Enabling two-factor authentication (2FA) in Harvest
Harvest supports single sign-on (SSO) through Google and two-factor authentication (2FA). This article covers how to enable 2FA. For information about SSO and Google sign-in options, see our article on signing in with Google.
Two-factor authentication is available for all Harvest accounts and is required for Harvest accounts using the Xero integration, due to Xero's security requirements.
Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process that requires two different authentication factors to sign in to an account. 2FA better protects both a person's credentials and the resources they can access. In this case, in addition to your password or Google sign-in, you’ll need to use a code (either from an authenticator app or sent to your email) to sign in to Harvest, wherever you use it—including the web app, mobile apps, and desktop apps.
This article focuses on enabling, disabling, and troubleshooting two-factor authentication. We also have a 2FA FAQs article that might help answer other questions around 2FA.
Enabling two-factor authentication
When the option to require 2FA is enabled, everyone who's currently signed in (including you) will be signed out and brought to Harvest ID to enable 2FA. Anyone who's not signed in will be prompted to set it up the next time they sign in.
Everyone on the account will receive an email that 2FA is now required for the account as soon as the setting is saved, but please note that your team might be affected before they have a chance to read that email. We recommend communicating some of these details to your team before enabling the setting.
Requiring two-factor authentication for everyone in your account
Only Administrators can set a Harvest account to require 2FA.
Once 2FA is required, everyone in the account will be signed out and must complete 2FA setup for their own profile before they can continue using Harvest (and any connected Forecast account).
Enable two-factor authentication in your Harvest account
- In Harvest, go to your Settings.
- Click Sign in security in the left sidebar.
- Check the box for Require two-factor authentication for this account.
- Click Save settings.
You’ll then be taken to the Security section of your Harvest ID where you'll set up two-factor authentication for your individual profile. Everyone else in your company’s account will also need to set this up for themselves the next time they access the account.
Once you’ve signed back in to your account, you’ll be brought back to Settings in Harvest.
Setting up two-factor authentication for your profile
You can only set up 2FA for your own profile once the requirement has been enabled for the whole Harvest account, as described in the previous section.
Regardless of permissions, everyone in an account where 2FA is required will be signed out and must complete the 2FA setup for their own profile before they can continue using Harvest (and any connected Forecast account).
If you’re the Administrator setting up a new Xero connection, you must complete your own 2FA setup during the Xero connection process, before continuing. Everyone else in the account can click the link in the email they’ll receive or go directly to https://id.getharvest.com/security.
- Sign in to Harvest at https://id.getharvest.com.
- Scan the QR image with your preferred authenticator app, or request a code via email.
- Once you’ve received the code (in your authenticator app or email), enter that code in the designated field.
- After you’ve entered your code, click Complete set up.
- You’ll see a confirmation message at the top of Harvest ID letting you know two-factor authentication has been enabled. You’ll now be able to access your account again.
Disabling two-factor authentication
Disabling the two-factor authentication requirement for everyone in your account
Only Administrators can remove the 2FA requirement. All Administrators on the account will receive an email notifying them that the requirement has been disabled.
If your account is connected to Xero, you'll first need to disconnect from Xero before you can disable two-factor authentication.
- Go to your Settings.
- In the Preferences tab, click Edit preferences.
- In the Sign in security section, uncheck the box next to Require two-factor authentication (2FA) for this account.
- Click Save preferences.
This will turn off the requirement for 2FA, but individuals who want to disable sign-in with 2FA for their own profile will need to do that manually following the steps below.
Turning off two-factor authentication for your profile
You’ll only be able to turn 2FA off for yourself if an Administrator has removed the 2FA requirement for the whole account.
- Head to Harvest ID (https://id.getharvest.com).
- Select Security in the top menu.
- In the Two-factor authentication section, click the red Disable button.
- On the next screen, enter your Harvest ID password and click Confirm password.
- You’ll see a confirmation message at the top of Harvest ID letting you know two-factor authentication has been disabled.
- We recommend then deleting Harvest from your authenticator app, as you’ll need to scan a new image if you enable 2FA again later on.
Troubleshooting sign in issues with 2FA
Forgotten password
If you’ve forgotten your password, you can reset it with the steps in our article on changing your password.
Lost access to the authenticator app
If you set up your 2FA to use an authenticator app and have lost access to that authenticator app, you can choose to send a code to your email instead. You can then continue using email codes whenever you sign in, or you can set up a new authenticator app.
To add a new authenticator app, go to the Security section of https://id.getharvest.com, click the green Review two-factor authentication button, and scan the image with your app.
Lost access to your email address
If you set up your 2FA to use email codes only and have lost access to the email address you use to sign in to Harvest, please reach out to us at support@harvestapp.com.
Can't sign in to desktop apps
If you can’t sign in to the Mac or Windows desktop app, you’ll need to first update to the latest version of the app, which has 2FA capability.
Other questions
We have answers to some frequently asked questions, including how 2FA works with Google Sign-In or if you belong to multiple Harvest/Forecast accounts, in our 2FA FAQs article.