About Multifactor Authentication
Multifactor Authentication (MFA) is an electronic authentication method in which a user is granted access to an application only after successfully presenting two or more types of evidence to verify their identity. In IAM, this evidence is “knowledge” (the user’s credentials) and “possession” (a mobile phone or land line that has been registered with the user’s IAM account). Prompting the user to verify their identity in this manner safeguards the user’s personal information in targeted security attacks because even if a user’s credentials are compromised, the malicious actor will still be required to provide the “possession” evidence in order to access IAM.
Anchored in modern technology, MFA provides organizations peace of mind for the overall security of their systems from unauthorized access to confidential and critical data while saving unexpected costs for security. The primary benefits of IAM MFA include:
- Reducing the risk of security breaches by providing multi-step authentication for accessing sensitive data
- Providing peace of mind for your employees by demonstrating your commitment to protecting their personal information
- Deploying MFA across your organization easily and without incurring additional costs
- MFA features are integrated directly into the IAM platform with no need to establish a relationship or contract with a third party
- Deployment by client administration and registration by end-users is fast and simple
- MFA is applied to IAM native authentication (IAM-specific credentials) users in the web application based on their current role(s), including support for Pre-Start new hire and Terminate roles
- During the authentication process, users can verify their identities using the following options:
- Using the Authy mobile app
- Text message or Voice call
Multifactor Authentication is enabled at the organization level. New organizations added to IAM will have MFA enabled automatically.
A new section called MFA Configuration has been added to the Organization Details page with the following options:
- Multi Factor Authentication – enables multifactor authentication when selected and enables all MFA options on the page for selection
- Access IAM when MFA provider is unavailable – when selected, allows users to access IAM when the Authy service is unavailable to verify users
- Allow VOIP Phone Numbers – when selected, allows voice over IP telephone numbers to be used for multifactor authentication
- Days to Remember Users – A value from 0 to 30 is allowed. A value from 1 to 30 allows the user to log in to IAM without verifying their identity if they have done so within the configured number of days. 0 disables this option, requiring users to verify their identity every time they log in. The default value is 1.
  On the user's computer, this sets a cookie in the web browser so that the user is prompted for MFA validation only as often as the Days to Remember Users setting requires. If the user clears their cookies or changes web browsers, they will have to re-validate with MFA.
- IAM Roles – when selected, enables MFA for the Client Admin role, the Client User role, or both; the two options cannot both be blank, and at least one role must be selected
- In the MFA Configuration panel, select the Multi Factor Authentication option to enable MFA. All other options are selected automatically.
- Make any desired changes to the configuration and click Save.
When MFA is enabled at the Organizational level, users with any of the included roles are required to complete the MFA setup process.
The setup process appears the next time the user signs into IAM. The user is prompted to select the identity verification method they would like to use. The option selected determines the contact information that needs to be collected in the next step.
Dayforce Admins, Implementation Admins, and Customer Admin users can exclude specific users from having to use MFA for a defined period. The date through which the user will be excluded from MFA is shown even after the exclusion has expired for historical purposes. Once the exclusion date expires, the user must set up and use MFA. An admin is not required to take any further action to remove the exclusion or enable MFA for the user.
Information about which users are excluded (suspended) can be reviewed in the Reporting module using the Suspended MFA User report.
- Click the menu button, then click the organization name.
- Click Users.
- Search for and select the user you want to exclude.
- In the Exclude from MFA through field, enter the date through which you want to exclude the user from MFA requirements. Alternatively, click the calendar icon to use the calendar to select a date.
The user is excluded from MFA through midnight of the date selected and must begin using MFA the following day.
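The MFA Configuration options and the per-user exclusion date combine into one decision at each login. The sketch below is an added example, not Dayforce code: the class, field and function names are hypothetical, and the order of the checks and the "deny" outcome when the provider is down and the bypass option is not selected are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional


@dataclass
class OrgMfaConfig:
    """Mirrors the MFA Configuration panel (field names are hypothetical)."""
    mfa_enabled: bool = True
    allow_access_when_provider_unavailable: bool = False
    days_to_remember: int = 1  # 0 to 30; 0 means verify on every login
    mfa_roles: frozenset = frozenset({"Client Admin", "Client User"})

    def __post_init__(self):
        if not 0 <= self.days_to_remember <= 30:
            raise ValueError("Days to Remember Users must be between 0 and 30")
        if self.mfa_enabled and not self.mfa_roles:
            raise ValueError("at least one IAM role must be selected")


@dataclass
class LoginContext:
    roles: set
    now: datetime
    exclude_through: Optional[date] = None    # "Exclude from MFA through" date
    # Time of the last successful MFA check, as recorded by the browser cookie.
    # Assumption: the server has already authenticated the cookie's contents.
    last_verified: Optional[datetime] = None
    provider_available: bool = True


def mfa_decision(cfg: OrgMfaConfig, ctx: LoginContext) -> str:
    """Return 'challenge', 'deny', or 'skip:<reason>' so each bypass can be logged."""
    if not cfg.mfa_enabled:
        return "skip:mfa-disabled"
    if not (ctx.roles & cfg.mfa_roles):
        return "skip:role-not-in-scope"
    # Excluded through midnight of the selected date; MFA applies the next day.
    if ctx.exclude_through is not None and ctx.now.date() <= ctx.exclude_through:
        return "skip:excluded"
    if cfg.days_to_remember > 0 and ctx.last_verified is not None:
        age = ctx.now - ctx.last_verified
        if timedelta(0) <= age < timedelta(days=cfg.days_to_remember):
            return "skip:remembered"
    if not ctx.provider_available:
        if cfg.allow_access_when_provider_unavailable:
            return "skip:provider-unavailable"
        return "deny"  # assumption: without the bypass option the login is refused
    return "challenge"


if __name__ == "__main__":
    # Constructed sample: a Client User excluded through 10 May 2024.
    cfg = OrgMfaConfig()
    for when in (datetime(2024, 5, 10, 23, 59), datetime(2024, 5, 11, 0, 0)):
        ctx = LoginContext({"Client User"}, when, exclude_through=date(2024, 5, 10))
        print(when.isoformat(), mfa_decision(cfg, ctx))
```

Recording the returned reason for every skip gives a reviewable list of logins that completed without a second factor, which complements the Suspended MFA User report.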
When searching for users in an organization, you can sort by users who have been excluded from MFA.
- On the Users page, click the drop-down list on the left and select MFA Excluded User to show all users who are currently excluded from MFA using the process described in Exclude Users from Multifactor Authentication.
The following process is used to validate the identity of the person attempting to log in to IAM using MFA.
- On the login page, enter the username and password.
- On the Set Up Multifactor Authentication page, select Smartphone App (recommended).
- Click Next.
- In the Primary Phone Number field, select the country code from the drop-down list.
- In the next text box, enter the telephone number with no dashes or spaces.
- In the Exten text box, enter an extension if needed.
- If you want to include a secondary phone number, select the Include Secondary Phone Number option and enter the secondary phone number.
- Click Next.
- To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
- Text Message – a text message is sent to your phone
- Voice Call – a phone call is placed to your phone and an automated voice provides the code
- On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code.
- Install the Twilio Authy app from the Apple App Store or the Google Play store using the smart phone associated with the phone number you verified.
Note: Do not add an account to Authy. The Account will be added automatically when IAM sends the verification request to Authy.
- Once you have installed the Authy app, click Next.
- In the Authy app on your phone, you will receive a security token. The security token is valid only for 20 seconds before a new key is generated.
- On the Multifactor Authentication page, enter the security token in the text box. You must enter the security token shown in the Authy app and click Next before the token expires.
- Click Continue to complete the setup of MFA.
Users are directed to the IAM Home page or the landing page of the partner application.
- On the login page, enter the username and password.
- On the Set Up Multifactor Authentication page, select SMS Text or Voice Call.
- Click Next.
- In the Primary Phone Number field, select the country code from the drop-down list.
- In the next text box, enter the telephone number with no dashes or spaces.
- In the Exten text box, enter an extension if needed.
- If you want to include a secondary phone number, select the Include Secondary Phone Number option, and enter the secondary phone number.
- Click Next.
- To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
- Text Message – a text message is sent to your phone
- Voice Call – a phone call is placed to your phone and an automated voice provides the code
- On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code. In our example, we chose to receive the code by text message, so the link shown provides the option to Receive a code by voice call instead.
- Click Next.
- Click Continue.
This completes the setup of MFA. Users are directed to the IAM Home page or the landing page of the partner application.
- On the login page, enter the username and password.
- On the Set Up Multifactor Authentication page, select Email.
- Click Next.
- In the Email Address field, type your email address.
- Click Next.
- Check your email for the verification code.
- Enter the verification code on the Verify Email Address screen.
- Click Continue to complete the setup of MFA.
Users are directed to the IAM Home page or the landing page of the partner application.
For first time users of organizations using multifactor authentication, the following process is used to validate the identity of the person attempting to log in to IAM.
- On the Log In page, click the First Time User link.
- When prompted, enter the User ID received in your Welcome email and then click Submit.
- Click OK on the Email Sent notification message. You will be redirected to the IAM Sign In page.
- Check the email address associated with your IAM user account. You will receive an email message containing a security code. The security code is valid for 15 minutes.
- Click the Create Your Profile link.
- On the Security Code page, enter the security code provided in the email and then click Submit.
- On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
- Must be a minimum of 7 characters
- Must contain at least 3 of the following:
- Numbers
- Capital letters
- Lower-case letters
- Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
- Is case-sensitive
- Click Save and Proceed.
- On the Secret Questions page, select a question in each of the question fields. Previously selected questions are not available to be selected again to prevent duplication. On the right side, enter your answer to each question. The answers you enter are masked for security purposes so use caution when entering your responses to avoid typos, misspellings, etc., that could prevent you from responding to the security question prompts at a later time.
- Click Save and Proceed.
- On the Set Up Multifactor Authentication page, select the authentication method you would like to use. In our example we will show you how to set up the Smartphone App (Authy) which, once set up, enables you to verify your identity on your phone with just a tap. Alternatively, you can opt to have a text message, or an automated call sent to your phone with a verification code that must be entered to verify your identity.
- Click Next.
- In the Primary Phone Number field, select the country code from the drop-down list.
- In the next text box, enter the telephone number with no dashes or spaces.
- In the Exten text box, enter an extension if needed.
- If you want to include a secondary phone number, select the Include Secondary Phone Number option and enter the secondary phone number.
- Click Next.
- To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
- Text Message – a text message is sent to your phone
- Voice Call – a phone call is placed to your phone and an automated voice provides the code
- On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code.
- Install the Twilio Authy app from the Apple App Store or the Google Play store and set up an account using the phone number you verified.
- Once you have installed the Authy app, click Next.
- In the Authy app on your phone, you will receive a security token. The security token is valid only for 20 seconds before a new key is generated.
- On the Multifactor Authentication page, enter the security token in the text box. You must enter the security token shown in the Authy app and click Next before the token expires.
- Click Continue.
This completes the setup of MFA. Users are directed to the IAM Home page or the landing page of the partner application.
The process we show you below supposes that you have completed the first-time user setup, that your password is current (not expired and not about to expire), and that you have completed the setup of MFA. If you have not completed the first-time user setup and set up MFA, or if your password has expired or is about to expire, you will be prompted to take the necessary actions to resolve those issues.
- On the IAM Log In page, enter your username and password and then click Sign in.
- A notification is sent to the Authy app. Alternatively, if you opted to receive text messages or voice calls, a text or phone call is sent to your phone with a code that you will need to enter to proceed.
- If you do not respond to the Authy app notification within 10 seconds, IAM displays a message saying, “We didn’t hear from you.” This is not an expiration, and you can continue to approve the code that was sent. Alternatively, you can click the Try Again button to send another code, or you can click the Sign in another way button to log in using one of the following methods. The options available vary depending on whether you provided a secondary phone number:
- Mobile app notification – sends another notification to the Authy app
- Mobile app token – a code is displayed in the Authy app which can be entered in IAM to complete the login process
- Text message to primary number – a text message is sent to your primary number containing a code which can be entered in IAM to complete the login process
- Voice call to primary number – an automated voice phone call is sent to your primary phone number; the voice reads a code to be entered into IAM to complete the login process
- Text message to secondary number – a text message is sent to your secondary number containing a code which can be entered in IAM to complete the login process
- Voice call to secondary number – an automated voice phone call is sent to your secondary phone number; the voice reads a code to be entered into IAM to complete the login process
Note: If you fail to log in too many times using any of the methods, your account will be locked and must be unlocked by your IAM administrator before continuing.
- If you selected the Mobile app token option, enter the seven-digit token on the Enter token from Authy app page, and then click Login.
- If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
- If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.
Caution: If you fail to authenticate too many times your account will be locked and your Identity Access Management admin will be required to unlock your account.
- On the Log in page click the Forgot Password link.
- When prompted, enter the User ID received in your Welcome email and then click Submit.
- Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
- Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
- Click Reset your password.
- A notification is sent to the Authy app. Alternatively, if you opted to receive text messages or voice calls, a text or phone call is sent to your phone with a code that you will need to enter to proceed.
- If you do not respond to the Authy app notification within 10 seconds, IAM displays a message saying, “We didn’t hear from you.” This is not an expiration message, and you can continue to validate the code. If you did not receive a code, click the Try Again button to resend the code. Alternatively, you can click the Sign in another way button to log in using one of the following methods. The options available vary depending on whether you provided a secondary phone number:
- Mobile app notification – sends another notification to the Authy app
- Mobile app token – a code is displayed in the Authy app which can be entered in IAM to complete the login process
- Text message to primary number – a text message is sent to your primary number containing a code which can be entered in IAM to complete the login process
- Voice call to primary number – an automated voice phone call is sent to your primary phone number; the voice reads a code to be entered into IAM to complete the login process
- Text message to secondary number – a text message is sent to your secondary number containing a code which can be entered in IAM to complete the login process
- Voice call to secondary number – an automated voice phone call is sent to your secondary phone number; the voice reads a code to be entered into IAM to complete the login process
Note: If you fail to log in too many times using any of the methods, your account will be locked and must be unlocked by your IAM administrator before continuing.
- If you selected the Mobile app token option, enter the seven-digit token on the Enter token from Authy app page, and then click Login.
- If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
- If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.
- On the Answer Secret Questions page, enter the answers to your secret questions. The responses that you enter are masked for security purposes. Use caution to avoid typos, misspellings, etc.
- Click Save and Proceed.
- On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
- a. Must be a minimum of 7 characters
- b. Must contain at least 3 of the following:
- Numbers
- Capital letters
- Lower-case letters
- Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
- Is case-sensitive
- Can't be the same as your previous 24 passwords
- Click Save and Proceed.
- The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.
If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.
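The Mobile app token in the setup, login and password-reset steps above is a seven-digit code that changes every 20 seconds. The following added example (not Dayforce or Authy code) shows how such a token can be generated and checked, assuming the standard TOTP construction from RFC 6238 with HMAC-SHA1; the page does not state which algorithm Authy uses, and the drift window and replay check are likewise assumptions.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP_SECONDS = 20   # token lifetime stated on the page
DIGITS = 7          # token length stated on the page


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the counter, then dynamically truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Token shown by the app during the time step containing unix_time."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                drift_steps: int = 1, last_used_counter: int = -1,
                step: int = STEP_SECONDS) -> Optional[int]:
    """Return the matching time-step counter, or None if the token is rejected.

    drift_steps tolerates clock skew of that many steps either side.
    last_used_counter is the step of the last accepted token for this user;
    anything at or before it is refused so a captured token cannot be replayed.
    """
    current = int(unix_time) // step
    for counter in range(current - drift_steps, current + drift_steps + 1):
        if counter < 0 or counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret, not a real enrolment secret.
    secret = b"12345678901234567890"
    token = totp(secret, 25)                  # shown during seconds 20 to 39
    print(token)
    print(verify_totp(secret, token, 45))     # one step late: accepted
    print(verify_totp(secret, token, 65))     # two steps late: rejected
    print(verify_totp(secret, token, 45, last_used_counter=1))  # replay: rejected
```

With a 20-second step and one step of tolerance, a token stays usable for at most about 40 seconds after it stops being displayed, which is why the steps tell the user to enter it before it expires.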
- On the Log in page click the Forgot Password link.
- When prompted, enter the User ID received in your Welcome email and then click Submit.
- Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
- Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
- Click Reset your password.
- On the Dayforce page, select how you want to log in:
- Text Message
- Voice Call
- If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
- If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.
- On the Answer Secret Questions page, enter the answers to your secret questions. The responses that you enter are masked for security purposes. Use caution to avoid typos, misspellings, etc.
- Click Save and Proceed.
- On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
- a. Must be a minimum of 7 characters
- b. Must contain at least 3 of the following:
- Numbers
- Capital letters
- Lower-case letters
- Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
- Is case-sensitive
- Can't be the same as your previous 24 passwords
- Click Save and Proceed.
- The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.
If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.
- On the Log in page click the Forgot Password link.
- When prompted, enter the User ID received in your Welcome email and then click Submit.
- Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
- Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
- Click Reset your password.
An MFA page is displayed asking "How would you like to log in?"
- Click your email address.
An email is sent to your email address with a security code.
- On the MFA page, enter the security code you received in your email.
- Click Login.
- On the Answer Secret Questions page, enter the answers to your secret questions.
- Click Save and Proceed.
- On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
- a. Must be a minimum of 7 characters
- b. Must contain at least 3 of the following:
- Numbers
- Capital letters
- Lower-case letters
- Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
- Is case-sensitive
- Can't be the same as your previous 24 passwords
- Click Save and Proceed.
- The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.
If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.
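The default password requirements listed in the first-time user and password-reset procedures above can be expressed as a single check. This is an added example, not Dayforce code: the function names are hypothetical, the special-character set is taken as exactly the characters the page lists, and storing history as salted PBKDF2 hashes is an assumption about how reuse of the previous 24 passwords could be detected without keeping plaintext.

```python
import hashlib
import hmac
import os

# Characters listed on the page; treating the list as complete is an assumption
# (the page says "including").
SPECIALS = set("~`!@#$%^&*()+=|\\{}':;.,<>/?[]\"_-")
MIN_LENGTH = 7
MIN_CLASSES = 3        # at least 3 of: numbers, capitals, lower-case, specials
HISTORY_DEPTH = 24     # cannot match any of the previous 24 passwords
# Kept low so the example runs quickly; use your platform's recommended work factor.
ITERATIONS = 20_000


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def remember(history: list, password: str) -> list:
    """Append a salted hash of the password and keep only the newest 24 entries."""
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]


def policy_violations(password: str, history=()) -> list:
    """Return the list of rules the candidate password breaks (empty if none)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too-short")
    classes = [
        any(c.isdigit() for c in password),
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append("needs-3-of-4-classes")
    # Comparison is case-sensitive because the exact bytes are hashed.
    for salt, stored in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(_digest(password, salt), stored):
            problems.append("reused")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    history = remember([], "Summer2024!")
    for candidate in ("Ab1", "abcdefg", "Abcdef1", "Summer2024!", "summer2024!"):
        print(repr(candidate), policy_violations(candidate, history))
```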
You can update your MFA settings in IAM using the Multifactor Authentication tab on the My Profile page.
To access your MFA settings:
- Click the menu button, and then click My Profile.
- Click the Multifactor Authentication tab.
- Click Update MFA to launch the multifactor authentication setup process that we described in First-Time User Process with MFA.
A Customer IAM Admin user or Implementation Admin user can require a user to go through the first-time user setup by selecting either Send Welcome Email or Send Security Code options on the Users page. For MFA enabled organizations this will cause the user to enter their MFA settings again, thereby resetting them.
With the MFA settings reset, the user must go through the first time user process outlined in First-Time User Process with MFA.
If you want to reset only specific information
Dayforce Admins, Implementation Admins, and Customer Admin users can reset a user's MFA settings. The following settings can be reset:
- Primary Phone
- Secondary Phone
- Authy
- Email Address
- All MFA Registration
The following steps describe how to reset one or more of a user’s MFA settings.
- Click the menu button, and then click the organization name.
- Click Reset MFA.
- Search for MFA users who have completed the MFA First Time User setup.
- In the drop-down fields, select either = or contains to indicate whether the data is equal to or only contains the data you enter. You can enter data in one or more of the following fields:
- First Name
- Middle Name
- Last Name
- Email Address
- Country Code
- Phone Number
- Extension
- In the text field to the right of the drop-down fields, enter the search criteria.
- In the Authy Mobile App drop-down field, you can select all users or users who either are registered to use the Authy app or users who are not registered to use the Authy app. Choose from:
- All
- Not Registered
- Registered
- Click Apply Filter to perform the search. Results are shown below the search criteria. Alternatively, you can click Clear Filter to clear all the criteria you entered and start over.
- Select the check box next to the users that you want to reset. If you have multiple users that match the search criteria and you want to select them all, select the check box on the header bar.
- To reset MFA settings for the selected users, click Reset MFA at the top of the page and select which setting you want to reset. Choose from:
- Reset Primary Phone Number
- Reset Secondary Phone Number
- Reset Authy
- Reset Email Address
- Reset All MFA Registration
- Click OK on the verification pop-up.