2-step verification
Last updated: June 26, 2025
2-step verification (2SV) is a multi-factor authentication process that enhances security by confirming a user’s identity before granting Dashboard access. By enabling 2SV, you add an extra layer of protection, helping to prevent unauthorized access and safeguard your business data, customer information, and financial transactions.
Note: In order to activate 2SV, ask the user with the Director role to fill out a company recovery phone number or update it in case it has changed.
Setting up 2-step verification
To enable 2-step verification:
- Go to Settings > Users & Permissions > Users and select the user.
- Navigate to Account > 2-Step Verification.
- Enable 2-step verification > Add a mobile number.
- Enter the verification code sent to the provided mobile number.
Once verified, the account will be secured, and future login verification codes will be sent to the registered mobile number.
After 2-step verification is enabled, users must enter a verification code sent to their phone number each time they log into the Dashboard.
The number provided by the user must be able to receive SMS text messages. Message and data rates may apply.
Note: Email-based 2SV is available as an SMS alternative, however, setting up 2SV for the first time with a phone number is still required.
Tip: You can also check the Remember 2SV for this device box during login to reduce future prompts.
- This option is off by default and applies to only one user per device.
- Currently, the Remember 2SV for this device feature is not available on the FareHarbor app.

Updating 2-step verification phone number
To update the phone number attached to 2-step verification:
- Go to Settings > Users & Permissions > Users and select the user.
- Navigate to Account > 2-Step Verification.
- Click Reset.
- Enter the verification code sent to the new phone number.
- Once verified, the new number will replace the previously-listed number in your 2-step verification process.
Note: Only the user in question can update their own 2SV phone number. If you need help updating another user’s phone number, please contact FareHarbor Support.
Adding a company recovery phone number
A recovery phone number helps verify a user if their registered 2-step verification phone number is unavailable.
To add or update your recovery phone number:
- Navigate to Settings > Users & Permissions > 2-Step Verification.
- Add a company recovery phone number.
Note: Only users with director permissions can edit the recovery phone number.
Troubleshooting
If you are having trouble with 2-step verification, follow the instructions below based on the issue you are encountering.
I didn’t receive a code
- Check that you’re using the same phone number registered for 2SV.
- Confirm that you are able to receive SMS messages on the listed phone number.
- If you have an Android device, check that the verification message wasn’t misdirected to the SMS spam folder.
- Confirm that your device is connected to Wi-Fi or cellular data and not experiencing network issues.
- Try again by requesting a new code:
- If you’ve received the code: Great! You’re all set.
- If you have not received the code: Contact our Support team.
I’m receiving the wrong code
Enter the code immediately upon receiving it. If it still doesn’t work after trying again, contact our Support team.
I received a code I didn’t request
Are you sharing an account with another user?
- Yes: For the best security and user management, we advise setting up separate accounts for each team member.
- No: Your account may have been compromised, please update your account password.
Frequently asked questions
Is 2-step verification mandatory?
Yes, starting on the date specified in the email you received, 2-step verification will be required for all logins. This extra layer of security helps prevent unauthorized access and protects your business data.
What are the potential risks of not using 2-step verification?
Without 2-step verification (2SV), your account relies solely on a password for protection. In today’s environment, where cyber threats and phishing attacks are increasingly common, a password alone may not be enough to prevent unauthorized access.
- Unauthorized access: If your login credentials are compromised, a malicious actor could gain full access to your Dashboard, including sensitive customer information, booking data, and financial details.
- Security incidents: Without 2SV, it’s easier for attackers to exploit your account and potentially expose customer data, which can damage your reputation and erode trust.
- Operational disruption: A compromised account could result in cancelled bookings, altered schedules, or fraudulent activity, directly impacting your day-to-day operations and revenue.
- Increased liability: If a breach occurs and security best practices like 2SV aren’t in place, your business could be held liable for resulting damage or data loss.
How does 2-step verification affect logins on the FareHarbor mobile app and FareHarbor Dock?
When 2SV is enabled, users must enter a verification code when logging into the FareHarbor mobile app and FareHarbor Dock.
Note: 2SV settings cannot be updated within the app—any changes must be made via a web browser.
How often will users be required to enter a 2SV code?
Users will be prompted to enter a 2SV code each time they log in. If a user does not manually log out, their session will remain active for 14 days. This applies even if FareHarbor is closed on the device or if the device you are using is restarted.
