2-Step Login

How do I review and manage 2-Step Login settings in BambooHR?

Purpose: We know that your BambooHR account stores sensitive employee information for your company, and we want to make sure you know your data is secure. With 2-Step Login being required, your employees will need to enter a passcode each time they log in to their account or choose Trust this device (for six months). This help guide will walk you through how to manage this requirement in BambooHR.

IMPORTANT: Starting August 28, 2024, we will be rolling out the 2-Step Login requirement to ALL customers. Once rolled out to your account, employees will have 30 days to set up their preferred authentication method.

Please refer to this table to understand how this requirement impacts SSO, SAML, and Google/Microsoft Login users. 


2-Step Login requirement

Data security is our top priority at BambooHR, and we take the privacy and security of your account very seriously. As a result, we require 2-Step Login for all users. Your account will be set to Required For All, and you will not be able to change this setting.

There is one exception to this. Please review the Third-Party Login Users section below to understand it.

Third-party login users

Do your employees use a login method other than 2-Step Login? Please review the table below to learn if your employees need to set up 2-Step Login.

Login Setup | 2-Step Login Required?
BambooHR username and password | YES
SAML, SSO, Google/Microsoft Login without BambooHR username and password login | NO
SAML, SSO, Google/Microsoft Login with BambooHR username and password login | YES (Only users logging in with their username and password will receive a prompt to provide an authentication code.)

Did you know there is a report that tells you who has enabled 2-Step Login and what their verification methods are? Click here to learn more!


FAQ

  1. Will your 2-Step Login requirement override our employees' third-party MFA login?
    • If ALL users in your account are already using a third-party MFA/SSO/SAML solution, they will not be required to set up BambooHR's 2-Step Login. Please review the table above to confirm.
  2. How is the 2-Step Login requirement different from the two-step process that is already in place for employees to log in to their account?
    • Users will need to use a mobile device to set up 2-Step Login via SMS or an authenticator app. Once set up, users can check a box to trust a device and will not have to use 2-Step Login for the next six months. After six months, the user will need to renew their login.
  3. What if an employee does not have a mobile device? What options can they use for 2-Step Login?
    • 2-Step Login requires a phone or authenticator app/browser extension to validate the login. You can consider the option of enabling SSO, which allows for alternative methods of validation.
  4. Are non-employee users required to use 2-Step Login?
    • If they are not using an SSO login, they will be required to use 2-Step Login.
  5. What if I do not want to have 2-Step Login required for my account?
    • Our 2-Step Login requirement is a mandatory system-wide change that applies to all customers. This is to keep your account a secure place for your important data.
  6. 2-Step Login has been an option previously—why has this changed?
    • We decided to implement the 2-Step Login requirement due to some major data breaches and cybersecurity incidents within other companies in 2024. Requiring MFA will reduce customer data risk, internal costs to investigate instances of fraud, and the reputational risk to BambooHR associated with a security incident.
  7. Will my employees receive any communication about the rollout of the 2-Step Login requirement?
    • Only Account Owners and Full Admin users will receive a few emails about the newly implemented requirement. Once 2-Step Login is rolled out to your company, the employee will have 30 days to set up their verification method (as indicated by a notification that will appear upon logging in after the rollout). Additionally, we have provided the following sample email to help you communicate 2-Step Login setup instructions to your employees.
  8. What happens if a user does not set up 2-Step Login within the 30-day timeframe?
    • The user will not be able to log in to their account without setting up a verification method. They will receive a prompt to set up their verification method once they enter their email address and password to log in.

If you have any additional questions, please reach out to our Customer Support team.


Employee communication

*Use this sample email copy to help roll out 2-Step Login to your workforce.*

Hi Team,

In an effort to keep employee information as secure as possible, we’ll now be requiring you to use both your password and a unique code to log in to your BambooHR account.

Here’s what you’ll need to do to generate your unique code:

  1. Log in to your BambooHR account from your desktop or laptop computer. 
  2. You’ll see a message letting you know 2-Step Login is now or soon to be required. Select Setup Now to get started. 
  3. Choose your preferred verification method: Text Message (SMS) or Authenticator App.
  4. Please follow the setup instructions below depending on the verification method you have selected.

Text Message (SMS)

  1. Enter your country code and phone number, and then click Send Verification Code.
  2. Enter the six-digit code that was sent to your phone, and you can begin using your account as you normally would.

Authenticator App

  1. Visit your app store on your mobile phone and download an authenticator app, such as Google Authenticator. 
  2. Open your authenticator app and scan the QR barcode that appears on your desktop or laptop screen.
  3. You’ll be prompted to download or print backup codes. Backup codes will be used if you’re ever locked out of your account and without your mobile device. Remember where you save these codes!
  4. Enter the six-digit code displayed in your authenticator app into your account, and you can begin using your account as you normally would.

Thank you for your cooperation! 

Please feel free to contact me with any questions,

Your HR Team


Reset an employee's 2-Step Login

Settings

To reset an employee's 2-Step Login from Settings, navigate to Settings > Login Settings and click on the gear icon. Then, from the dropdown menu, select Reset Employee's 2-Step Login.

Under "Who needs the reset?" simply click on the down arrow to view a dropdown menu listing all employees who have 2-Step Login enabled and select the specific employee you need to reset 2-Step Login for. Once selected, click Reset.

Employee profile

You can also reset an employee's 2-Step Login by going to the action menu (three-dot icon) on their employee profile. Simply hover your cursor over "Security" and select Reset 2-Step Login.

Confirm the reset by clicking Yes, Reset. The employee will receive a notification to set up an authentication method the next time they log in to their account.

Admins have the option to grant a custom access level user access to reset an employee's 2-Step Login.

What if I (admin) get locked out of my account with 2-Step Login enabled?

  1. If another admin is available, please have them reset your 2-Step Login. 
  2. If there is no other admin to do this, use the backup codes you created when setting up your 2-Step Login.
  3. If neither of the first two options is possible, please reach out to our Support team via phone. We will need written approval from a Full Admin user for verification.