Frequently Asked Questions (FAQ) on ServiceM8's Two-Step Authentication security feature.
What is ServiceM8’s Two-Step Authentication (2SA)?
ServiceM8’s Two-Step Authentication (2SA) is an easy way to improve your business’s protection against cyber criminals and others seeking unauthorised access to your ServiceM8 account.
With ServiceM8’s 2SA, in addition to providing your username and password, you’re also sent an SMS (text) with a unique 6-digit code for you to enter, thereby adding a second ‘step’ to authenticating your ServiceM8 account access.
2SA is available on all standard ServiceM8 accounts and is optional to activate. For instructions on how to activate this measure, see How to set up Two Step Authentication.
Why would I activate 2SA?
Online criminals are constantly using phishing, malware and other scams in an attempt to obtain sensitive credentials such as usernames and passwords, which they then use to impersonate you and access your online services (such as ServiceM8).
Your ServiceM8 account contains your clients’ personal information, and sensitive business data (including your invoicing and payment details), making it a target for criminals. So, it’s not only in your interest to protect your account’s security, it’s also your responsibility.
Maintaining a strong, unique and secret password, as well as good online security practices, is an essential starting point. ServiceM8’s 2SA adds another layer of security, requiring the entry of a 6-digit code which is sent to your mobile phone when you want to log in or perform certain account actions.
This means someone would need to know both your username and password, and have access to your text messages, to gain access. This makes it much harder for someone to impersonate you and access your account, even if they have your username and password.
How does 2SA affect my day-to-day ServiceM8 usage?
Once activated, the 2SA process applies:
- Every time you log in to the ServiceM8 app
- Every time you log in to the Online Dashboard
It also applies an SMS authentication process to the following actions:
- Exporting account data, such as Client or Job exports
- Generating Account Backups
- Changing Staff details
- Accessing Account Owner settings
- Changing Account Owner details
- Transferring account ownership
- Cancelling the ServiceM8 account
If you are a ServiceM8 Partner, once 2SA is activated an SMS authentication process will also apply every time you log into a connected client's account.
Is activation of 2SA on my ServiceM8 account mandatory?
In 2023, activation of ServiceM8’s Two-Step Authentication will become a requirement for all ServiceM8 accounts connected to a Xero account.
Use of Two-Step Authentication for all other customers will continue to be optional, but recommended.
Can I use a Passkey?
Yes! ServiceM8 supports the ability to save a passkey for your ServiceM8 login, and 'Sign in with Passkey' as an alternative second step of authentication, instead of entering a 6-digit code received via SMS/push notification. Learn more about Sign in with Passkey.
Can I control which users in my account require 2SA?
To a degree. The Account Owner can activate 2SA for either the Account Owner only, or all staff within the ServiceM8 account. The Account Owner can toggle between these two options; however, once activated, there is no option to deactivate 2SA altogether.
How do I log in if I don’t receive the SMS code?
If you don't receive the SMS authentication code within a couple of minutes, use the “Send again” button (Online) or reattempt the login process (App) to ask ServiceM8 to send another code.
If you still don’t receive the code:
- If you are the Account Owner, you can answer your Security Questions instead to authenticate your login (Online Dashboard login only). Security Questions can be set in Settings > ServiceM8 Account > Account Owner Settings. Use of Security Questions to log in will prompt an automatic notification email & SMS to the Account Owner that the Security Questions have been used to authenticate a login;
- Otherwise, you will need to contact the Account Owner and request they check your mobile/cell phone number is saved correctly in Staff Settings, or disable 2SA for non-Account Owner staff.
How do I log in with 2SA when I'm out of mobile range or don’t have connectivity?
If you don’t have the ability to receive SMS (text) messages, you won’t be able to log in to the ServiceM8 app.
For example, if you often travel overseas and lose the ability to receive text messages, this will prevent you from being able to log in to the ServiceM8 app, as you won’t be able to receive the SMS code. If you are the Account Owner and have set Security Questions, this alternative authentication option can be used to log in to your Online Dashboard.
Do I pay for the authentication SMS (text) messages received as part of using 2SA with my account?
No.
Who can reset Two Step Authentication?
The activation of 2SA and setting whether it is required for the Account Owner only, or all staff, can only be done by the Account Owner. Activation of 2SA is a one-way process — once activated, there is no option to deactivate 2SA altogether.
Note that anyone who has access to edit Staff Settings is able to change the saved mobile phone number of a staff member, which will effectively reset 2SA for that user. The only exception is that the mobile phone number of the Account Owner can only be changed by the Account Owner themselves.
Can you set up 2SA on your phone?
2SA needs to be activated by the Account Owner through the Online Dashboard. Once activated, if an individual staff member’s mobile phone number is not saved against their staff profile, they’ll be asked to enter it the first time they log in to the app or Online Dashboard so that 2SA will work for them.
Can you enforce the 2SA process?
Yes, you can choose whether you want to enforce 2SA for all staff, or just the Account Owner.
Can two users use the same mobile phone number for authentication?
Yes.
Can you disable 2SA for a specific staff member?
No, you can’t disable 2SA for a specific staff member. You can only choose to enable 2SA for the Account Owner only, or all users in the account. However, you can change the phone number saved against a staff member.
Can you disable 2SA for the Account Owner?
No, activation of 2SA is a one-way process for the Account Owner. Once you activate 2SA there’s no option to deactivate it for the Account Owner.
What happens to 2SA if I transfer account ownership?
In the event of a transfer of account ownership, 2SA will be deactivated, and will need to be reactivated by the new Account Owner.
Can you use 2SA with ServiceM8 Franchise accounts?
No, 2SA is not available to activate on either Franchisee or Franchisor (Head Office) accounts.
Can you use 2SA with AppDirect Marketplace accounts?
No.
Can you use 2SA with Intuit Single Sign On (SSO) accounts?
No.
What happens if one of my team members has a mobile number with a different country code to my ServiceM8 account?
International SMS (text) messages cannot be sent from ServiceM8, so that staff member will not be able to log in with 2SA. You will need to turn off 2SA for all staff apart from the Account Owner, or that staff member will need to get a mobile number in your account’s country.