If you’re the only FareHarbor user on a single device, we recommend using the Remember 2SV for this device box during login to reduce future prompts.
Why am I being asked for a code again even though I checked Remember 2SV for this device?
There are a few possible reasons for this:
- The Remember 2SV for this device box is unchecked by default, so it may not have been selected during your last login.
- You’re logging in from a different device or browser than the one where you originally selected Remember 2SV for this device box.
- Only one user can be remembered per device. If another user logged in on the same device and also checked Remember 2SV for this device box, it overrides your remembered session.
- Manual logout does not clear the remembered session, but if any of the above occurred since your last login, you’ll be prompted to verify again.
Can I use a landline as my company recovery phone?
Yes, you may use a landline as your company recovery phone. This number is used for voice calls during account recovery and does not need to receive text messages.
What are the options for users in remote areas or those who travel frequently?
Users stay logged in for 14 days unless they manually log out. Email-based 2SV is available as an SMS alternative. Clients may opt out of 2SV if it significantly impacts operations but must acknowledge the security risks and potential liability.
Is email available as a method for receiving 2SV codes?
As an alternative for users who cannot receive SMS codes, email-based 2SV is available. Please note that setting up 2SV for the first time with a phone number is still required.
Are other 2SV methods like DUO, Authy, Google Authenticator, or similar apps supported?
Currently, we are not supporting authentication apps like DUO. However, email-based 2SV is available as an alternative verification method.
What if multiple users share a single login for the Dashboard?
For the best security and user management, we recommend using separate accounts and phone numbers for each team member. Additionally, with mandatory 2SV, each user needs their own login to securely set up and manage their 2SV settings. More information on adding new users can be found here. If this is not possible, using a shared email (though not advised) is an option. Alternatively, clients can remain logged in to avoid repeated prompts or they may request to opt out, accepting the security risks involved.
Can the same phone number be used for multiple user accounts?
Yes, the same phone number can be used for multiple users, but it’s not recommended due to potential confusion during the login process.
Do the mobile or Dock apps require a 2SV code every time it’s opened?
No, the 2SV code is only required when logging in. If the app uses biometrics like Face ID to unlock, but remains logged in, a new code won’t be needed.
My FareHarbor app is logging out after my mobile device wakes from sleep while biometrics are enabled. How do I fix it?
This can happen due to various reasons. For example, after a system update which may invalidate the biometric credentials stored on the device. When this occurs, biometric login fails silently, causing the app to log out and prompt for 2-step verification.
Workaround solution:
- Log into the FareHarbor app > go to Settings > Biometry.
- Disable the Biometry toggle.
- Log out.
- Log back in to the FareHarbor app while biometrics are disabled.
- Go back to Settings > Biometry and toggle the setting back on.
Alternatively, reinstalling the Fareharbor app can also resolve the issue.
Why am I asked to log in multiple times a day?
If you manually log out or if the system clears your session, you will need to log in again. If this happens unexpectedly without logging out, please reach out to our Support team.
Who can enable 2SV for a user?
Each user must enable 2SV from their own account. 2SV cannot be set up by an admin or another team member on behalf of another user.
Why is 2SV required for view-only users or guides?
All users, regardless of permission level, can potentially access sensitive information. This makes 2SV necessary to help prevent data breaches.
Are USB hardware tokens supported for 2SV?
USB hardware tokens are not currently supported for 2SV, but feedback about hardware-based 2FA is being collected and considered for future development.
Why am I receiving a “Please wait X seconds before requesting another code” message?
This may occur if you repeatedly request new codes too quickly. Ensure that you’re waiting the full time displayed before retrying. If the issue persists despite following the instructions, update the mobile app and contact our Support team.
Can I schedule a consistent logout time (for example: every night at midnight)?
This is not currently possible. Logouts occur based on session expiration (14 days). Users can manually log out at the end of the workday to reset their session timer.
Is there a limit to how many users can set up 2SV?
No, all users of a company should be able to set up and use 2SV on their own accounts without any limitations.
Is there any cost to adopting 2SV?
FareHarbor does not charge for receiving 2SV codes via SMS or email. However, phone carrier message and data rates may apply.
Internal-only content. Don't copy and paste to anyone.
Mandatory 2SV implementation
Why is 2SV mandatory for all users?
