Multi-factor authentication (MFA) provides a more secure login process and adds an extra layer of security to your user accounts. Reduce the risk of internal/external fraud, identity theft, and protect your business from attacks that may compromise your data by enabling multi-factor authentication.
Understanding multi-factor authentication (MFA)
Multi-factor authentication is available for all users to set up in their user accounts. Account Owners or Admin users can mandate MFA for all users or by role type, if desired.
Multi-factor authentication is recommended for all users but strongly recommended for Admin users (including Account Owners), as Admins have full access to view and edit all stores within the account. If an Admin user becomes compromised, all account data can be accessed and altered. MFA helps keep your account more secure.
Using multi-factor authentication
When enabled, multi-factor authentication will:
- Require the user to input their existing password when logging in or switching users. Entering a password triggers a password check and, if the password has been compromised, the user is notified and prompted to change it.
- Require the user to input a six-digit authentication code generated by an authorized third-party authentication app.
- Inform users of changes to their password, email address, and MFA setup via email notifications sent to the email address associated with their user account (or the Account Owner if an email address has not been added to the account).
As of April 30th, 2021, it is mandatory for all Australia-based Retail POS retailers integrated with Xero to use multi-factor authentication for Admin users to comply with Xero's global security standards.
Setting up multi-factor authentication
To set up multi-factor authentication for a Retail POS account:
- Log in to Retail POS using the account you'll be setting up MFA on.
If you're using the MFA setup wizard on the login page, skip to step 5.
- If you're already logged in to Retail POS, navigate to Setup > Users.
- In the User column, click your username.
- Scroll down to Security and ID > Multi-factor authentication and click Set up multi-factor authentication.
- Click Get started.
- Enter your password and click Next.
- On your phone, download an authentication app like Google Authenticator or Microsoft Authenticator and follow the steps to get set up. In most apps, you'll need to click on the + icon in the top corner > Scan QR code.
- In the authentication app, scan the QR code or enter the text code found in Retail POS.
- In Retail POS, click Next.
- Enter the authentication code displayed in the app, then click Confirm.
- Print, Copy, or Download your recovery codes and keep them somewhere safe and secure.
Recovery codes are used to access your account if you can’t access your authentication app or code.
- You will receive an email confirming you've enabled multi-factor authentication on your account. Admin users will need to click the Verify email address button in the email. If there is no email address associated with the account, the notification will be sent to the Account Owner.
- In Retail POS, click Done to finalize setup.
Multi-factor authentication will now show as active on the User page with options to Reset or Remove multi-factor authentication if needed.
Mandating multi-factor authentication for users
In Security settings, Account Owners and Admin users can mandate multi-factor authentication for all users or by role type. Account Owners will receive email notifications for any changes made to the authentication settings.
Affected users who have not already set up multi-factor authentication must go through the setup steps on the next login attempt to access Retail POS. Users who are required to use MFA will need an authenticator app on their devices.
- Log in to Retail POS as an Account Owner or Admin user and navigate to Setup > Security.
- To mandate MFA for all users, change the default Authentication method setting by clicking the Username and password with multi-factor authentication option.
- To mandate MFA by role type, scroll down to Role specific settings and click the Authentication method dropdown for the role you want to update > Username and password with multi-factor authentication.
- Click Save changes.
Next time users log in, they'll be required to set up multi-factor authentication and will not be able to continue until it is completed. Users will need a supported authenticator app on their devices to set up multi-factor authentication, following the prompts provided.
Logging in with multi-factor authentication
You will be prompted to enter your username, password, and authentication code when logging in to the sign in page or when switching users.
- On the sign in page, enter your Store URL and click Next.
- Enter your Username and Password, then click Sign in.
- Your password will be checked and if it's been compromised, you'll be notified and prompted to change your password immediately or temporarily ignore the notification.
- Open the authentication app on your phone to generate an authentication code.
- In Retail POS, enter the authentication code generated by the app.
You can choose to have Retail POS Remember me on this device for 30 days. If this box is checked, you'll still need to enter your username and password when logging in. After the 30-day period, you'll need to enter an authentication code again. This option is not available on Lightspeed apps for mobile/tablet.
- Click Sign in.
If you have lost or changed your device or can no longer access the authentication app registered to your Retail POS account, you'll need to complete an account recovery using the steps below.
Recovering accounts with multi-factor authentication
You can recover an account with multi-factor authentication enabled using the recovery codes you saved during the setup process. There are 12 codes in total and each can be used once. When a code is used, it will no longer be valid and you'll need to use another code from the list next time.
To recover an account using a recovery code:
- On the sign in page, enter your Store URL and click Next.
- Enter your Username and Password, then click Sign in.
- In the authentication modal, click I can't access my authenticator app.
- Copy an unused recovery code from your previously saved list and enter it in the Recovery code field.
- Click Sign in.
- Follow the steps in the section below to reset multi-factor authentication on your account.
If you've lost access to your recovery codes, you'll need to contact an Admin or Account Owner to reset or remove multi-factor authentication from your account. They will need to log in to their account and follow the steps in the sections below.
If you've lost access to your recovery codes and you're an Account Owner, you'll need to contact Retail Support using the registered Account Owner email address. We can only proceed with account recovery requests approved using the Account Owner account registered email address.
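The recovery-code behaviour described above (a fixed list of 12 codes, each valid exactly once, invalid after use) is easy to get wrong on the server side. The following Python script is an added example, not Lightspeed's implementation: it assumes codes are stored only as salted hashes, compared in constant time, and marked used on redemption. The code format (two groups of five hex characters) and the 12-code count are choices made here to match the article; the names `RecoveryCodeStore`, `issue`, `redeem` and `remaining` are hypothetical.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 12   # the article states 12 recovery codes are issued
CODE_BYTES = 5    # 40 bits of entropy per code -> 10 hex characters


def _normalize(code: str) -> str:
    """Accept codes as the user types them: ignore case, hyphens and spaces."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash(salt: bytes, code: str) -> bytes:
    """Salted SHA-256 of the normalized code; plaintext codes are never stored."""
    return hashlib.sha256(salt + _normalize(code).encode()).digest()


class RecoveryCodeStore:
    """Hypothetical server-side store for one user's single-use recovery codes."""

    def __init__(self) -> None:
        self._salt = b""
        self._entries: list[list] = []  # each entry is [hash, used_flag]

    def issue(self) -> list[str]:
        """Replace any existing codes with a fresh set and return the plaintext
        once (the only time the user can print, copy or download them)."""
        self._salt = secrets.token_bytes(16)
        self._entries = []
        plaintext: list[str] = []
        while len(plaintext) < CODE_COUNT:
            raw = secrets.token_hex(CODE_BYTES)
            code = f"{raw[:5]}-{raw[5:]}"
            if code in plaintext:           # astronomically unlikely, but cheap to rule out
                continue
            plaintext.append(code)
            self._entries.append([_hash(self._salt, code), False])
        return plaintext

    def remaining(self) -> int:
        """How many codes are still unused (a user at 0 must reset MFA to get new ones)."""
        return sum(1 for _, used in self._entries if not used)

    def redeem(self, candidate: str) -> bool:
        """Consume one unused code. Returns False for unknown or already-used codes."""
        digest = _hash(self._salt, candidate)
        match_index = None
        # Scan every entry rather than returning early, so response time does not
        # reveal which position (if any) matched.
        for i, (stored, used) in enumerate(self._entries):
            if hmac.compare_digest(stored, digest) and not used:
                match_index = i
        if match_index is None:
            return False
        self._entries[match_index][1] = True   # a code works exactly once
        return True


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue()
    print("issued", len(codes), "codes, e.g.", codes[0])
    print("first use:", store.redeem(codes[0]))    # True
    print("second use:", store.redeem(codes[0]))   # False, already consumed
    print("remaining:", store.remaining())         # 11
```

Because `issue()` discards the old hashes and salt, a reset (as described in the next section) invalidates every previously printed code at once, which is the behaviour a user should expect after recovering an account on a lost device.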
Resetting multi-factor authentication
To reset multi-factor authentication after recovering an account:
- Navigate to Setup > Users and click the user.
- Scroll down to Security and ID > Multi-factor authentication.
- Click Reset multi-factor authentication setup.
- Click Get started.
- Enter your password and click Next.
- From your authentication app, scan the QR code or enter the text code found in Retail POS. Your authentication app may show a warning and ask if you would like to Continue. This will reset the connection and generate a new code.
- In Retail POS, click Next.
- Enter the new authentication code displayed in the app, then click Confirm.
- Save the new recovery codes and keep them somewhere safe and secure.
- You will receive an email confirming the changes made to multi-factor authentication on your account. If there is no email address associated with the account, the notification will be sent to the Account Owner.
Removing multi-factor authentication
To remove multi-factor authentication from an account:
- Navigate to Setup > Users and click the user.
- Scroll down to Security and ID > Multi-factor authentication.
- Click Remove multi-factor authentication.
- In the You are about to remove multi-factor authentication modal, click Next.
- Enter your password, then click Remove multi-factor authentication.
- The user will receive an email confirming the changes made to multi-factor authentication on their account. If there is no email address associated with the account, the notification will be sent to the Account Owner.
Multi-factor authentication can be set up again by following the steps for Setting up multi-factor authentication above.
MFA troubleshooting and FAQ
- Error: Invalid authentication code entered. Please try again.
If the code entered during the Enter your authentication code step is not being recognized by Retail POS, try these troubleshooting steps:
Generate a new code
On the authentication app, wait until the authentication code has timed out and a new code is generated.
You may need to quit and reopen your authentication app.
When ready, input the new code during the Enter your authentication code step.
Correct the timing sync
If generating a new code is unsuccessful, the clock your authentication app uses may be out of sync with Retail POS.
First, navigate to your Date and time settings on your phone and set to Automatic or Network. Then, if you're using Google Authenticator, go to the main menu and click Settings > Time correction for codes > Sync now.
The sync will only affect the internal time of your authentication app, not your device’s Date and time settings.
Reset multi-factor authentication
If the multi-factor authentication on your account has recently been reset, you'll have to set up MFA on your account again by completing the steps in the section Resetting multi-factor authentication above. Afterwards, quit and reopen your authentication app to generate a new code.
If you're having trouble accessing your account, you may need to follow the steps in Recovering accounts and Resetting multi-factor authentication sections above.
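The "timing sync" advice works because the six-digit code is a time-based one-time password: the app and the server each derive the code from the shared secret (the QR or text code you scanned) and the current 30-second time window, so a phone clock that is off by more than a window produces a code the server rejects. The script below is an added example, not Lightspeed's code; it assumes the app follows the standard TOTP algorithm (RFC 6238 with SHA-1, a 30-second step and six digits, as Google Authenticator does) and uses the RFC's published test secret. The `simulate_drift` helper and the ±1-step verification window are choices made here for illustration, not Retail POS settings.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # the article's "six-digit authentication code"

# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"), a published constant
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, unix_time // step)


def secret_from_text_code(text_code: str) -> bytes:
    """Decode the base32 'text code' shown beside the QR code, tolerating the
    spaces, lower case and missing padding users tend to type."""
    clean = text_code.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def verify_totp(key: bytes, code: str, server_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side,
    which absorbs small clock drift without accepting arbitrarily old codes."""
    counter = server_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(key, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def simulate_drift(key: bytes, server_time: int, phone_skew_seconds: int,
                   window: int = 1) -> tuple[str, bool]:
    """What the phone would display if its clock were off by `phone_skew_seconds`,
    and whether the server would accept that code."""
    phone_code = totp(key, server_time + phone_skew_seconds)
    return phone_code, verify_totp(key, phone_code, server_time, window)


if __name__ == "__main__":
    now = 1111111109  # fixed instant from the RFC test vectors, so output is reproducible
    print("server code :", totp(RFC_TEST_SECRET, now))
    for skew in (0, 2, 90, 3600):
        code, ok = simulate_drift(RFC_TEST_SECRET, now, skew)
        print(f"phone skew {skew:>5}s -> code {code}, accepted={ok}")
```

Running it shows a 2-second skew still verifies (it falls in the neighbouring step, inside the window) while a 90-second or one-hour skew does not; the latter is exactly the symptom that setting the phone to automatic time and using "Time correction for codes" fixes. A production verifier would additionally remember the last accepted counter so the same code cannot be reused within its window.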
- Error: Unable to change users or Looks like we're having some server issues
For users who haven't logged in since multi-factor authentication was released, an old version of the Retail POS login page saved in the browser's cache may be causing connection issues.
To fix this, navigate to your browser's cache settings and clear the cache. If you're using Google Chrome:
- In Chrome, click the 3 dots at the top right > Clear browsing data.
- Select a Time Range from the dropdown and check Cookies and other site data and Cached images and files.
- Click Clear data.
Once the cache has been cleared, navigate back to the sign in page and log in as per usual.
- Admins can enable multi-factor authentication mandates for other users without having MFA set up on their own accounts. Admins can set up role-specific MFA mandates according to business needs.
- If an Account Owner or Admin has mandated multi-factor authentication as the default authentication method or set role specific settings, affected users will be required to set up MFA for their account the next time they log in. They will not be able to access Retail POS until set up is complete.
Users must have an authenticator app on their device to log in using multi-factor authentication.
- To use multi-factor authentication to log in to Retail POS, you'll need to have an authenticator app set up on your personal device. The app will give you a unique code to enter in Retail POS. Optionally, you can choose Remember me on this device for 30 days. After the 30-day period, you'll need to enter a new authentication code.