Multi-factor authentication (MFA) provides an additional layer of security when users sign in to Back Office. MFA also applies when signing in through third-party integrations and Insights Live.
After entering your password, MFA asks you to confirm your identity with a one-time code, either sent to your email or generated by an app on your phone. MFA can be enabled by individual users or enforced by company admins for all users or specific roles.
What's in this guide?
Understanding multi-factor authentication
Recommended authenticator apps
Configuring multi-factor authentication
MFA recovery and reset options
Frequently asked questions
Understanding multi-factor authentication
Because passwords can be vulnerable to phishing and reuse, MFA helps reduce the risk of unauthorised access to Back Office accounts. The following points highlight the key details about multi-factor authentication.
- Supported methods: MFA can be completed using either email one-time password (OTP) or an authenticator app. Email OTP sends a 6-digit code to the user's email that expires after 5 minutes, while an authenticator app generates a 6-digit code, which refreshes automatically every 30 seconds.
- MFA enforcement settings: Admins can choose whether MFA applies to everyone or specific roles.
- Prompt frequency: MFA is checked separately for each device or browser you use to sign in. For example, if you verify on your laptop, you'll still need to verify separately on your phone. If the frequency is set to 24 hours, you may still be asked to verify again within that window when signing in from a different device or account.
- Multi-company policy: If your account belongs to more than one company in Lightspeed, the strongest security settings from any of those companies will apply. For example, if one company requires you to verify every time you sign in and another only every 7 days, you'll be asked to verify every time. Similarly, if any company requires an authenticator app, you'll need to use one regardless of what other companies allow.
- Password reset frequency: Admins can configure password resets for users independently of MFA, with options to never require a password reset, or to require one every 90 days or every 365 days.
- Password expiry: If a password reset frequency is set and a user's password expires, they won't be able to sign in until they reset it. A password reset email is automatically sent to their registered email address.
- Email change verification: When a user updates their email in Back Office, the change is saved as pending until the user verifies their new address. A verification email is sent to the new email address, which expires after 30 minutes. A security alert is also sent to the old email address. This process does not affect the user's MFA settings.
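The multi-company rule and the per-device prompt frequency described above, as an added Python illustration (not Lightspeed's code): the policy field names, the ordering of frequencies from strictest to loosest, and the assumption that an "enforced" toggle from any one company also carries over are mine, not taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

# Prompt-frequency options from the Security settings, strictest first (assumed ordering).
FREQUENCY_ORDER = ["every_login", "24h", "7d", "30d"]
FREQUENCY_WINDOW = {
    "24h": timedelta(hours=24),
    "7d": timedelta(days=7),
    "30d": timedelta(days=30),
}


@dataclass(frozen=True)
class MfaPolicy:
    """One company's Security settings (hypothetical model of the page's options)."""
    enforced: bool             # Enforced MFA toggle
    authenticator_only: bool   # MFA method: authenticator app only (else any supported method)
    prompt_frequency: str      # one of FREQUENCY_ORDER


def effective_policy(policies: Iterable[MfaPolicy]) -> MfaPolicy:
    """Merge the policies of every company a user belongs to, keeping the strictest of each setting."""
    policies = list(policies)
    if not policies:
        raise ValueError("a user belongs to at least one company")
    return MfaPolicy(
        enforced=any(p.enforced for p in policies),
        authenticator_only=any(p.authenticator_only for p in policies),
        # Earliest entry in FREQUENCY_ORDER wins, so "every_login" beats "7d".
        prompt_frequency=min((p.prompt_frequency for p in policies), key=FREQUENCY_ORDER.index),
    )


def needs_mfa_prompt(policy: MfaPolicy, device_last_verified: Optional[datetime], now: datetime) -> bool:
    """Per-device check: device_last_verified is the last successful MFA on *this* browser/device.

    A verification on the laptop does not count for the phone, so each device tracks its own timestamp.
    """
    if policy.prompt_frequency == "every_login" or device_last_verified is None:
        return True
    return now - device_last_verified >= FREQUENCY_WINDOW[policy.prompt_frequency]
```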
Recommended authenticator apps
Users can authenticate their account using an authenticator app. Recommended apps include Google Authenticator, Microsoft Authenticator, or Authy.
Configuring multi-factor authentication
MFA can be set up individually by users, or admins can enforce it at the company level. Admins can also configure password reset policies independently of MFA.
Admin enforcement
Before you can enforce MFA for staff, you must first set up MFA on your own account using an authenticator app. Email OTP is not sufficient. See User self-enablement to set this up. Once your account is ready, you can configure enforcement for your staff.
Once MFA enforcement applies, affected users have 7 days to set up MFA. After that, they won't be able to sign in until they complete the MFA setup.
To set up MFA for staff:
- Log in to Back Office with your Lightspeed credentials.
- From the navigation menu, select Company settings > Security.
- Enable the Enforced MFA toggle. Once enabled, you can configure the following:
  - Who must have MFA enabled: Select which users are required to set up MFA. Admins can enforce it for everyone or for specific roles.
  - MFA method: Select the required MFA method. This can be any supported method or authenticator app only.
  - Prompt frequency: Set how often users must complete MFA verification. Options include every login, 24 hours, 7 days, or 30 days. This setting is checked separately for each device or browser.
- (Optional) To configure how frequently users must update their password, under Password reset frequency, select Never, Every 90 days, or Every 365 days.
- Click Save changes.
User self-enablement
Users can enable MFA on their accounts and select their preferred MFA method. Only one method can be active at a time. Enabling a new method will automatically replace the previous one.
However, if an administrator enforces a specific method, affected users must configure and use that method. MFA applies across all companies a user has access to.
To set up MFA for an individual user account:
- Log in to Back Office with your Lightspeed credentials.
- From the navigation menu, select Home > Profile.
- Under Multi-factor authentication (MFA), select your preferred MFA method. This could either be an authenticator app or email OTP.
- Click Enable.
To set up MFA using an authenticator app:
- Download an authenticator app on your mobile phone.
- Scan the QR code that appears in the MFA popup instructions.
- Once scanned, your Lightspeed account is automatically registered in the authenticator app. Enter the 6-digit code generated in the authenticator app into the MFA popup instructions. The code automatically refreshes every 30 seconds.
- Click Verify.
- On the next screen, click Copy and save your recovery code. This can be used if you're ever locked out of your account.
- Tick the box confirming that you have copied and stored your recovery code in a safe place, then click Done.
Store your recovery code somewhere safe. It's the only way to regain access if you lose your authenticator device. If you use all three attempts or lose the code, you'll need to ask an admin or Lightspeed Support to reset your MFA.
To set up MFA using email OTP, click Enable OTP. A 6-digit code is automatically sent to your registered email address upon logging in. Each code expires after 5 minutes.
MFA recovery and password reset options
If a user fails to log in or complete MFA verification multiple times, their account may be temporarily locked out after 8 failed attempts. The following options are available to regain access.
Account lockout recovery options
If a user is locked out of their account due to multiple login or MFA attempts, the following recovery options are available to restore access.
- Password reset: If a user is locked out due to multiple failed password attempts, they can reset their password via the link on the sign-in page. This does not bypass MFA as users are still required to complete MFA verification after resetting their password.
- Recovery code: This is available for the authenticator app method only. A recovery code is provided during the initial setup, and users have three attempts to use it. After three failed attempts, the recovery code becomes invalid and another recovery method must be used.
- Admin reset: Only admins can perform an MFA reset for a locked user. However, admins cannot reset MFA for users who are associated with multiple companies. In this case, the locked user must use their recovery code if available or request a support reset.
- Support reset: If an admin is unable to reset a user's MFA (for example, because the user belongs to multiple companies), the user can contact our Support Team for assistance. Once Support completes the reset, the user receives an email notification and can sign in using just their password. If the company enforces MFA, the user will be prompted to set it up again on their next sign-in.
Admin MFA reset
Users with locked accounts can request an MFA reset from their admin. Once the admin completes the reset, the user receives an email notification and can sign in using just their password. If the company enforces MFA, the user will be prompted to set it up again on their next sign-in.
To reset MFA for individual users:
- From the Back Office navigation menu, select People > Users.
- Select the user account that requires an MFA reset. A warning icon (⚠) next to the user's name means they need an MFA reset.
- Under the Security section, click Reset MFA settings.
- In the confirmation popup, review the details then click Confirm reset.
Frequently asked questions
Depending on the selected configuration, only users with Back Office access are required to set up MFA when enforced by the company. It is not applicable to users who have POS access only.
Yes. You'll receive an email whenever your MFA settings change, including when MFA is enabled or disabled, when you switch methods, when an admin resets your MFA, or if your account is locked after too many failed attempts. These emails are sent to your registered email address and don't require any action unless stated.
If a user can't use their recovery code to regain access, they can request an MFA reset from an admin. Admins can only process MFA resets for users who do not belong to multiple companies. If the user belongs to multiple companies, they should contact our Support Team for assistance.
Yes, admins can set up password reset frequency even if MFA is not enforced.
What's next?
Manage staff permissions to ensure users have appropriate access based on their roles.
Learn about the different user roles and how they affect access to Back Office features, including MFA requirements.