Multi-factor authentication (MFA) troubleshooting

Alerts and notices

Overview

Use this article to troubleshoot multi-factor authentication (MFA) issues with your account, your device, or your software. Before following any instructions listed here, find out which account type you have:

Lost or new device does not recognize MFA

If you lose, replace, or reset your MFA device you will lose the MFA pairing previously enabled for your account. If you have a backup MFA option enabled, see Remove MFA devices from an account  to remove or add a new device .  Otherwise,  your firm administrator can generate a temporary access code for your account.

If your admin account is inaccessible and another admin is not available, contact Support at 800.968.0600 for assistance.

Thomson Reuters ID administrators

  1. Visit the My Account page on our website and log in to your Thomson Reuters ID administrator account.
  2. Click the Manage Accounts link under the My Firm heading.
  3. On the Manage Accounts page, locate the row for the desired staff member and click Modify.
  4. Scroll down to the bottom of the page for the selected staff member and click the Get Temp 24hr Code button. The page will refresh and display the generated numerical code in a field directly below this button.
  5. Provide the generated code to the affected staff member. They can use this code by clicking the Enter a code link on the application login screen.

NetStaff CS administrators

  1. Log in to your NetStaff CS account.
  2. In the Admin tab of the navigation pane, do one of the following.
    • Click the Users link in the NetClient CS section to generate a code for a client.
    • Click the Users link in the NetStaff CS section to generate a code for a staff member.

    Note: If you don't see these links, you don't have access to these areas.

  3. Select the user.
  4. In the Identification section, click the View Settings button next to Multi-factor Authentication.
  5. In the dialog that opens, click the link to generate a temporary, 24-hour numerical code.
  6. Provide the code to the user. They can use this code by clicking the Enter a code link on the application login screen.

MFA Setup issues

Use the links below to learn more about specific issues you may encounter after setup.

This error message can occur on our website when you try to enable MFA for your Thomson Reuters ID. Try the following:
  1. Close your browser, visit tax.tr.com and click Log in on the top right corner. Click Sign in under "CS Professional Suite, Onvio" and log in using your Thomson Reuters ID. When prompted to setup MFA, click Set Up Now to launch the setup wizard and pair your device.
  2. Clear your browser's cookies and cache by  deleting temporary internet files or cached files.
  3. After clearing your browser's cache,  update the password associated with your account.
  4. Using your new password, sign in to your account and complete the steps in  Multi-factor authentication setup.
  5. If the MFA prompt is not available on the sign in page, complete the MFA setup steps using a different web browser or  Google Chrome in Incognito mode. This allows you to open a session of Chrome without recorded activity or history. If you snoozed the MFA prompt, a different browser or incognito mode allows the MFA setup message to appear again.

If these steps do not resolve the issue  contact support for further assistance.

Support: Complete the following steps if the customer is unsuccessful with clearing the error on their own:

  1. Confirm the user completed the steps above and after signing in to our website receives no MFA prompt.
  2. Open EMS, Ctrl+F, enter the user's e-mail address in the e-mail address field, check the Include Archived Firms and Search Firms boxes then click Search. If two or more accounts are found, see the CS Resolver, do not transfer.
  3. If issues persist, see Troubleshooting Thomson Reuters ID and authentication errors.

This message can appear if the device is disconnected from the internet or has an incorrect time setting.

  1. Check for issues with your device's current internet connection. To do so, visit any public website, such as reuters.com and verify the page opens. While scanning the QR code, if the code failed to generate over your cellular service, connect to a Wi-Fi network and try again. If the QR code failed to scan over a Wi-Fi connection, try turning off Wi-Fi and try again via your cellular network. 
  2. Check the time calibration on your device. Visit  http://time.is using the browser on your device and calibrate your device time to match the reported time.

This issue can occur after an attempt to scan a QR code fails while pairing your mobile app with your login credentials. Your mobile device successfully scans the QR code, but may be unable to communicate the successful scan back to the setup wizard on your desktop. You may resolve this error by confirming your device meets the mobile app's system requirements and verifying your device's Internet connection and clock settings. To do so, complete the following steps.

