Set up MFA

Overview

Multi-factor authentication (MFA) adds a second check on top of your password so that someone who has your password alone cannot sign in to MyApprentice. As the Business Owner you have privileged access — the highest in the platform — so turning on MFA is one of the first things to do after you register. MFA is also required for several sensitive actions, including inviting team members, uploading supplier invoices, and connecting Xero. Success looks like at least one working MFA method registered against your account.

Who This Workflow Is For

This workflow applies to Admin, Apprentice, Business Owner, Finance, Supervisor, and Tradie.

Before You Start

You need a registered MyApprentice account and you need to be signed in. Have at least one of the following ready: a device with biometrics or a device PIN (for a passkey), an authenticator app installed (for example Google Authenticator, Microsoft Authenticator, or Authy), or a mobile device that can receive push approvals.

Step-by-Step Process

1. In the top-right corner of the header, select the gear icon (⚙). The Customisation page opens.
2. Select the Security tab.
3. Choose one or more methods to set up:
   • iOS app code (Recommended). Open your iPhone camera and scan the QR code shown on the Security tab. The App Store opens to the MyApprentice app — install it and open the app. Sign in with the same credentials you used at sign-up. The app displays a 4-digit code. Enter the 4-digit code into the field on the right of the Security tab to verify the two devices.
   • Passkey (alternative). Select Set up Passkey. When your browser or device prompts you, create the passkey using your fingerprint, face ID, or device PIN. The new passkey appears in your registered passkeys list. You can add multiple passkeys for different devices.
   • Authenticator app. Select Setup authenticator app. Open your authenticator app and scan the QR code shown on screen. Enter the 6-digit code from the app to confirm. Save the backup codes the app issues — you will need them if you ever lose access to the authenticator.
   • Phone approval. Select Phone approval and follow the prompts to link your mobile device. Future logins from an unknown device send an approval push to that linked phone.
4. After registering a method, you can rename the device against it so it is easy to tell apart on the Security tab. Select Rename, type a label such as “Work laptop” or “Personal phone”, then save.
5. (Optional) Set up a second method as a backup. Even with a passkey, having an authenticator app as backup is wise so you are not locked out if the passkey device is lost.

What Happens Next

Once at least one MFA method is registered, MyApprentice asks you for a second factor when you sign in from a new device or after the MFA recency window expires. Business Owners (and Supervisors) have a shorter recency window than other roles, so you will be re-checked more often — this is intentional for privileged accounts.

With MFA in place you can now perform the actions that require it. The most common are:

• Invite a team member.
• Review your subscription and billing — Manage Plan and Manage Billing both require MFA.
• Connect Xero.
• Upload a supplier invoice.

Common Issues

• Lost your passkey or MFA device. Use Forgot password on the login screen. See Recover access after MFA device loss.
• Asked for MFA more often than expected. This is intentional for the Business Owner and Supervisor roles, which have a shorter recency window because of the access they hold.
• Want to remove a registered method. Open the Security tab, find the device with My device shown underneath it, select Remove, and confirm. The device and its MFA method are removed; you can then register a new one. If this is your only method, set up a new method before removing the old one so you are not locked out.
• MFA setup will not start. Make sure your browser supports passkeys, or use the authenticator app or phone approval path instead. Try a different browser if needed.

Related Guides

• Recover access after MFA device loss
• Set up OAuth sign-in