If you are not signing in with secure passkeys, but using a password then please enable 2FA on your account for your account security.

What is Two-factor authentication?

There are typically 3 different terms used.

• Two-factor authentication (2FA)

• Multi-factor authentication (MFA)

• Two-step verification (2SV)

Details at Wikipedia: https://en.wikipedia.org/wiki/Multi-factor_authentication

With only Single-factor authentication (SFA) the only roadblock between your secure data at Visma and attackers getting a hold of it is your e-mail address and your password.

Attackers could be able to obtain your password by sending you to some fake website (e.g. a link in an email to you) capturing your credentials (phishing), or by other means - e.g. buying stolen passwords from the internet/darkweb. A password breach does not have to be linked to your Visma account as many users share the same password across multiple web applications.

One safe website to check if your email address has been compromised is HaveIBeenPwned - but it by no means have the full overview - still worthwhile to check.

If you enable Two-factor authentication (you REALLY should) you make the life of an attacker much harder. Then having your secret password still does not give an attacker access to your account. They will have to get passed the second factor to get into your data.

Do I have to pay for Two-factor authentication at Visma?

No - it is provided free of charge to you as a customer.

What Two-factor authentication options are supported?

• Visma Authenticator App - Push Notifications sent to your mobile device or 6-digit codes valid 30 seconds.

• Security Key - A FIDO2 or U2F compatible hardware security key like the ones from Yubico.

• Other Authenticator Apps - 6-digit codes valid 30 seconds. E.g. Google Authenticator or Microsoft Authenticator. Any TOTP-compatible application is supported.

• SMS - 6-digit codes valid 5 minutes and sent as text message to a mobile phone.

How do I enable Two-factor authentication?

If you account administrator has enforced it, you are required to enable it during sign in.

If it is set as optional you enable it in the security section in "Account Settings" at https://accountsettings.connect.visma.com. This application is integrated in the right-menu (your profile settings) in most Visma web applications.

The sign-in process allows me to remember my device for 30 days and it even has this option enabled as default, is this safe?

If you are not on a public computer, but at your workstation or personal computer, then yes. It means you will only be prompted for the 2nd step once a month. Any attacker/phisher that got your username/password using any other computer on the internet would naturally still be prompted for the 2nd step.

I cannot use 6-digits codes from any Authenticator App, they never accept my 6-digit code

Make sure the time on your device is correct! Any app that uses the TOTP-standard (time-based one time token) requires correct time and your device needs to match the world-clock and servertime of Visma. Open this website https://time.is/ on the device to check if your clock is accurate or not.

I have enabled 6 digit codes on my mobile phone, but how can I add it also on a secondary device?

Sign into the Account Settings https://accountsettings.connect.visma.com and choose "Add another device" link. This will bring up the QR code / secret again, so it can be used to add another device.

Can I still get a code if I my mobile phone doesn’t have data reception?

Yes, as long as you use any Authenticator App for 6-digit codes. They do not require a data connection to generate two-factor authentication codes, as long as your mobile phone’s date/time setting is in sync.

For how long can I use the 6 digit code generated by the app?

A unique 6 digit code is generated every 30 seconds. It can only be used once. Most apps gives a countdown for about 30 seconds to indicate code validity before next code is generated.

How does Visma and the app share the same code?

Visma has implemented Time-based One-Time Password algorithm (TOTP). The 6 digit code is generated based on a shared secret that both Visma knows and the app knows. It must never be shared with anyone; consider it a secondary password used by the app. If this secret is put into any other app, they will get the same 6 digits codes as you do.

Why does the code expire so fast?

For purpose of protecting against man-in-the-middle attacks. Lets say you get lured into a fake website (phishing attack) duplicating the sign in screens used at Visma, you can be at risk giving the attackers not only your credentials, but also the 6 digit code. Then the attacker can go into the real Visma website, enter your credential and also your valid 6 digit code and they are signed in as you. Having this short time window makes the 6 digit code useless if they try to use it after this expiration time.

How can I be protected against man-in-the-middle attacks?

You can be fully protected by enabling 2FA (Yubikey) or by using a Passkey instead of Password/2FA. Then an attacker have to get a hold of your hardware key in order to breach your account.

What if my phone is lost or stolen, I upgraded my phone to a new, I forgot to bring my phone and only had Authenticator App enabled on that device?

If you only had the Authenticator App setup on a single device and have lost access to it you will have to sign in and enter the one-time emergency code (given to you when you setup 2FA).

On the 2FA screen, you then choose “Try another way” which will show the option to use one-time emergency code. Input your one-time emergency code and you can choose "I have permanently lost access to my Authenticator app". This will restart the 2FA Enrollment.

If you do have lost your one-time emergency code, you will have to contact your local Visma support who can re-generate one for you.

Where do I enable SMS as Two-factor option?

If you did not do it on your initial 2FA setup you can enable it in the security section in your Account Settings at https://accountsettings.connect.visma.com. This application is integrated in the right-menu (your profile settings) in most Visma web applications.

Can SMS be sent to only one phone number?

No; you can receive the SMS with 6-digit code to any of the 3 phone numbers you can setup in your Account Settings at https://accountsettings.connect.visma.com

Can I use SMS as my only Two-factor authentication method?

No; SMS is your backup method to the Authenticator App. You have to specifically enable it, and can disable it at any time. It is recommended to use it only when you have lost access to your Authenticator App.

Can I still get an SMS code if my mobile phone doesn’t have data reception?

No.

Are the SMS codes based on Time-based One-Time Password algorithm (TOTP) like Authenticator app?

No, the 6 digit codes delivered by SMS are just random digits.

For how long can I use the 6 digit code received by SMS?

The 6 digit code can only be used once and it expires after 5 minutes, counting down from when the SMS was sent to your phone. Depending on SMS delivery times, you will have less than 5 minutes remaining when SMS is received at your phone.

What if I lose my one-time emergency code?

If you lost the one-time emergency code and forgot to store it safely upon activation as instructed, you must contact your local customer support who can re-generate one for you.