This article explains how to set up Personio Credentials (email and password) as your organization's login method. With this method, employees log in to Personio with their email address and Personio-managed password. Personio Credentials is the default login method for Personio, but there are other login methods available too.
This article also explains how to enable two-factor authentication (2FA) for all employees or specific employee roles. Enabling 2FA adds an extra layer of security to prevent unauthorized access. Note that 2FA only applies to email and password login, as described in this article. It doesn't apply if your employees use single sign-on (SSO) to log in.
Before you start
- To set up email and password login for your organization, you need one of the following permissions:
  - An Administrator role in Personio, or
  - An employee role with edit permissions for Account configuration > Authentication.
- If you're enabling 2FA for a custom role, you need to create the employee role before you can enable 2FA. Preset roles like Administrator are already available.
Set up Personio Credentials (email and password) login
To set up email and password login for your employees, follow these steps:
- Go to Settings.
- In the Security & integrations section, click Security & authentication.
- From the list of login methods, enable Personio Credentials.
- Recommended: Next to Password and 2FA security settings, click Manage.
  - Enable the password expiration policy. This requires all employees to change their Personio password every 90 days. When you turn on this setting:
    - Employees see a recommendation to change passwords older than 80 days when they log in.
    - Employees need to change passwords older than 90 days when they log in.
  - Enable 2FA, as described in the section below.
Enable 2FA
Enable 2FA for all employees or certain employee roles
You can enable 2FA to better protect the data stored in Personio. 2FA adds an extra layer of security to prevent unauthorized access.
You can enable 2FA for any employee role in Personio. When 2FA is active, every employee in that role needs to complete two steps to log in:
- Enter their email address and password.
- Enter a code generated on their mobile device or one sent to their email.
To enable 2FA, follow these steps:
- Go to Settings.
- In the Security & integrations section, click Security & authentication.
- Under Personio Credentials, click to manage password and 2FA settings.
- In the Two-factor authentication (2FA) section, click the dropdown menu.
- Select the checkbox at the top for All employees or for each employee role that requires 2FA.
- Save your changes.
Learn how your employees can set up and start using 2FA.
Tip:
You can turn on 2FA for specific employees within a role (for example, power users). To do this, create a role without any extra permissions. Then, add those employees to this role and enable 2FA for that role.
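The rules described above (the 80-day recommendation and 90-day forced change of the password expiration policy, 2FA required per role or for all employees, the dedicated role from the tip, and re-enrolment after an administrator resets 2FA) interact in ways that are easy to get wrong when you plan a rollout. The following Python model is an added illustration, not Personio's code or API; the employee records, role names such as "2FA power users", and the reading of "older than N days" as strictly more than N days are assumptions made for the example.

```python
"""Added illustration (not Personio code): a small model of the login rules this
article describes, so the interaction of the password expiration policy and
role-based 2FA can be checked against concrete cases."""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Thresholds stated in the article: a change is recommended for passwords
# older than 80 days and required for passwords older than 90 days.
RECOMMEND_AFTER_DAYS = 80
EXPIRE_AFTER_DAYS = 90


@dataclass(frozen=True)
class Employee:
    email: str
    roles: frozenset            # names of the employee roles assigned in Personio
    password_changed: date      # date of the last password change
    totp_enrolled: bool         # False before first 2FA setup and after an admin reset


@dataclass(frozen=True)
class LoginPolicy:
    password_expiration: bool   # the "password expiration policy" toggle
    twofa_roles: frozenset      # roles ticked in the 2FA dropdown
    twofa_all_employees: bool = False   # the "All employees" checkbox


def password_status(emp: Employee, policy: LoginPolicy, today: date) -> str:
    """Return 'ok', 'recommend_change' or 'must_change' for this login.
    'Older than N days' is read as strictly more than N days (an assumption)."""
    if not policy.password_expiration:
        return "ok"
    age = (today - emp.password_changed).days
    if age > EXPIRE_AFTER_DAYS:
        return "must_change"
    if age > RECOMMEND_AFTER_DAYS:
        return "recommend_change"
    return "ok"


def second_factor_step(emp: Employee, policy: LoginPolicy) -> str:
    """Second login step for this employee: 'none', 'verify_code' (authenticator
    already linked) or 'enroll_then_verify' (2FA required but no authenticator
    linked, which is the state after an administrator reset)."""
    required = policy.twofa_all_employees or bool(emp.roles & policy.twofa_roles)
    if not required:
        return "none"
    return "verify_code" if emp.totp_enrolled else "enroll_then_verify"


def login_requirements(emp: Employee, policy: LoginPolicy, today: date) -> dict:
    return {"password": password_status(emp, policy, today),
            "second_factor": second_factor_step(emp, policy)}


def reset_twofa(emp: Employee) -> Employee:
    """Admin-side reset: disconnects the current authenticator, so the employee
    has to set up 2FA again on the next login."""
    return replace(emp, totp_enrolled=False)


# Constructed sample data, not real accounts. The "2FA power users" role follows
# the tip above: a role with no extra permissions, used only to require 2FA.
SAMPLE_POLICY = LoginPolicy(password_expiration=True,
                            twofa_roles=frozenset({"Administrator", "2FA power users"}))
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_EMPLOYEES = {
    "admin@example.invalid": Employee("admin@example.invalid", frozenset({"Administrator"}),
                                      date(2024, 2, 1), True),     # password 121 days old
    "staff@example.invalid": Employee("staff@example.invalid", frozenset({"Employee"}),
                                      date(2024, 3, 10), False),   # password 83 days old
    "power@example.invalid": Employee("power@example.invalid",
                                      frozenset({"Employee", "2FA power users"}),
                                      date(2024, 5, 20), True),    # password 12 days old
}


def status_for_age(days: int) -> str:
    """Password status for a hypothetical employee whose password is `days` old."""
    emp = Employee("x@example.invalid", frozenset(),
                   SAMPLE_TODAY - timedelta(days=days), False)
    return password_status(emp, SAMPLE_POLICY, SAMPLE_TODAY)


def demo(today: date = SAMPLE_TODAY) -> dict:
    """Evaluate every sample employee, plus the power user after an admin 2FA reset."""
    results = {email: login_requirements(e, SAMPLE_POLICY, today)
               for email, e in SAMPLE_EMPLOYEES.items()}
    after_reset = reset_twofa(SAMPLE_EMPLOYEES["power@example.invalid"])
    results["power@example.invalid (after reset)"] = login_requirements(
        after_reset, SAMPLE_POLICY, today)
    return results


if __name__ == "__main__":
    for who, req in demo().items():
        print(f"{who}: {req}")
```

Running the module shows the administrator forced to change an expired password while still verifying a code, the ordinary employee nudged but not forced and with no second step, and the power user moving from "verify_code" to "enroll_then_verify" once an administrator resets their 2FA. The boundary helper makes the threshold reading explicit: a password exactly 80 or 90 days old is still on the lenient side of each rule.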
Enable 2FA for Administrators
Administrator accounts have full access to all data and settings in Personio. Requiring 2FA for Administrators reduces the risk of unauthorized access to sensitive employee data.
To enable 2FA for Administrators:
- Go to Settings.
- In the Security & integrations section, click Security & authentication.
- Under Personio Credentials, click to manage password and 2FA settings.
- In the Two-factor authentication (2FA) section, click the dropdown menu and select the checkbox next to Administrator.
Reset 2FA for an employee
When an employee loses access to their authenticator app, you can reset their 2FA setup. This is useful when employees lose their phone, switch to a new authenticator app, or can't access their codes.
Resetting disconnects their current authenticator app. They need to set up 2FA again the next time they log in.
To reset 2FA for an employee:
- Go to the employee's profile.
- Click the three-dots icon in the top right.
- Click Manage account.
- Reset the 2FA.
Give employees permission to reset their own 2FA
You can give employees permission to reset their own 2FA. To set this up:
- Go to Settings.
- In the People section, click Roles & permissions.
- Select the role.
- Click Permissions.
- In Manage accounts > Manage accounts, select Edit access for Own.
Employees can then reset their 2FA from their profile.