  1. Verify that your device's operating system meets the requirements for the mobile app. Android OS requires 4.1 and up - this can be found in the Additional Information section on Google Play. Compatibility with iOS requires 8.0 or later - this can be found under Compatibility on the App Store. If you authenticate your login credentials via a wearable device, such as a smartwatch, review the system requirements for your wearable device as well.
  2. Check for issues with your device's current internet connection. To do so, visit any public website, such as reuters.com and verify the page opens. While scanning the QR code, if the code failed to generate over your cellular service, connect to a Wi-Fi network and try again. If the QR code failed to scan over a Wi-Fi connection, try turning off Wi-Fi and try again via your cellular network. 
  3. Check the time calibration on your device. Visit  http://time.is using the browser on your device and calibrate your device time to match the reported time.

    Notes

    • The time shown on the computer used in this process must match the time shown on the MFA device.
    • Many devices have an option to sync with the time provided by the cellular or wireless network. To prevent time calibration issues in the future, activate “Use network provided time" on your device. Seek assistance managing device settings from the device manufacturer or operating system support to determine if this setting is available on your device and how to enable it.

This error can occur when the Thomson Reuters Authenticator mobile app has not been granted use of the camera on your mobile device, preventing the camera from reading the QR code you receive. To resolve this issue, give the mobile app access to use your mobile device's camera.

Note: If you did not grant the Authenticator app use of the camera during initial setup of the mobile app, seek assistance managing device permission settings from the device manufacturer or operating system support.

Login issues after MFA setup

Use the links below to learn more about specific issues you may encounter after setup.

Once you enable MFA and pair your device, an approval request is sent to the paired device when attempting to sign in. If you do not receive a request on your device, complete the following steps:

  1. Confirm your computer and your MFA device have an internet connection. If unable to connect to the internet, use the Enter a code option when signing in on the website or software and enter the MFA code generated by your device.
  2. Confirm the Authenticator app has permissions to use push notifications on the device.

    Note: Seek assistance for push notification management settings from the device manufacturer or operating system support. In order to sign-in in absence of push notifications, see Using the Authenticator app to sign in when your device does not have an internet connection.

  3. In the Authenticator app, if there is a Scan Code button or if your account is not listed, you have not paired this device to your account. To resolve this issue, you must pair a device, obtain a 24-hour code, or disable MFA for your account. See Multi-factor authentication setup for instructions.

    Note: This is generally a result of pairing your device, uninstalling the application and reinstalling the app again. When you uninstall the app, pairing information is lost.

If you are trying to log in to your application and are do not receive an MFA prompt on your device, do the following:

    • Confirm your computer has an internet connection. The CS Professional Suite applications will not prompt for MFA if they cannot connect to the internet. This allows you to sign in to your application using an MFA enabled account when an internet connection is not available.
    • Verify that MFA is set up for your login credentials. See the Pair your MFA device to your account steps in MFA Setup for instructions.

If a firm's login screen calls for an Onvio TRID and they are no longer licensed for Onvio, there are Onvio licenses that linger in their system. In order to remove the Onvio TRID login screen, rename the Onvio licenses.

If the firm still has valid Onvio licenses in Flash or EMS, put them in touch with Onvio support for assistance setting up or maintaining Onvio accounts.

Location License filename
WinCSI\Licenses\ ddxname.dat
WinCSI\Licenses\utYY\ iYdxname.dat

This can happen when the approval sent from your phone is interrupted before it reaches the website or application. To determine where interruption is, generate a code using the Authenticator app and attempt to sign in using the code.

  • If you cannot complete the sign in process using the code, complete the following steps:
    1. Check the time calibration on your device. Visit  http://time.is using the browser on your device and calibrate your device time to match the reported time.
    2. Setup firewall exceptions for CS Connect and CS Security completing the steps in Firewall guidelines for CS Professional Suite applications.
    3. Configure Windows settings for Internet Explorer.
  • If you can complete the sign in process using the code, complete the following steps:
    1. Confirm your device has an internet connection.
    2. Switching from WiFi to cellular data can help determine if there is an issue with the mobile device's connection.
    3. Apply any pending device OS updates.
    4. If the device has its own security application, that may also impede communication.

Note: Seek assistance from the device manufacturer or operating system support if issues persist with the device completing the authentication process.

