Setting up Your Client Portal and Enabling Multi-Factor Authentication

Learn how to set up your Karbon Client Portal and enable Multi-Factor Authentication (MFA).

Written by Erin Jamison
Updated over a week ago

This guide will walk you through setting up your Karbon Client Portal and enabling Multi-Factor Authentication (MFA). Please note that if you choose to set up a Client Portal, or are required to, you will need to set up a form of MFA. MFA enhances the security of your account by requiring you to verify your identity using two methods: something you know (your password) and something you have (such as a code sent to your phone or email, or generated by an authentication app).

Please review the guide below, and if you need assistance, feel free to reach out to support@karbonhq.com.

1. Accept the Invite:

When your accountant sends the invite, you will receive an email. Click the link or button in the email to accept their invite.

2. Create a New Account:

Select "Create a new account" to begin the setup process.

3. Sign In with Your Email:

Sign in using your email address. You will have the option to choose your email provider or manually enter your email address and login credentials.

4. Review and Agree to the Policies:

Before proceeding, please review and agree to the following policies:

  • Privacy Policy - Karbon's privacy policy explains what personal data they collect from users of their services (website, apps, platform), how they use it, and what rights users have regarding their data (access, correction, deletion, etc.). It also covers data transfers, cookies, and how users can control their information.

  • Terms of Use - Karbon's terms of use outline the rules and regulations for using their services. It covers user responsibilities, intellectual property rights, payment terms, dispute resolution (including arbitration), and limitations of liability.

5. Set Up Multi-Factor Authentication (MFA):


For added security, you will need to set up Multi-Factor Authentication (MFA). This process requires verifying your identity using something you know (your password) and something you have (such as a code sent to your phone or email, or generated by an authentication app).

Comparison of MFA Methods

| MFA Method | Security | Convenience | Best Use Case |
| --- | --- | --- | --- |
| Authenticator App | 🔒🔒🔒 Most Secure | Moderate | Best for high-security accounts (e.g., banking, work) |
| Phone (SMS) | 🔒 Moderate Security | Simplest | Best for general accounts, but vulnerable to SIM-swaps |
| Email | 🔒 Least Secure | Easiest Backup Method | Best as a secondary option or backup method |

1. MFA via Authenticator App

Authenticator apps provide a more secure way to verify your identity than SMS or email by generating time-based one-time passcodes (TOTP) that change every 30 seconds. These apps work offline and protect against phishing and SIM-swap attacks.

How It Works:

  1. Log in to your account with your username and password.

  2. Select the Authenticator App as your MFA method.

  3. Scan a QR code or manually enter a setup key provided by the service.

  4. The app generates a 6-digit time-based code that refreshes every 30 seconds.

  5. Enter the code from the app into the website’s verification field.

  6. Once verified, access to your account is granted.
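How the setup key and the clock together produce the 6-digit code, and how a service can check it, shown as an added example that is not Karbon's code. It assumes the standard RFC 6238 algorithm with HMAC-SHA1; the setup key is a constructed sample, and the `verify` parameters are illustrative names.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as stated in the guide
DIGITS = 6   # code length, as stated in the guide

# Constructed sample setup key (the RFC 6238 test secret), not a real account key.
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

def decode_setup_key(key: str) -> bytes:
    """Decode a manually typed base32 setup key into the shared secret."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # typed keys often omit padding
    return base64.b32decode(cleaned)

def totp_at_step(secret: bytes, step: int) -> str:
    """RFC 6238 code for one 30-second time step (HMAC-SHA1 assumed)."""
    digest = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: int) -> str:
    """Code an authenticator app would display at unix_time."""
    return totp_at_step(secret, unix_time // STEP)

def verify(secret, submitted, unix_time, last_used_step=-1, drift=1):
    """Server-side check: return the matching time step, or None.

    Accepts +/- `drift` steps for clock skew and rejects any step at or
    before `last_used_step`, so a captured code cannot be replayed.
    """
    current = unix_time // STEP
    for step in range(current - drift, current + drift + 1):
        if step <= last_used_step:
            continue
        expected = totp_at_step(secret, step).encode()
        if hmac.compare_digest(expected, submitted.strip().encode()):
            return step
    return None

if __name__ == "__main__":
    secret = decode_setup_key(SAMPLE_SETUP_KEY)
    print(totp(secret, 59))  # code shown during the second 30-second window
```

Because the code depends only on the shared secret and the current time, the app needs no network connection, and anyone who obtains the setup key can generate the same codes.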

Recommended Authenticator Apps

1. Microsoft Authenticator

📱 Platforms: iOS, Android
🔹 Best for: Microsoft users and general authentication
🔹 Supports: Push notifications, one-time passcodes (OTP), and passwordless login

2. Google Authenticator

📱 Platforms: iOS, Android
🔹 Best for: Simple, widely compatible MFA
🔹 Supports: One-time passcodes (OTP)

3. Authy

📱 Platforms: iOS, Android, Desktop (Windows, macOS, Linux)
🔹 Best for: Users needing multi-device support
🔹 Supports: One-time passcodes (OTP), cloud backups, and encrypted storage

4. 1Password Authenticator

📱 Platforms: iOS, Android, Windows, Mac
🔹 Best for: Those already using 1Password for password management
🔹 Supports: Integrated MFA within 1Password vault, easy autofill

5. LastPass Authenticator

📱 Platforms: iOS, Android
🔹 Best for: Users of LastPass password manager
🔹 Supports: Push notifications, one-time passcodes (OTP)
🔹 Cloud Backup: ✅ Yes (when using a LastPass account)

Setting up Your Authentication App

  1. Download and install one of the recommended authenticator apps.

  2. Log in to your client portal and navigate to the MFA Setup section.

  3. Select Enable MFA and scan the QR code provided using your authenticator app.

  4. Enter the verification code generated by the app to complete the setup.

  5. Save your backup codes in a secure location in case you lose access to your authenticator.

Best Practices for Saving MFA Backup Codes

Backup codes are crucial in case you lose access to your authenticator app. Here are the best practices for storing them securely:

1. Store in a Password Manager (Recommended)

  • Use a trusted password manager like 1Password, LastPass, or Bitwarden to store your backup codes securely.

  • These tools encrypt your data and make it easy to retrieve your codes when needed.

2. Write Them Down & Store Securely

  • Write your backup codes on paper and store them in a safe place, such as:

    • A locked safe or fireproof document box.

    • A wallet (if you need quick access but with caution).

3. Save to an Encrypted Digital File

  • Store your codes in an encrypted text file, PDF, or secure note.

  • Use BitLocker (Windows), FileVault (Mac), or VeraCrypt to encrypt the file.

4. Print and Keep in a Secure Location

  • Print the codes and store them where you keep important documents (e.g., passport, birth certificate).

5. Do NOT Store in Unprotected Digital Formats

🚫 Avoid saving backup codes in:

  • Plain text files, emails, or unencrypted notes.

  • Screenshots stored in your gallery or cloud without encryption.

  • Shared locations like Google Drive or Dropbox unless encrypted.


2. MFA via Email

When using email for MFA, a one-time passcode (OTP) is sent to your registered email address. You must enter this code within a short time frame to verify your identity.

How It Works:

  1. Log in to your account with your username and password.

  2. Select Email Verification as your MFA method.

  3. A 6-digit one-time passcode (OTP) is sent to your registered email address.

  4. Open your email and retrieve the OTP.

  5. Enter the OTP in the designated field to complete verification.

Best Practices for Email MFA:

✅ Use a secure, personal email (preferably with MFA enabled).
✅ Regularly check and update your recovery email address.
✅ Enable email encryption if available to prevent interception.


3. MFA via Phone (SMS)

Using your phone number for MFA provides an extra layer of security by requiring a one-time passcode (OTP) sent via SMS (text message) to verify your identity.

How It Works:

  1. Log in to your account with your username and password.

  2. Select Phone (SMS) as your MFA method.

  3. A one-time passcode (OTP) is sent to your registered phone number via text.

  4. Enter the OTP into the website’s verification field.

  5. Once verified, access to your account is granted.

Need Help?

If you have any questions, check out our Karbon for Clients FAQ or contact your accountant for assistance.

If you're experiencing technical difficulties or something isn’t working as expected, please reach out to the Karbon Support team at support@karbonhq.com.

To help us assist you quickly, please include the following details in your email:

  • The firm or accountant you’re working with

  • Your name

  • A description of the issue, including any error messages, screenshots, or recordings (if possible)
