To keep your WorkflowMax account secure (and comply with Xero's API requirements), Multi-Factor Authentication (MFA) will be mandatory from 15 May 2025 for all WorkflowMax users.

What is multi-factor authentication (MFA)?

Multi-factor authentication (MFA) is an additional way of checking that it’s really you when you log in. It’s made up of two parts:

Something you know:

These are your login details: your email address and password. If someone gets hold of your password, they could access your account without you knowing. MFA helps stop that from happening by adding a second layer.

Something you have:

A code from your authenticator — this could be on your phone, browser, or computer. This second layer of security keeps your account safe, even if someone else knows your password.

 


How does MFA work?


What is MFA, and why does it matter?

MFA is an extra layer of security for your account. Along with your password, you’ll enter a one-time code from an authentication app on your phone.

This makes it much harder for anyone else to access your account, reducing the risk of fraud and cyber threats by 99.9%.

Many governments worldwide recommend MFA for protecting financial and business data, and Xero now requires it for any third-party application integrated with its API.


What is changing to your WorkflowMax account?

From the 15th May 2025 onward, Multi-Factor Authentication (MFA) will be required for all WorkflowMax accounts that are integrated with Xero.

To prepare for this, between 20 April and 15 May 2025 we will gradually activate MFA on accounts that have not already enabled it manually. This applies to all WorkflowMax accounts that are connected to Xero. Once MFA is activated, users will need to enter a one-time code from an authenticator app along with their password to sign in.

To avoid login issues, we recommend setting up MFA early and informing your team in advance.

Did you know?

Enabling multi-factor authentication (MFA) is one of the simplest and most effective ways to protect your account.

  • 80% of data breaches could be prevented by using MFA. (Source: DBIR, 2020)
  • 67% of breaches are caused by stolen or weak passwords. (Source: 2020 Verizon Data Breach Investigations Report.)
  • MFA blocks over 99% of these attacks by adding a second layer of security.
  • It’s the easiest step you can take to safeguard your WorkflowMax account, and it will now be mandatory.

 

Types of authenticator applications

You'll need to use an authenticator app that generates a time-based one-time passcode.


Mobile app

Using an app on your phone is the easiest and most popular way to get your MFA code.

We recommend Google Authenticator, Microsoft Authenticator or Twilio Authy — all are free and work well with WorkflowMax. You can find them in the Apple App Store or Google Play Store. If you already use an authenticator app (except Xero Verify), you can use it here too.

 

No smartphone or tablet?

If you don’t have a smartphone or tablet, you can use a desktop application, such as WinAuth, or a browser extension, such as LastPass or 1Password.

Note: Xero Verify is not compatible with WorkflowMax.

 


How to set up MFA in WorkflowMax

To ensure a smooth transition, we have developed a comprehensive rollout plan for your organisation below.

Step 1. Download an authenticator app (Google Authenticator or similar)
If you don’t have an authenticator app that you’re using already, download one from the Apple or Google App Stores. If you already use an authenticator app (except Xero Verify), you can use it here too.

Apple App Store

Google Play App Store

 


Step 1: Inform your team

Let your team know that MFA will be required to access WorkflowMax and explain:

  1. Why MFA is important – It adds an extra layer of security and protects accounts from unauthorised access.
  2. How it will change the login process – Users will need to enter a one-time code from an authenticator app in addition to their password.
  3. What they need to do – Set up MFA (step 3).
    💡 Use our pre-written email template to notify your team. Email template.

Step 2: Enforce MFA for users in your account

We recommend setting up MFA early to give your team time to adjust and troubleshoot any issues before the final deadline. Account holders can enable this by following these steps:

  1. Go to Organisation Settings in your WorkflowMax account.
  2. Under 'Enforce MFA for All Users', select 'Enabled'.
  3. Communicate to your team that MFA will be turned on for all users ideally before 20 April 2025, allowing time for support if needed.

Step 3: Ensure your team sets up their MFA to log in

Once MFA is enabled, any users who haven’t set it up will be prompted to do so the next time they log in.

Here’s what they’ll need to do:

  • Download an authenticator app on your smartphone (such as Google Authenticator or Microsoft Authenticator).
  • Open the app and scan the QR code provided in WorkflowMax.
  • Enter a randomly generated six-digit code.
  • Configure backup security questions for recovery.

Skip Option: Users can skip the prompt twice before they’ll need to complete their MFA setup. *This feature will be available in early April 2025.*

Direct them to our resources for guidance:


Step 2: Sync the app with WorkflowMax
Next, go to your WorkflowMax profile settings, scan the QR code with your app and follow the prompts. For full instructions, take a look at the link below (or watch the videos listed below).

Steps for setting up multi-factor authentication

 

Step 3: Logging in to WorkflowMax
Enter your email and password as usual, then open the app, get the latest code and enter it to complete your login.

Login to WorkflowMax now

 

 


Step-by-step guides and videos

Watch our quick 1-minute how-to video.   
Follow our step-by-step guide: help article.
Take our course for a full walkthrough.              

MOBILE APPS AND MFA FREQUENCY

MFA for Mobile Application Users:

Users of the Mobile Application (iOS/Android) will also be required to enable and set up MFA on their account.

These users can enable it by signing into the WorkflowMax Web Application:

https://app.workflowmax2.com

MFA Frequency:

When enabled, users will need to enter their MFA code every 16 hours by default. The web app also provides the option to "Remember Me" to reduce this frequency to every 7 days - we recommend only selecting this if you are using a trusted device.

FAQ

Below are answers to the most common MFA issues, with simple steps to get things sorted quickly.

Can we share a login between team members?

No — every user needs their own login. MFA is tied to a specific account and device, so sharing a login just won’t work (and it’s not secure!).

Do we have to use MFA, or can we turn it off?

MFA is mandatory for all WorkflowMax users who are connected with Xero from 15 May. If this isn’t enabled, your Xero connection will be turned off. MFA will become compulsory for all users at a later date. We’ll be announcing these dates in due course. After that, you won’t be able to log in without it.

I don’t have a smartphone — can I still use MFA?

No problem! You can use a tablet instead of a smartphone, a browser extension like 1Password, or a desktop app like WinAuth. Head to the “Types of authenticator apps” section in this course to see what might suit you best.

I can’t install software — can I still set up MFA?

That’s okay — you don’t need to install anything if you use a browser-based authenticator or already have a password manager with built-in MFA (like 1Password or Bitwarden). Just check if it includes an authenticator option.

I got a new phone or can’t access my authenticator — what do I do?

If you still have access to your backup questions, you can use them to log in. This will give you temporary access to your account.

Once you're in, click your initials in the top right corner and select Profile. You’ll see an option to change your MFA device — click this and follow the steps to set it up again on your new phone or authenticator.

Why is my app asking for a QR code again?

This can happen if your app data was cleared, or if you deleted and reinstalled the app.

If you can, log in using your backup questions to get temporary access.

Once you're logged in, click your initials in the top right corner and go to Profile. You'll see an option to change your MFA device — click that to restart the setup and scan the QR code again.


 

A staff member left — how can we reset their MFA?

Your Account Holder will be able to reset the MFA setup for this login.

If your account holder isn’t available, contact our support team and we can help the new staff member reset the MFA settings on the account.

What if I forget my backup questions?

Your Account Holder will be able to reset the MFA setup for your login.

If you are the account holder or they aren’t available, contact our support team and we can help you reset the MFA settings on your account.

I'm getting a 'something went wrong' message during setup

This means that the app didn’t link correctly with your login, or the setup took too long.

Delete the account from your app and begin the setup process again. If you continue to have trouble, please contact WorkflowMax support and let us know what you have tried.

Invalid authentication code error

This error can occur when the date/time on your mobile device is out of sync with the device you’re trying to log into WorkflowMax on. To resolve this, ensure the date and time on your devices are set to automatic.
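
Why an out-of-sync clock produces this error, shown as an added example (not WorkflowMax's own code): an authenticator derives each code from a shared secret and the current time, so a device with a wrong clock computes the code for a different time step than the server checks. The 30-second step, HMAC-SHA1 and the one-step tolerance window are RFC 6238 defaults assumed here, and the secret is the RFC's published test value.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (assumed, not stated on the page)
DIGITS = 6   # the page describes a six-digit code


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (the algorithm is an assumption here)."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def matching_offset(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which `code` matches, or None if rejected.

    `window` is how many steps either side of the server clock are
    tolerated; the real service's tolerance is not documented on the page.
    """
    for offset in range(-window, window + 1):
        expected = totp(secret, server_time + offset * STEP)
        if hmac.compare_digest(expected, code):
            return offset
    return None


# Constructed sample values: the RFC 6238 test secret, never a real one.
SECRET = b"12345678901234567890"
SERVER_NOW = 1111111109


def login_attempt(device_clock_error: int, window: int = 1):
    """Simulate a device whose clock is wrong by `device_clock_error` seconds."""
    code = totp(SECRET, SERVER_NOW + device_clock_error)
    return matching_offset(SECRET, code, SERVER_NOW, window)


if __name__ == "__main__":
    for skew in (0, 2, 45, 300):
        verdict = "accepted" if login_attempt(skew) is not None else "invalid code"
        print(f"device clock off by {skew:>3}s -> {verdict}")
```

A two-second error already crosses a step boundary in this sample, which is why verifiers usually tolerate an adjacent step and why larger drift can only be fixed by correcting the device clock.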

Need support?

Click the 'Contact us' button on your WorkflowMax dashboard. Our team is here to help you every step of the way. 