Cyber threats are constantly evolving, and protecting our clients’ accounts is our top priority. 2-step verification significantly reduces the risk of unauthorized access, ensuring that only authorized users can access their Dashboard.
Communication & enactment timeline
| Tier | Notice date | Enactment date |
|---|---|---|
| T0-1 | April 15, 2025 | May 19, 2025 |
| T2+ | April 15, 2025 | June 16, 2025 |
Troubleshooting guide
When a user reports that they cannot log in with 2SV, follow the steps below based on their issue:
No code received
- Verify the phone number.
- Check that the user’s phone number used for 2-step verification (2SV) matches the one listed in the system under Settings > Users & Permissions > Users > [user] > Account > 2-Step Verification.
- Check SMS capability.
- Confirm the user is able to receive SMS messages on the listed phone number. Some countries might not be able to receive SMS messages.
- Check spam folder (Android users).
- If the phone is an Android device, ensure the verification message wasn’t misdirected to the SMS spam folder.
- Check network connectivity.
- Confirm the user’s device is connected to Wi-Fi or cellular data and not experiencing network issues
- Resend the code.
- Ask the user to request a new code and try again.
- If code is received → Issue resolved.
- If code is not received → Temporarily disable 2SV and file a bug.
- Ask the user to request a new code and try again.
Incorrect code (error message)
Ask if the user entered the code immediately after receiving it.
- If Yes → File a bug and follow steps to temporarily disable 2SV.
- If No → Ask them to try again and enter the code immediately after receiving it.
- If it still doesn’t work → File a bug and follow steps to temporarily disable 2SV.
No phone at work
- Determine if the user can temporarily access their phone.
- If Yes → Recommend using their phone to log in.
- If No → Proceed to Step 2.
- Ask the user to request 2SV code via email.
- This will only work if the user already has an email address in their user account (Settings > Users & Permissions > Users).
- Temporarily disable 2SV for the user to prevent disrupting their operations and notify them of the potential risks.
Received a code I didn’t request
Confirm whether the user is using a shared account.
- If Yes → Recommend the company create individual user accounts.
- If No → Recommend the user update their account password as their account could be compromised.
Verifying the user’s identity through the recovery phone
Before temporarily disabling 2SV, you must verify the user’s identity to ensure account security.
Follow the steps below:
- Confirm the user’s identity in the Dashboard.
- Locate the user’s profile in Settings > Users & Permissions > Users > [user] > Account > 2-Step Verification.
- Verify the Phone Number on the Call.
- If the phone number the user is calling from matches either:
- The 2SV phone number on their user profile, or
- The company’s recovery phone number
- Then you may temporarily disable 2SV to allow the user to log in without a code.
- If the phone number does not match either the 2SV number or the recovery number:
- Inform the user that you will return the call using the recovery phone number on file.
- End the call and proceed to contact them through the recovery phone number.
- If the phone number the user is calling from matches either:
- Call the recovery phone number.
- Call the company using the recovery phone number Settings > Users & Permissions > 2-Step Verification > Recovery phone number.
- Ask the recovery phone contact whether the user in question lost access to their phone or 2SV code, and confirm whether we can disable 2SV so the user can log in without a code.
- If Yes → Temporarily disable 2SV.
- If No → Do not disable 2SV. If the original user calls back, inform them that their identity could not be verified through the recovery contact, so we are unable to disable 2SV on their account.
Temporarily disabling 2SV
Important: Always verify the user’s identity before temporarily disabling 2SV. This step is critical to prevent unauthorized access and protect against potential cyber attacks.
To temporarily disable 2SV on a user account:
- Go to Settings > Users & Permissions > Users > [user] > Account > 2-Step Verification.
- Remove the 2SV information for the user.

- Inform the user that 2SV settings have been updated and the user can now log in without a code.
Opt-out decision tree
The goal is to ensure we only suggest opting out in rare, well-justified scenarios. Follow the decision tree process below to determine whether to proceed with opt-out.
Start: Has the client requested to opt out of 2SV?
- No → Do not proceed with next steps.
- Yes → Proceed to Step 1.
Step 1: Client role & authorization
Is the request coming from an owner or users with Director-level permissions?
- No → Decline the request and explain that only the owner or users with Director-level permissions can opt a company out of mandatory 2SV.
