1. Employment Hero Help Centre (AU)
  2. HR Platform
  3. Account Management and Security
  4. Security

Select your platform and then browse by platform category

Who are you and what section are you in?

When is two-factor authentication (2FA) required?

Russell Noble
Updated
EH Content Team

Question

When is two-factor authentication (2FA) required?

Answer

Two-factor authentication (2FA) is a method of securing your account by adding an extra layer of security. This can be in the form of a code sent to your phone via SMS, using an authentication app on your device, or a push notification from the Employment Hero Work (EH Work) app.

You will be required to perform your 2FA method when logging into your Employment Hero account, or when accessing sensitive information within the platform.

2FA is also required when accessing the following information. This includes your own information, as well as any other accounts you may have access to:

Account

  • When logging into your Employment Hero account.
  • If a "Remember me" option is toggled when entering your 2FA method, you will not need to enter your 2FA method for subsequent logins until the token expires.

Employee File

To comply with the ATO's Operational Framework and global security standards, 2FA verification within the session is required when accessing sensitive employee file data. However, if you have an active "Remember me" session on your browser/device, you may not be prompted again for:

  • Bank details (All regions)
  • Tax file declaration (AU) and Statutory Details (MY)
  • Superannuation (AU), KiwiSaver (NZ), and IRAS Forms (SG)
  • Payslips, Payment Summaries (AU), P60s/P11Ds (UK), and EA/PCB2 Forms (MY)

Account Settings

Required after changing the following:

  • Account email
  • Account password
  • Recovery response
  • When disabling 2FA

Exemptions for 2FA

  • Employment Hero HR: If you have previously verified 2FA on the current device and selected to remember the device for 45 days.

  • Employment Hero Payroll: If you select "Don’t ask me again for 24 hours" when entering your 2FA. As part of the Enhanced Login Experience rollout (beginning 3 February 2026), this preference now persists across multiple accounts (up to a maximum of 3 saved accounts) on the same device and browser. Switching between these saved accounts no longer resets your 2FA session for that 24-hour period.

  • If you use a passkey to login. See this article to find out more about passkeys.

Explore related content

Was this article helpful?
4 out of 14 found this helpful