How Sona's authentication methods work, which to choose for different employee types, and what to do when access goes wrong.
Applies to: Admin
Jump to a section:
- The two standard authentication methods
- Critical rule: which method works where
- How to choose the right method
- How to configure authentication for an individual employee
- How employees log in using each method
- How to change an employee's authentication method
- What to do when an employee loses access
- SSO (Single Sign-On): Microsoft, Okta
- Kiosk mode: a separate access type
- Security considerations
- How authentication affects password reset
The two standard authentication methods
Sona has two standard ways for employees to log in:
Mobile number login (SMS OTP)
The employee enters their mobile number and an organisation code in the app. Sona sends a one-time passcode (OTP) by SMS to that number. The employee enters the code to gain access. No password is needed. The SMS is sent fresh each time the employee logs in.
Email login
The employee enters their email address and a password to log in. This is a traditional username/password flow, accessible via the Sona web portal.
In addition to these two, Sona supports SSO (Single Sign-On via Microsoft, Okta) for organisations with enterprise identity management. SSO is covered separately below.
Critical rule: which method works where
This is the most important thing to understand about Sona authentication, and the single most common source of access issues:
| Method | Mobile app | Web portal (browser) |
|---|---|---|
| Mobile number (SMS OTP) | ✅ Works | ❌ Does not work |
| ❌ Does not work | ✅ Works | |
| SSO (Microsoft / Okta / ADFS) | ✅ Works | ✅ Works |
| Kiosk | ✅ App only | ❌ Does not work |
An employee set up with only email authentication cannot log into the Sona mobile app. If they try, they will be taken to the phone number screen but will not be able to proceed without a valid mobile number authentication set up.
An employee set up with only mobile number authentication cannot log in via a desktop web browser. They must use the app.
This means: for any employee who needs to use the Sona mobile app (which is the vast majority of frontline staff), you must use mobile number login or SSO. Email-only authentication is only appropriate for staff who will always access Sona via a desktop web browser and never need the app.
How to choose the right method
Use mobile number login for:
- Frontline / hourly employees who access Sona via the mobile app
- Care workers, hospitality staff, retail staff — any role where the primary interface is the app
- Employees who do not have a work email address
- Employees who are likely to lose access to a corporate email but will keep their personal mobile number
Use email login for:
- Office-based staff who will only ever access Sona via a desktop browser (admin portal)
- HR, finance, or payroll users who only need the web interface
- Users without a personal mobile number who have a stable email address
- Cases where your IT policy requires password-based authentication rather than SMS
Use SSO for:
- Organisations with Microsoft Azure AD or Okta where employees already have single sign-on credentials
- Environments where employees should use their corporate identity to access all systems
- Cases where both mobile app and web access are needed with a consistent login experience
- Highly regulated environments where centralised identity management is required
Most care, hospitality, and other frontline organisations use mobile number login for the majority of their workforce. The SMS OTP approach removes the friction of forgotten passwords and works well for employees who may not have or regularly access a work email address.
How to configure authentication for an individual employee
- Go to Employees in the admin portal and open the employee's record.
- Navigate to the Login Credentials section.
- Click Add login credential
- Click below the existing login credentials( if there are any) to add a new login credential
- Choose the authentication method:
- For mobile number: enter the employee's mobile number in international format (e.g. +44 followed by the number without the leading 0). The number must be unique — no two employees can share a mobile number for login.
- For email: enter the employee's email address. The address must be unique across the organisation.
- For SSO: select the SSO provider (Microsoft / Okta) and enter the employee's SSO email or identifier.
- Save.
The employee can now log in. For mobile number login, they will need the organisation code to enter on the login screen of the app. This code is fixed for your organisation and will likely already be known. If not, ask your Sona Administrators, or your Sona Customer Success Manager.
The organisation code is what employees enter first when opening the Sona app. It identifies which organisation they belong to before they enter their mobile number or SSO credentials.
How employees log in using each method
Mobile number login (app):
- Open the Sona app.
- Enter the organisation code.
- Enter mobile number.
- Receive SMS with one-time passcode.
- Enter the code.
- Access granted. The session stays active; the employee does not need to log in again on the same device unless they log out.
Email login (web portal):
- Go to the Sona web portal URL (app.sona.is or your organisation's custom URL).
- Enter email address and password.
- Access granted.
Password reset for email login: the employee can request a password reset email from the login screen. A reset link is sent to their registered email address. See How authentication affects password reset below.
SSO login:
- Open the Sona app or go to the web portal.
- Enter the organisation code (app) or select the SSO login option (web).
- Redirected to the organisation's identity provider (Microsoft / Okta).
- Authenticate with corporate credentials.
- Access granted.
How to change an employee's authentication method
You can change an employee's authentication method at any time from the Login Credentials section of their employee record.
To switch from mobile number to email (or vice versa):
- Open the employee's record and go to Login Credentials.
- Remove or deactivate the existing authentication method.
- Add the new authentication method with the relevant credential.
- Save.
Important: the employee will lose access immediately when the old credential is removed. Ensure the new credential is added and confirmed before communicating the change to the employee.
To add a second authentication method: an employee can have more than one authentication method configured simultaneously. For example, you could add both mobile number and email login, which would allow them to log in either way. This is useful for managers who need both app access (mobile) and desktop access (email/SSO).
Syncing the contact mobile number with the auth strategy: in Sona, the contact mobile number field on the employee record and the mobile authentication credential are linked. If a manager updates the contact mobile number on an employee's record (and has the appropriate permissions), this will also update the mobile authentication credential. Be careful when updating mobile numbers — an incorrect update can lock the employee out.