When you install and setup your MFA app for the first time you receive prompts to enable fingerprint scan, facial recognition, or a passcode, even if you have not configured these features on your device.

If you have enabled fingerprint scanning or facial recognition and do not wish to use this feature, you will have to configure your device first. Set up on your devices' additional security features before continuing. Once enabled security features are setup on the device, you will be able to approve sign in attempts or disable the additional security features.

To disable additional security features in the Authenticator app, complete the following steps:

  1. Tap Settings.
  2. Toggle off the option for fingerprint scanning, facial recognition or passcode.
  3. Verify the request by completing the fingerprint scan, facial recognition or entering the passcode when prompted.
Notes:

If you have additional security enabled for the Thomson Reuters Authenticator, you won't be able to approve the MFA prompts using your Apple Watch.

In the Thomson Reuters Authenticator app, tap the gear icon and turn off the Security option.

If you enter a passcode to access your phone, or use your fingerprint or Face ID, the information in the Thomson Reuters Authenticator app is secured. If you do not use one of these methods to unlock your phone, you can enable this level of security just for the Thomson Reuters Authenticator app in the settings menu (gear icon).

Note: If you still cannot approve requests, make sure you have the latest updates for both your phone and your watch. You can also reboot both devices to re-connect them together.

Apple iOS version 11.0 introduced a function called Offload Unused Apps. If this function is enabled, the Thomson Reuters Authenticator app may be uninstalled/offloaded if it has not been used after a while. This will cause the approval to not work properly. To fix this, reinstall the Thomson Reuters Authenticator app by choosing the icon on the device's homepage and attempt to sign in again.

There are a couple of things to check to resolve this problem:

  • Make sure that UltraTax CS is on the latest version. If you're using UltraTax CS on Virtual Office or SaaS, you always have the most recent updates.
  • Check your Internet Explorer settings.
    • Verify that your version of Internet Explorer is supported.
    • Verify that Internet Explorer is fully updated.
    • Choose Tools > Internet Options > Advanced Settings. In the Security section, mark the boxes for TLS 1.0, TLS 1.1, and TLS 1.2.
  • Check your firewall settings, or ask your certified IT professional to check them for you.

Was this article helpful?

Thank you for the feedback!

Internal notes


Additional internal troubleshooting steps

This issue stems from a few causes. To work through the situation, complete the following steps:

  1. Close UltraTax CS and browse to WinCSI\utYYsys and locate the file _Yusumsc.windowsusername where YY it the last two digits and Y last digit of the year of the program. Rename the file, adding .old after the Windows Username.
  2. Ask if the user has the same login for both their NetStaff and Thomson Reuters ID accounts.
  3. Enable MFA on both the NetStaff and Thomson Reuters ID account (and Onvio, if applicable).  Do not skip this step.
  4. Change the login name used for the NetStaff account so it is not the same as the Thomson Reuters ID. See  changing NetStaff login for more information.
  5. Reset the NetStaff password.

To work through the situation, complete the following steps:

  1. Ask if the user has the same login for both their NetStaff and Thomson Reuters ID accounts.
  2. Enable MFA on both the NetStaff and Thomson Reuters ID account (and Onvio, if applicable).  Do not skip this step.
  3. Change the login name used for the NetStaff account so it is not the same as the Thomson Reuters ID. See  changing NetStaff login for more information.
  4. Reset the NetStaff password.

These types of errors are generated by the device's manufacturer and can affect all apps installed on the device. These are not Thomson Reuters' errors. The Thomson Reuters Authenticator app does not have an online requirement or license requirement. Some devices will occasionally need to be connected to the internet to update and allow access to applications. If a user reports this error, try the following:

  • have the user try to restart the device.
  • have the user try to connect the device to the internet.

If those items do not work, have the user contact the device's manufacturer or IT professional.

In order to remove the Onvio TRID login screen, rename the Onvio licenses.

If the firm still has valid Onvio licenses in Flash or EMS, put them in touch with Onvio support for assistance setting up or maintaining Onvio accounts.

Location License filename
WinCSI\Licenses\ ddxname.dat
WinCSI\Licenses\utYY\ iYdxname.dat