Why MFA? We were so used to logging in and having our browser remember us

Multi-Factor Authentication (MFA) adds an extra layer of security by verifying your identity when logging in. While saved passwords may seem convenient, MFA significantly reduces the risk of unauthorised access — especially for shared or sensitive accounts.

You can still choose to “remember this device” after verifying, which stores a secure trust token to reduce how often MFA is required. However, certain conditions can reset that trust (see below).

I'm not receiving my verification code

If you’re not seeing the verification code in your inbox, please:

  • Check your spam or junk folder

  • Ensure the email address on file is correct and accessible

  • Avoid using a shared mailbox — MFA may not work reliably. We recommend unique user email addresses

  • Codes are sent via email only, and are valid for 30 minutes

If you're still not receiving the code, please contact our support team with your username and the time you attempted to log in so we can assist.

Is “remember location” based on IP address or device?

No — trusted device logic does not use your IP address.

The “Remember this device” function uses a cookie stored in your current browser to identify trusted logins. The system doesn’t track or validate by IP, but if the token is missing or invalid, MFA will be required again.

You may be prompted for MFA again if:

  • You log in using private/incognito mode

  • Cookies or site data are cleared (manually or automatically)

  • You use a different browser or browser profile

  • You're using ad-blocking or privacy extensions

  • You're on a corporate machine that clears browser data

  • Your organisation uses rotating IPs/VPNs (IP does not matter, but VPN tools may also wipe cookies)

Tips to reduce repeated MFA prompts

On the affected device:

  • Use a normal browser window (not incognito/private mode)

  • Allow cookies for https://www.bookeasy.com.au/

  • Ensure your browser is not set to clear cookies on exit

  • Temporarily disable privacy/ad-blocking extensions

  • Confirm you're using the same browser and profile each time

  • If you’re on a managed device, check with IT if security policies wipe cookies or storage between sessions

Can we get verification codes sent to mobile instead of email?

Currently, verification codes are only sent via email. We understand SMS or app-based MFA can be more flexible, and this may be considered in future updates.

For now, please ensure:

  • Each user has a unique, accessible email address

  • Shared inboxes are avoided for best results

Can we turn off the 90-day password expiry?

No — the 90-day password expiry is a system-wide security setting. It cannot be disabled for individual users or consoles. We understand this may be a shift, but it’s part of our commitment to protecting user accounts.

Users will be prompted to update their password after 90 days via the MFA process.

Why do I keep getting MFA prompts even after selecting “Remember this device”?

This is usually due to:

  • Cleared cookies or cache

  • Logging in using a different browser or profile

  • Private browsing/incognito mode

  • Device security tools that reset browser data

  • Ad-blocking or privacy extensions blocking local storage

Remember: trust is per-browser, per-user — not per device or IP. If anything disrupts the browser’s local storage, you’ll be asked to verify again.

Can we change a username?

Yes — we can update usernames. Please contact our support team with the current username and the preferred new one. We’ll take care of the change and confirm once complete.

Why is the system not accepting the new password I’m entering?

If your new password isn’t being accepted, it may be due to:

  • Not meeting the required complexity (minimum 12+ characters, mix of uppercase, lowercase, numbers, symbols)

  • Reusing a recent password

  • Using auto-fill with an older password

We recommend typing in a brand-new password manually. If you’re still having trouble, contact us for help.

Can we disable MFA for shared or kiosk-style staff accounts?

MFA is required for all users, including shared or kiosk logins.
However, we strongly recommend individual logins and unique email addresses for each staff member. Shared access may cause frequent MFA prompts or verification issues.

Help us troubleshoot — what to send

If you're experiencing frequent or unusual MFA prompts, please provide:

  • Username

  • Device type and browser used

  • Date & time of the prompt

  • Whether private browsing was used

  • Whether cookies or cache were recently cleared

  • Whether the device or browser is shared with others

  • Whether any VPN or security tools are in place

This helps us identify the root cause more quickly.