What to do when an employee loses access
Employee changed their mobile number:
- Go to the employee's record in the admin portal.
- Navigate to Login Credentials.
- Update the mobile number to their new number.
- The employee can now log in with the new number.
If you update the contact mobile number field (not Login Credentials), confirm whether this also updates the auth credential — the sync behaviour depends on which field is updated and the manager's permissions. When in doubt, update Login Credentials directly.
Employee no longer has access to their registered email:
- Go to the employee's record.
- Navigate to Login Credentials.
- Update the email address to their new address.
- If the employee has forgotten their password, use the Reset Password option to send a new reset link to the updated address.
Employee locked out entirely (cannot receive SMS, no email access):
Contact Sona Support with the employee's name and the situation. The support team can manually reset or update the authentication credential if needed.
Employee on SSO has been removed from the identity provider:
If an employee leaves the organisation and is deprovisioned from your Microsoft or Okta tenant, they will automatically lose access to Sona (Some organisations choose to allow fallback to email, in which case the email login credential would also need to be removed). No separate action is required in Sona unless you also want to terminate their employment record.
SSO (Single Sign-On): Microsoft, Okta
SSO allows employees to log in to Sona using their existing corporate credentials. Once configured at the organisation level (which is done during implementation by Sona), individual employees are configured by adding an SSO auth strategy on their Login Credentials page.
SSO works for both the mobile app and the web portal — unlike email-only login which is restricted to the web. This makes SSO the best of both worlds for organisations whose staff need both interfaces.
Note: Sona must complete a setup process for each SSO provider at the organisation level. Customers cannot configure SSO themselves — it requires a setup task from the Sona implementation or support team. Contact Sona Support to initiate SSO setup if it has not already been done.
Kiosk mode: a separate access type
Kiosk mode is a separate access type, not an authentication method for individual employee logins. Kiosk mode allows a shared device (such as a tablet at a care home entrance) to be set up so that employees can clock in and out using a short PIN code, without each employee needing to log in and out of the app individually.
Kiosk access is configured at the device level, not the employee level. It only works in the Sona app (not the web browser). Employees use their assigned kiosk PIN code to clock in/out — they do not use their main login credentials on a kiosk device.
Security considerations
Mobile number login security: SMS OTP is generally considered adequate security for frontline worker access. One-time passcodes expire quickly and cannot be reused. The main risk is SIM swapping or a lost/stolen phone — if an employee reports their phone lost, updating their authentication mobile number promptly removes the risk of unauthorised access.
Email login security: email login requires a password, which introduces the risk of weak passwords or reuse of credentials from other services. For admin-level users who have email login, strong passwords and ideally SSO are recommended.
Shared mobile numbers: Sona requires each mobile number to be unique per employee. Employees cannot share a login credential. If two employees share a phone (which is sometimes the case in care environments), each needs their own unique number configured, or kiosk mode should be used for shared device clock-in.
Restricting admin access: admins and managers who have high-level permission roles should use SSO or email login rather than SMS OTP where possible. SSO in particular allows central management of access — deprovisioning a user from your identity provider immediately removes their Sona access.
Employees changing their own mobile number: if your organisation allows employees to update their own contact details via the app (Personal Settings), be aware that this may also update their authentication mobile number, depending on your configuration. Consider whether this level of self-service is appropriate for your security posture.
How authentication affects password reset
Mobile number login: there is no password to reset. The employee always receives a fresh SMS OTP each time they log in. If an employee cannot receive the OTP (e.g. wrong number registered), an admin updates their mobile number in Login Credentials.
Email login: employees can reset their own password from the web login screen by clicking "Forgot password" and entering their email address. A reset link is sent to that address as long as it is a valid login credential. If the employee no longer has access to the registered email address, an admin must update the email in Login Credentials before the employee can receive the reset link.
SSO: password management is handled entirely by the organisation's identity provider (Microsoft / Okta). Employees reset their password through their corporate IT process. Sona has no visibility of or control over SSO credentials.
Frequently Asked Questions
Q: An employee says they can't log in on their phone. Their record shows email login is set up. What do I do?
Email login only works on the web portal — it cannot be used in the mobile app. Change their authentication method to mobile number login in the Login Credentials section, ensure their mobile number is entered, and ask them to log in using the Sona app with their mobile number and the organisation code.
Q: Can one employee have both email and mobile login?
Yes. You can configure both methods simultaneously on the same employee record. The employee can then log in via either method.
Q: What is the organisation code and where do I find it?
The organisation code is a short identifier that employees enter on the first screen of the Sona app to identify which organisation they belong to. It is unique to your organisation and is the same for all employees. It is commonly already known by your Sona Administrators. If not, you can contact your Sona Customer Success Manager or the Sona support team.
Q: An employee has left and returned. Do I need to set up their login credentials again?
If the employee was terminated in Sona and a new employment period has been created for their rehire, check whether their Login Credentials are still in place. In most cases the credential persists — the employee may be able to log in immediately once the new employment period is active. Confirm this before their start date to avoid access delays.
Q: We have employees who work across two organisations in Sona. Can they use the same login?
For mobile number login, the same mobile number can be used across different Sona organisations. Logging in works by entering the organisation's unique company code and then the mobile number — so the employee logs in to each organisation separately by using the relevant company code each time. They cannot view data from both organisations within a single login session; they need to log out and log back in with the other company code to switch between them.
Note that two employees within the same organisation cannot share a mobile number — it must be unique per employee within each organisation.
For email login or SSO, separate credentials are typically needed per organisation unless your SSO provider is configured to cover both.
Still need help?
Contact Sona Support with the employee's name, the authentication method they are trying to use, the device or browser they are using, and a description of the error or issue.