OwnerRez requires that all user accounts (both master logins and team access (staff member) logins) use two-factor authentication to ensure that their account is secure.
- What is Two-Factor Authentication?
- Enabling Two-Factor Authentication
- Requiring Your Team to Use It
- Common Issues & Questions
- Do I have to do this every time I log in?
- Can I turn it off? I don't like this.
- Staff/team users can't see the Safeguards page
- Can I get my verification code via a text (SMS) on my phone?
- I set up my two-factor authentication using a mobile authenticator app but never received my verification code.
- Can we have more than one user use an authenticator app on multiple devices?
- Everything was working fine and now I can't log in.
- Why do I have to do the two-factor authentication process every time I log in?
What is Two-Factor Authentication?
Over the past decade, after many high-profile and widespread major data breaches occurred on the internet (via phishing, etc.), many people have come to understand more about password security and the fact that a password alone can't keep their online profiles safe. That has led to the rise in the popularity of two-factor authentication, an additional layer of security that helps keep online accounts secure.
Two-factor authentication is an extra layer of security used to ensure that people trying to gain access to an online account are who they say they are. First, a user will enter their username and password. Then, instead of immediately gaining access, they will be required to provide another piece of information. This "second factor" could come from one of the following categories:
- Something you know: This could be a password, PIN, answers to "secret questions," or a specific keystroke pattern
- Something you have: Typically, a user would have something in their possession, like a credit card, a smartphone, or a small hardware token
- Something you are: This category is a little more advanced and might include a biometric pattern of a fingerprint, an iris scan, or a voice print
With two-factor authentication, a potential compromise of just one of these factors won't unlock the account. So, the chances of someone else having your second-factor verification information are improbable even if your password is stolen or your phone is lost.
Looking at it from another angle, if an OwnerRez user uses two-factor authentication correctly, our website and app can be more confident of the user's identity and unlock the account.
Regarding the categories above, OwnerRez uses "something you know" and "something you have" as our two factors.
Enabling Two-Factor Authentication
OwnerRez supports two primary methods of two-factor authentication: email and authenticator app. By default, email authentication is the method enabled when you first turn on two-factor authentication, but you can easily switch to the authenticator app method.
All new users (i.e., users that joined after this feature was put in place) will already have email-based authentication in your account, and there is no way to turn it off. But rest assured, enabling and using two-factor authentication is very easy, and you'll be glad it's in place. When historical users first enable the setting, the email method will be automatically turned on. Still, you can upgrade your account to the mobile authenticator app-based method to gain a higher level of security.
You can only use one method - email or authenticator app - not both simultaneously. Email is the method users will start with by default. When you switch to the authenticator app method, the email method will automatically turn off. When logging in, there is no way to select "email or authenticator app" on the fly. You can only use the authenticator app or email option, not both simultaneously.
To get started, head to the My Account area and click on Safeguards.
By Email
1. By default, OwnerRez accounts are configured to use 2FA via email. To see this, from the top My Account menu, find and select the Safeguards option.
2. You will see that Two-Factor Authentication is turned on with "Required" next to it. Below, it will show both Email and Authenticator App as the two-factor verification methods, and the Email method is enabled by default.
4. When you log in for the first time or change devices, you'll see a verification screen that stops you and asks for a verification code.
You have 300 seconds (5 minutes) to enter the code before it times out. No worries if it does time out - you can request the code again. Simply click the "Send Verification Email Again" button, and the page will reset.
5. To find the Verification Code, go to your email and look for a new message from OwnerRez that includes a code. Note that you may need to check your spam folder to find this message.
6. Copy and paste that code into the Verification Code field and click the "Verify" button.
That's it! If the code is correct (and hasn't expired), you're good to go and will get right in. If it's been too long or the code is bad, OwnerRez will email you another one.
You'll be able to log in to OwnerRez without entering a verification code for 28 days, unless you clear your cookies or log in with a new user account. The verification process only occurs on unknown devices the first time you log in to that device or if it's been over 28 days since you last verified.
By Mobile Authenticator App
1. Using a mobile authenticator app can only be done after you have authenticated with the email method first.
2. Once two-factor authentication by email is completed, go back to the Safeguards page and click the "Enable" button next to the App method.
3. A window will open asking you to scan a QR code. You will do this with the authenticator app of your choice.
If you're wondering what authenticator app we work with, the answer is all of them! Authy, Google, LastPass, Microsoft, and so on. Most authenticator apps follow a public specification about how to decode and use the QR code information.
4. Once you scan the QR code, the app will ask you to confirm the nickname or account name, which you can do however you want. You might put "OwnerRez: [my email]" in that space to remind you which one it is. Most authenticator apps will prefill this for you.
5. After the app has added your new account, it will show you a code - that will change every 30 seconds. Copy that code into the Verification Code box in OwnerRez underneath where you saw the QR code. Click "Save."
