Set up 2-step verification

2-step verification adds a layer of security to Sage Intacct accounts. When a user logs in, an additional verification step is required. They will receive a one-time code via their preferred method: an authenticator app, text message, or phone call. They enter this code to complete the login process.

Before you begin

Tell users:

• You're setting up 2-step verification (so they are not be surprised the next time they log in).
• If they enter an incorrect verification code, it counts as a failed login. If they enter an incorrect code several times, they are locked out of Intacct.

If a user is locked out, they can reset their own password.

Set up 2-step verification for your company (for admins)

The next time a user attempts to log in, Intacct will walk them through the 2-step verification setup. If they routinely log in from a computer that only they use, they can identify it as a trusted device and skip verification in the future. These users will only need to enter a verification code if they forgot their password, clear their browser cache, or when an admin requires them to change their password.

Users will receive an email notification when 2-step verification has been enabled for their account.

1. Go to Company > Setup > Configuration > Company.
2. On the Company information page, select Edit.
3. Select the Security tab.
Steps 4 and 5 below are only available in non-production companies, such as demo companies.
4. In the Password section, select the Enable 2-step verification checkbox.
5. Choose who must enter a verification code when logging in:
   • Selected users
   • All users
6. For tightest security, select Do not allow trusted devices to require users to enter a verification code via an authenticator app each time they log in. Users cannot identify trusted devices to skip verification. This verification cannot be skipped in the future by identifying trusted devices.
   You can adjust this setting on a user-by-user basis. On the User Information page (Company > Admin >Users), for trusted devices select to either Allow trusted devices or Do not allow devices for a selected user.
   What's a trusted device?

   Trusted devices are devices like a laptop or mobile phone where you can save your login information to log in automatically without needing to enter your username, password, or a verification code.

7. Select Save.
   After you select Save on this page, a pop-up appears to reset users' passwords. Select Yes to send users an email with a temporary password and a link to a page where they can create a new password. Select No for users to request a new password on their own the next time they go to log in.

Track text and voice message verifications

Admins can view login attempts and text and voice messages sent to users in the Access log.

1. Go to Company > Admin > History and reports > User access reports.
2. Select filters.
3. Select View.

First-time logging in with 2-step verification

After you turn on 2-step verification, the affected users will automatically go through the setup process the next time they log in.

1. On the login page, the user enters their information and selects Log in.
2. The user will go through the setup flow where they will choose a primary method of receiving a verification code (by authenticator app, text, or phone call).
   About the methods

   Method	Description
   Authenticator app for mobile	An authenticator application produces a verification code needed for each login. As a one-time setup, users establish a connection to Intacct by using their device to scan the QR code on the page. The app will produce a code which they'll enter in the Code field. The authenticator app provides the most secure method of receiving a verification code. For every other login, when the user is prompted to enter a code, they can open their authenticator app and enter the code it provides. Intacct specifically supports the following authenticator apps: iPhone: Google Authenticator (Apple App Store) Android: Google Authenticator (Google Play Store) Blackberry: Google Authenticator (m.google.com/authenticator) Windows: Microsoft Authenticator (Windows Phone Store)
   Text	We text verification codes to your mobile.
   Phone call	We send verification codes in an automated phone call to your mobile.

   No charges will be passed on by Intacct for initiating calls or text messages related to 2-step verification. If you are charged for incoming calls or texts, consider selecting the authenticator app as your primary contact method.
3. After the user selects their method, a code is sent. The user enters the code and selects Verify.
4. Optionally, the user can then set up a backup method in case that they lose access to their primary. Or, they can select Skip to login.
5. The user logs in as usual.

After the initial setup, the user can edit a primary method, and add or remove a backup on My preferences. Select your login name at the top of any page and select My preferences.

The admin can also manage the user's primary method and backup (and any trusted devices) from the User preferences page. Go to Company > Admin > Users, roles, and groups > Users, and then select Preferences for the user.

Enable SSO and 2-step verification

You can set up both SSO and 2-step verification for your company for extra security. If your company is already enabled for SSO, users who access Intacct via their SSO identity provider will bypass 2-step verification. However, if a user is not configured for SSO and is logging in directly to Intacct, they will be forced to use 2-step verification.

Enabling both features gives you an extra layer of protection for your account. For example, if your SSO system was temporarily unavailable, your Intacct admin might need to log in to Intacct, and to prove their identity, would go through 2-step verification.