Two-factor authentication (2FA) provides an additional layer of security and makes it harder for attackers to gain access to your account. If enabled, 2FA is only enforced for full access users; however, this does not prevent any other user type from enabling 2FA on their account.
2FA can be enforced at a business level and/or a white label level.
- If enforced at a white label level, all businesses under that white label must follow the 2FA requirement. Additionally, the only user types that can override the 2FA requirement at a business level are a white label manager or a reseller.
- If enforced at a business level by a full access user, only a full access user of that business will then be able to override the 2FA requirement.
Enforcing 2FA at a white label level
This section is only relevant to users that are white label managers or resellers.
A white label manager or reseller can enforce 2FA for a white label by following these instructions:
- Access the relevant white label's settings by clicking on your username (top right-hand side) and then the white label settings option:
- Click on the "Security" menu option (left hand side);
- Click on the "Manage Two-Factor Authentication" tab;
- Click on the "Require two-factor authentication for full access users" checkbox.
At a business level, the message then displayed in the "Manage Two-Factor Authentication" screen will be as follows:
To clarify, the "Click here..." link is only available to white label managers or resellers. Full access users will not have this option; their display is different, as detailed in the "2FA enforced by White Label Manager" section below.
Enforcing 2FA at a business level
Instructions on how to manage 2FA at a business level will depend on whether 2FA has been enforced at a white label level or not. Details on both are below.
You can access the business's 2FA settings by navigating to Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab).
2FA enforced by White Label Manager
Full access users will know that 2FA has been enforced at a white label level when the following message is displayed:
This means that all full access users will be required to verify their 2FA settings and enable 2FA before they can log in and access business data.
Additionally, full access users will need to get in contact with their white label representative to discuss disabling the 2FA requirement.
2FA not enforced by White Label Manager
By default, this setting will be unticked:
If you want to activate this option, tick the checkbox.
Enabling 2FA for a User
If 2FA is enabled, full access users will need to verify their settings. Detailed instructions on verifying an email address, mobile phone or Google Authenticator can be found here.
2FA frequently asked questions
Do I need to enable all options (email / mobile / Google Authenticator)?
No, however, you need to enable at least two 2FA options, and of these options, email is mandatory.
I've confirmed my email/mobile but I still cannot access my business.
Please be sure to click the 'Enable' button in the bottom right to ensure that 2FA is switched on for your account:
Is 2FA mandatory for ALL users in the system?
Currently, it is only mandatory for full access/reporting users. Businesses may opt to require 2FA for managers/employees as well. This can be configured in the "Two Factor Authentication" tab under the "Manage Users" section in "Payroll Settings". Otherwise, 2FA remains optional for employees/managers who wish to enable it.
What are the benefits of Google Authenticator?
The main benefit is for users who travel internationally and change SIM cards when they travel, or for users who have poor mobile network coverage and don't receive SMS messages. Google Authenticator generates the confirmation code directly from the app and doesn't require waiting for an SMS or email.
Please note also that there are alternative apps to Google Authenticator such as Authy that are also compatible with the system.
How can I see who has switched on 2FA?
Depending on the type of user, you can view the status as follows:
- Users with business level access: the 'Manage Users' page under "Payroll Settings" will show a [2FA] badge next to each user that has 2FA enabled. This information will also be shown in the Excel export.
- White label access users: within the white label settings > security page (users that have individual business access to businesses within the white label), and also the white label settings > user access page (users with access to the white label).
- Reseller access users: within the reseller settings > users page.
Once the employee logs into the employee portal, they can click the 'my account' link in the top right hand corner and then navigate to the Two-Factor Authentication page.
How often am I required to enter my 2FA code when I log in?
When the user enters their 2FA verification code, there is an option to 'Don't ask me again for 30 days'. If this is ticked, the user will not be required to enter a 2FA code for 30 days. Otherwise, the user will be required to enter the code each time they log in.
Help! I am being asked to enter my 2FA code more frequently than every 30 days
We use a cookie on your machine to record that it is a trusted device that has passed 2FA. However, if you clear your cookies (or, more generally, your browsing history) for any reason, you can expect to be asked to complete 2FA again at your next login. That is one explanation for it occurring.
Another scenario is where one of these cookies ends up invalid or "stuck". If you keep getting asked in that situation, it can help to clear your cookies/browser data (just use the browser function to clear all browsing history); you will then have to complete 2FA once more.
If clearing your cookies does not work, and assuming you're using Chrome, you can follow these steps:
- Click on the little padlock next to the URL; a menu like the one shown should appear:
- If you then click on Cookies, you'll see a list of Allowed Cookies. Scroll down until you can see both yourpayroll.io and the URL of the branded domain. In the example below, you'll see yourpayroll.io and emssg.yourpayroll.io:
- If you expand the branded domain (e.g. emssg.yourpayroll.io) and then 'cookies' you'll see something like this:
- You want to remove the cookie called ".AspNet.TwoFactorRememberBrowser" (click on it then click the Remove button below).
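To illustrate the trusted-device mechanism described in this section (a cookie that records the browser has passed 2FA, a 30-day window, and an invalid or "stuck" cookie causing repeated prompts), here is an added example in Python. It is not code from the product; the real ".AspNet.TwoFactorRememberBrowser" cookie is issued by ASP.NET and its internal format is not described on this page. The example assumes a simple HMAC-signed design in which the cookie carries the user id and an expiry, and shows why a missing, tampered, expired or wrong-user cookie all result in the user being asked for their code again. The secret, user ids and timestamps are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# The "Don't ask me again for 30 days" window from the FAQ above.
REMEMBER_DAYS = 30


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    """Inverse of _b64e; raises ValueError (binascii.Error) on junk input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_remember_cookie(secret: bytes, user_id: str, now: int) -> str:
    """Build the remember-browser cookie value after a successful 2FA step.

    Layout (assumed, not the product's real format): base64(payload).base64(tag)
    where payload binds the cookie to one user and one expiry time, and tag is
    an HMAC-SHA256 over the payload so the client cannot alter either field.
    """
    claims = {"uid": user_id, "exp": now + REMEMBER_DAYS * 86400}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def second_factor_required(secret: bytes, user_id: str, cookie_value, now: int) -> bool:
    """Return True when the login must prompt for a 2FA code.

    Every failure path falls back to prompting, which is the safe default and
    is also why a cleared or corrupted cookie shows up as "being asked again".
    """
    if not cookie_value:
        return True  # no cookie: history cleared, or the box was never ticked
    try:
        p64, t64 = cookie_value.split(".", 1)
        payload = _b64d(p64)
        tag = _b64d(t64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return True  # signature mismatch: tampered or signed with another key
        claims = json.loads(payload)
    except ValueError:
        return True  # malformed ("stuck") cookie: cannot be trusted, prompt again
    if claims.get("uid") != user_id:
        return True  # cookie was issued for a different account on this browser
    if now >= int(claims.get("exp", 0)):
        return True  # the 30-day trust window has elapsed
    return False


def demo() -> dict:
    """Walk through the scenarios from the FAQ with constructed sample values."""
    secret = b"constructed-demo-secret-do-not-reuse"  # sample value
    issued_at = 1_700_000_000  # constructed timestamp
    cookie = issue_remember_cookie(secret, "user-42", issued_at)
    # Flip the last character of the signature to simulate a corrupted cookie.
    tampered = cookie[:-1] + ("B" if cookie[-1] != "B" else "A")
    day = 86400
    return {
        "fresh_cookie_next_day": second_factor_required(secret, "user-42", cookie, issued_at + day),
        "same_cookie_after_31_days": second_factor_required(secret, "user-42", cookie, issued_at + 31 * day),
        "cookies_cleared": second_factor_required(secret, "user-42", None, issued_at + day),
        "other_user_same_browser": second_factor_required(secret, "user-43", cookie, issued_at + day),
        "tampered_cookie": second_factor_required(secret, "user-42", tampered, issued_at + day),
        "stuck_garbage_cookie": second_factor_required(secret, "user-42", "not-a-cookie", issued_at + day),
    }


if __name__ == "__main__":
    for scenario, prompt in demo().items():
        print(f"{scenario}: {'ask for 2FA code' if prompt else 'trusted, skip 2FA'}")
```

Only the first scenario skips the second factor; everything else, including the deliberately corrupted value, falls through to a fresh prompt, which matches the troubleshooting advice above: when the stored cookie can no longer be validated, removing it and completing 2FA once more is the way to get back to a clean 30-day window.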
If you have any questions or feedback, contact us via firstname.lastname@example.org.