NOTE: Don't leave this screen before you enter the verification code; otherwise, you'll need to start again at step 4 to add a valid account to your authenticator app, as the code being generated won't match the key required (and you should remove your other account first to not confuse it with the new valid one you need to add).
6. If the verification code works, the page will reload, and you'll see that app-based authentication is now enabled.
You'll also notice that the email method is hidden. This is because the app-based method is more secure and easier to use, and there is no need for email if you have the app method turned on. For that reason, once the authenticator app is enabled, email is only available as a bypass method if users select it during log-in.
There may be situations where users do not have immediate access to their authenticator app.
If you are attempting to log into a device and do not have access to your Authenticator App to enter your authentication code. Simply click on the bottom "Try verifying by email instead" link.
And users will have a Verification Code sent by email instead of relying on their Authenticator App.
Requiring Your Team to Use It
OwnerRez offers a team access feature where you can invite staff members to use your OwnerRez account via their login. These accounts are also required to use two-factor authentication for their own personal logins. The system defaults to using email-based 2FA, but, each staff member has the option of choosing to use an authenticator app. The method they use (email, authenticator app) is displayed on the Team Access page that shows your staff invites.
Portal users (e.g., housekeepers and owners) cannot access the two-factor authentication settings. We may add it for portal users in the future, but it does not exist for those logins currently.
Common Issues & Questions
Do I have to do this every time I log in?
No. You will only be asked for a verification code the first time you log in to a new device (desktop, phone, tablet, etc.) or if it's been over 28 days since you last verified on that device. Also, if you clear the cookies on that device, OwnerRez will ask then, even if it's been less than 28 days.
Can I turn it off? I don't like this.
No, you cannot. Two-factor authentication is required for all users. Due to the success of OwnerRez and its growing customer base, our users are regularly targeted by phishing attacks. Attackers have tried to mine user data from OwnerRez by creating fake landing pages for users to enter their username/password into. By requiring two-factor authentication, we significantly increase the security of your account. Keep in mind the many important, private financial records that OwnerRez manages on your behalf. As with your online banking, it is essential that your OwnerRez account remains safe and protected. Two-factor authentication is straightforward to use and works flawlessly for all users.
Staff/team users can't see the Safeguards page
If you are logged in to the main account, you won't be able to access the Safeguards page for your own account. To get back to your own account, use the "Unimpersonate" button in the top-right corner to log back out of the main account into your own account.
Then you'll be able to access the Safeguards page for your own account.
Can I get my verification code via a text (SMS) on my phone?
No. Text (SMS) authentication is not currently an option. The only choice is email or an authenticator app.
I set up my two-factor authentication using a mobile authenticator app but never received my verification code.
It’s possible that your verification code was sent to an authenticator app but was sent to a native built-in app on your device rather than the authenticator app that you recently downloaded. Check your device settings to determine whether your device is using a native built-in authenticator app or another authenticator app that you downloaded.
- iOS
If you are using an iPhone, it is quite possible that your verification code was sent to the native built-in iOS authenticator app, Keychain. Need more help? Find, change, or delete saved passwords and passkeys on your iPhone or iPad or Mac.
iPhone users can check their authenticator app by navigating to Settings > Passwords.
Select Password Options.
Users will be able to determine which authenticator app is the current default but can also change the current default authenticator app as desired.
In this example, the user is currently using the Authy authenticator app for verification codes.
- Android
Unless an authenticator app was part of the device factory install, Android device apps are generally open source. Check your device settings to determine whether your device is using a native built-in authenticator app or another authenticator app that you downloaded.
Can we have more than one user use an authenticator app on multiple devices?
OwnerRez does not currently support adding the authenticator on multiple devices, nor is it recommended, for the following reasons.
- Enrolling two separate accounts is impossible because there is no way to access the initial QR code after the two-factor authentication app is configured, as the code only comes up before two-factor authentication registration.
- Users need to use the same authenticator app with the same login. One user can’t use Authy and the other Google.
While not recommended by OwnerRez, it is possible to install the same authenticator account on another user’s device and the verification code registration should appear in that authenticator account. This requires all users to do the two-factor authentication process together all at once at the same time to scan and use the same initial QR code.
Everything was working fine and now I can't log in.
Enabling your two-factor authentication can be tricky, especially if your inital verification code expires or if OwnerRez hasn't verified your login in a while. On the Two-Factor Authentication pop-up modal, users will see that their previous code has expired. Click on the button (as shown below) to have OR send you another verification email.
Why do I have to do the two-factor authentication process every time I log in?
You should only be asked for a verification code the first time you log in to a new device (desktop, phone, tablet, etc.) or if it's been over 28 days since you last verified on that device. However, if users have NOT enabled cookies for the OwnerRez website and/or progressive web app, they may be asked to complete the two-factor authentication process every time they log in.
OR recommends that users enable cookies for the OwnerRez website and/or progressive web app to avoid having to complete the two-factor authentication process every time they log in.