Multi-Factor Authentication (MFA) is a multi-step account login process that requires users to enter information beyond a password (e.g., a one-time-use code from an authentication app or a hardware key). 

Since it greatly enhances the security of your account, Multi-Factor Authentication is required if you are using RMM features (and strongly recommended if you are only using PSA). By default, Syncro requires Users to enter a new code every 30 days, or on new browser sessions.

Global Admins enable MFA for the entire Syncro account. They can also check which Users have MFA enabled, change the MFA reauthorization time setting, and help restore access for Users should they get locked out. Every User sets up their own MFA, and can edit or disable their MFA settings.

Notes: 

• Syncro does not generate or save passwords and/or credentials. Use strong passwords and/or a password manager.
• MFA is formerly known as Two Factor Authentication (2FA), so you may see that term/acronym too. 

Enable MFA on a Syncro Account

Note: Enabling MFA on a Syncro account will prompt all Users to set up MFA on their next login to their account.

Global Admins can enable MFA for the entire Syncro account from the App Center:

1. Navigate to Admin > Integrations - App Center. 
2. Click the “Security” link to filter the list, then click the MFA tile:

The Multi-Factor Authentication Settings page displays:

3. Click Enable User MFA, then OK. 

Set Up MFA as a Syncro User

Regardless of whether Global Admins have enabled MFA on the entire Syncro account, individual Users can follow these steps to set up MFA:

1. Click your name in the upper right of the Syncro header to open your Syncro User Profile.
2. Select the "Profile/Password" option. Syncro displays the Password / Login-Pin / API Key page:
3. At the bottom of the page, click Enable Multi-factor Authentication and OK to confirm:

4. On the MFA page that appears, click Set Up MFA and Access Your Account:
   
5. If you don't have one already, follow the instructions to download and install an MFA app (such as Google Authenticator or Authy) on your device, then open it. 
6. Scan the QR code to add the Syncro account to your device:
   
7. Enter the code shown in your authenticator app, then click Enable Multi-factor Authentication:

8. Enter a code on the next page: 
   
   IMPORTANT: Check your authenticator app in case the code changed, enter the code, and click Authenticate. The Congratulations page appears:

9. Click Download Recovery Codes and store the downloaded file somewhere safe. You'll need these to access your Syncro account if you lose your device and cannot access MFA codes. Click Next:

10. Set up a mobile recovery option. While you can technically skip it, Syncro strongly recommends doing this. Enter your mobile phone number and click Confirm Recovery Mobile.
11. Enter the code that was sent to your device via SMS, then click Confirm:
    

MFA is now enabled. Syncro sends an email to let you know:

Check Whether MFA Is Enabled

As a Global Admin, you can see which Users have enabled MFA. 

Navigate to Admin > Syncro Administration - Users. The Users table displays. Any User who has NOT enabled MFA has a red X in their MFA column:

If you're an Admin user logged into your own Syncro account and MFA is not enabled, you'll see an “Enable” link:

Clicking "Enable" displays the Password / Login-Pin / API Key page, from which you can Set Up MFA as a Syncro User:

Once MFA is enabled, you'll see a green checkmark:

Edit or Disable MFA Settings

Syncro Users can edit or disable their individual MFA settings. To do so, follow these steps:

1. Click your name in the upper right of the Syncro header to open your Syncro User Profile.
2. Select the "Profile/Password" option. Syncro displays the Password / Login-Pin / API Key page.
3. At the bottom of the page that displays, click Multi-Factor Authentication Settings to edit settings, or Disable Multi-Factor Authentication to disable it: 
   
4. In the case of edits, the page that displays allows you to Download Recovery Codes, Set your Recovery SMS Number, or Disable MFA:
   
   Note: When you disable MFA, Syncro sends you (and your Admin) an email notifying you of the change. 

Change the MFA Reauthorization Time Setting

By default, all Users will be prompted to re-enter an MFA code every 30 days, on all devices and browsers.

Once the time setting elapses, users must enter an MFA code from their authenticator app (regardless of their activity or inactivity). Even if they leave browser tabs open with sessions running, Syncro checks on every web request.

To make this check more frequent, Global Admins can follow these steps:

1. Navigate to Admin > Syncro Administration - Login Settings:
   
   
   The Login Settings page displays:
   
   Tip: This page is also where you can enable Single Sign-On and Customize Employee Login Settings.
2. Use the MFA Time Setting dropdown to select your desired setting. Options range from 1 hour to 30 days.
3. Click Save.

If A User is Locked Out

If someone gets locked out, Global Admins can "unlock" a User's account:

1. Navigate to Admin > Syncro Administration - Users. The Users table displays.
2. For the User who is locked out, click Password / MFA. (Alternatively you could click Details, then Change Password / MFA in the upper right corner.) 
3. When prompted, enter your own password and click Enter to gain access to the edit page:
   
4. At the bottom of the page, click Disable Multi-factor Authentication:
   
5. In the popup that displays, click OK. 

Notes: 

• By confirming, you are resetting MFA on this User's account. The User will be logged out of all currently open sessions, and will need to reconfigure MFA before being able to access their account again.
• Admins will receive an email notifying them that MFA is no longer set:
  
• The User also receives an email notification:
  

If You Receive “Attempt Failed” Errors

If you repeatedly encounter an “Attempt Failed” error message when entering your MFA code, it's likely that one of the following is the cause:

1. You have entered an incorrect code (possibly using a different MFA Authenticator app than was originally set up). Verify that the app generating the code, and the code you're entering, are both correct.
2. A time de-sync from the device running the Authenticator app is causing incorrect codes to be shown. To resolve this issue, follow these steps:
   1. Check the device’s time for accuracy. Even a one or two minute discrepancy can cause issues.
   2. Power the device off, then turn it back on (simply restarting doesn’t always update the time correctly).
   3. Check the device’s Time Settings to ensure it’s in the correct time zone.
   4. Attempt to log in once more, using the MFA codes from your Authenticator app. Since the device time is now verified to be accurate, it should work as expected and log you in.