- Yes → Continue to Step 2.
Step 2: Functionality issues
Is the client experiencing technical issues using 2SV (for example: not receiving verification codes or login errors)?
- No → Continue to Step 3.
- Yes → Support clients with Troubleshooting steps.
Step 3: Operational impact
Has the user determined that 2SV will significantly disrupt their operations (for example: shared logins, limited mobile access, etc.)?
- No → 2SV should remain enabled.
- Yes → Proceed to Step 4.
Step 4: Account access practices
Are individual user logins set up for all staff?
- No → Request client to set up individual logins for each staff member.
- Yes → Proceed to Step 5.
Step 5: Understanding the risk
Share the potential risks of opting out. Have they expressed that enforcing mandatory 2SV may lead to escalation or account churn?
- No → Do not proceed. Inform client of the security risks before continuing.
- Yes → Proceed to the Opt-out process.
Opt-out process
Important: Follow the opt out decision tree process before proceeding with the opt out process.
Only an owner or or users with Director-level permissions can request to opt out of mandatory 2-step verification. Follow the instructions below to complete the opt-out process.
- Add company shortname to the tracker.
- If the company has multiple shortnames and wishes to opt out for all of them, be sure to include each one in the tracker.
- Send the opt-out language to the owner or director.
- Use the Zendesk macro: 2SV Opt Out Legal Notice.
- Use the Close template: Legal – Mandatory 2SV – Opt Out Notice.
- Fill in all details in the tracker, including:
- Zendesk or Close link
- Date of the opt-out request
- Any relevant notes or context
Important: After step #3, someone on Product/Engineering is manually opting out the client and no further action from you is needed. It can take up to 1-2 business days after adding the client to the tracker for them to be opted-out. If in the tracker, you see “Yes” next to the client, it means that they are fully opted out.
Frequently asked questions
Is 2SV currently enforced for every user?
2SV is required by default. However, the 2SV setup requirement is not enforced at this time. Clients who accept the security risks may request an exemption via Support. Users will see a prompt every 48 hours until they enable 2SV. Please note that enforcement rules may change in the future.
Can users opt out of 2SV?
Yes, but only at the organization level, not per individual or permission group. Opting out introduces security risks that clients must accept in writing. A single user that is not using 2SV is an opportunity for a cyber attack to happen and cause reputational or financial damage to our client and FareHarbor.
Is it possible to opt in individual users and opt out other users rather than the entire Dashboard?
No, when a client opts out of 2SV, they are taking the risk as an entire company. Some users who might have access to more critical information or actions can still enable 2SV to protect that part. However, even a user with few permissions can still provide an opportunity for attackers to leak sensitive data or dig for more attack opportunities.
What if a user’s 2SV code is marked invalid, even when entered immediately?
If a user receives an invalid code message after entering it right away, file a bug report and temporarily disable 2SV for the user following the outlined steps in internal documentation.
Might frequent login prompts be related to specific phone models or OS versions?
Some users on certain Android or iOS devices (e.g. Google Pixel, Samsung Galaxy) have reported frequent logouts or 2SV prompts when switching apps. These may be device-specific bugs—report the issue with as much detail as possible (for example: phone model, OS version, app version).
Why am I being asked for a code again even though I checked Remember 2SV for this device?
There are a few possible reasons for this:
- The Remember 2SV for this device box is unchecked by default, so it may not have been selected during your last login.
- You’re logging in from a different device or browser than the one where you originally selected Remember 2SV for this device box.
- Only one user can be remembered per device. If another user logged in on the same device and also checked Remember 2SV for this device box, it overrides your remembered session.
- Manual logout does not clear the remembered session, but if any of the above occurred since your last login, you’ll be prompted to verify again.
My FareHarbor app is logging out after my mobile device wakes from sleep while biometrics are enabled. How do I fix it?
This can happen due to various reasons. For example, after a system update which may invalidate the biometric credentials stored on the device. When this occurs, biometric login fails silently, causing the app to log out and prompt for 2-step verification.
Workaround solution:
- Log into the FareHarbor app > go to Settings > Biometry.
- Disable the Biometry toggle.
- Log out.
- Log back in to the FareHarbor app while biometrics are disabled.
- Go back to Settings > Biometry and toggle the setting back on.
Alternatively, reinstalling the Fareharbor app can also resolve the issue.