’s account will also need to set this up for themselves the next time they access the account. You can find more details in our article on two-factor authentication.
- Once you’ve signed back in to your account, you’ll be brought back to Settings in Harvest.
- In Settings, scroll down to Integrations and click the link to connect to Xero once more. You’ll be taken to Xero.
- Once signed in to Xero, select which organization Harvest should copy invoices to and click Allow access. You’ll be redirected back to Harvest.
- In Harvest, select your default revenue and payment accounts for Xero (if you opt in to copy invoice payments from Harvest to Xero), as well as your tracking category setting.
- Click Save.
Setting up two-factor authentication for your profile
You can only set up 2FA for your own profile once the requirement has been enabled for the whole Harvest account, as described in the previous section.
Regardless of permissions, everyone in an account where 2FA is required will be signed out and must complete the 2FA setup for their own profile before they can continue using Harvest (and any connected Forecast account).
If you’re the Administrator setting up a new Xero connection, you must complete your own 2FA setup during the Xero connection process, before continuing. Everyone else in the account can click the link in the email they’ll receive or go directly to https://id.getharvest.com/security.
- In the Two-factor authentication section, click the green Set up two-factor authentication button.
- Scan the image with your preferred authenticator app, or request a code via email.
- Once you’ve received the code (in your authenticator app or email), enter that code in the designated field.
- After you’ve entered your code, click Complete set up.
- You’ll see a confirmation message at the top of Harvest ID letting you know two-factor authentication has been enabled. You’ll now be able to access your account again.
Disabling two-factor authentication
Disabling the two-factor authentication requirement for everyone in your account
Only Administrators can remove the 2FA requirement, and they can only do so if the account is no longer connected to Xero. All Administrators on the account will receive an email notifying them that the requirement has been disabled.
- Disconnect from Xero.
- Go to your Settings.
- Under Preferences, click Edit preferences.
- In the Sign in security section, uncheck the box next to Require two-factor authentication (2FA) for this account.
- Click Save preferences.
This will turn off the requirement for 2FA, but individuals who want to disable sign-in with 2FA for their own profile will need to do that manually following the steps below.
Turning off two-factor authentication for your profile
- Head to Harvest ID (https://id.getharvest.com).
- Select Security in the top menu.
- In the Two-factor authentication section, click the red Disable button.
- On the next screen, enter your Harvest ID password and click Confirm password.
- You’ll see a confirmation message at the top of Harvest ID letting you know two-factor authentication has been disabled.
- We recommend then deleting Harvest from your authenticator app, as you’ll need to scan a new image if you enable 2FA again later on.
If you’ve forgotten your password, you can reset it with the steps in our article on changing your password.
If you set up your 2FA to use an authenticator app and have lost access to that authenticator app, you can choose to send a code to your email instead. You can then continue using email codes whenever you sign in, or you can set up a new authenticator app. To add a new authenticator app, go to the Security section of https://id.getharvest.com, click the green Review two-factor authentication button, and scan the image with your app.
If you set up your 2FA to use email codes only and have lost access to the email address you use to sign in to Harvest, please reach out to us at firstname.lastname@example.org.
If you can’t sign in to the Mac or Windows desktop app, you’ll need to first update to the latest version of the app, which has 2FA capability.