Two-factor authentication (2FA) provides an additional layer of security and makes it harder for attackers to gain access to your account. It is designed to ensure that you are the only person who can access your account, even if someone else knows your password.
2FA settings for each business are configured via Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab).
NB. Important dates relating to 2FA requirements:
13 May 2021: Mandatory for new users requiring 2FA, to have 2 methods of authentication configured, with email being one of those mandatory methods.
8 March 2022: Same rules as above, but for existing users. Any existing user that has 2FA enabled but only 1 method of authentication configured will be required to set up the second method of authentication, with email being mandatory.
2FA is mandatory for the following users when logging into the payroll platform:
- Full access users;
- Restricted users with access to one or more reports; and
- Restricted users with report packs permission (this is different to a report pack recipient and explained further below).
As a result, the above users are required to enable 2FA and verify their details by following these instructions. Users will be unable to log into the payroll platform until 2FA has been enabled.
These mandatory 2FA requirements cannot be removed at a business or brand level. If you access the payroll platform from within an external third party platform, for eg HR platforms, etc, you will not be required to verify your details via 2FA to access the payroll functionality. Rather, you should utilise the 2FA security functions that are provided in those systems instead. If however, you log into the payroll platform directly using the URL “xxx.nzpayroll.co.nz”, you will be required to follow the 2FA process and verify your details.
Report pack recipients
When setting up a report pack, users must also include the email address of the person(s) who will be in receipt of the report pack, i.e. the recipient. Users can require that recipient(s) must login to the payroll platform in order to download the report pack. If this setting is ticked, the recipients will be given restricted access with report pack permissions. These recipients will then be required to set up 2FA. If the setting is not ticked, the recipients are not given access to the platform whatsoever and are merely sent a link that will enable them to download the report packs. As such, these recipients will not be required to set up 2FA.
Optional 2FA for other users
An additional (optional) setting is available that, when selected, requires the following user types to also enable 2FA:
- employees (when accessing the employee portal); and
- all other restricted users that have location or employee group access to permissions such as rostering, timesheets, leave, expenses, etc.
This optional 2FA setting can be enforced at either a business level or a brand level.
- If enforced at a brand level, all businesses under that brand must follow 2FA protocol. There is no ability to revoke this requirement at the business level.
- If enforced at a business level by a full access user, only a full access user of that business will be able to then override the 2FA requirement.
To clarify, if this optional setting is enabled, it will not affect employees or managers logging into WorkZone or Clock Me In. This means that users will not be required to undergo the 2FA process when accessing these apps.
2FA enforced at a brand level
This section is only relevant to users that are brand managers or partners. A brand manager or partner can enforce 2FA for a brand by following these instructions:
- Access the relevant brand's settings via the Partner Dashboard > click the 'brand' icon on the left side panel to access the Brand Management page;
- Click on the relevant brand name;
- Click on the "Security" menu option (left hand side);
- Click on the "Manage Two-Factor Authentication" tab;
- Click on the "Require two-factor authentication for managers / employees" checkbox.
- Click on 'Save'.
Users will know that 2FA has been enforced for their business at a brand level when the following message is displayed:
2FA enforced at a business level
You can access the business' 2FA settings by navigating to Payroll Settings > Manage Users > Manage Two-Factor Authentication (tab). If the setting has not already been activated at the brand level, the setting will be displayed as follows:
Click on the checkbox and then click on ‘Save’. You can always choose to switch off this additional 2FA requirement by unticking the checkbox and clicking on ‘Save’.
Enabling 2FA for a User
If 2FA is enabled, full access users will need to verify their settings. Detailed instructions on verifying an email address, mobile phone or Google Authenticator can be found here.
2FA frequently asked questions
Do I need to enable all options (email / mobile / google authenticator)
No, however, you need to enable at least two 2FA options, and of these options, email is mandatory.
I've confirmed my email/mobile but I still cannot access my business.
Please be sure to click the 'Enable' button in the bottom right to ensure that 2FA is switched on for your account:
Is 2FA mandatory for ALL users in the system?
Currently, it is only mandatory for full access/reporting users but this will change as of Friday 30 April. Businesses may opt to require 2FA for managers/employees as well. This can be configured in the "Two Factor Authentication" tab under the "Manage Users" section in "Payroll Settings". Otherwise, 2FA is still an option for employees/managers that wish to do so.
What are the benefits of Google Authenticator
The main benefit is for users that may travel internationally and change SIM cards when they travel, or for users that have poor mobile network coverage and don't receive SMS messages. Google authenticator generates the confirmation code directly from the app and doesn't require waiting for an SMS or email.
Please note also that there are alternative apps to Google Authenticator such as Authy that are also compatible with the system.
How can I see who has switched on 2FA?
Depending on the type of user, you can view the status as follows:
Users with business level access:
The 'Manage Users' page under "Payroll Settings" will show a [2FA] badge next to each user that has 2FA enabled. This information will also be shown in the Excel export.
Brand access users:
Within the brand settings > security page (users that have individual business access to businesses within the brand)
Also, the brand settings > user access page (users with access to the brand)
Partner access users:
Within the partner settings > users page.
Once the employee logs into the employee portal, they can click the 'my account' link in the top right hand corner and then navigate to the Two-Factor Authentication page.
How often am I required to enter my 2FA code when I log in?
When the user enters their 2FA verification code, there is an option to 'Don't ask me again for 30 days'. If this is ticked, the user will not be required to enter a 2FA code for 30 days. Otherwise, the user will be required to enter the code each time they log in.
Help! I am being asked to enter my 2FA code more frequently than every 30 days
We use a cookie on your machine to store the fact it's a trusted device and has passed 2FA. However if you clear your cookies (or more generally your browsing history) for any reason, you can expect to be asked to complete 2FA again at next login. That's one explanation for it occurring.
Another scenario is where one of these cookies ends up invalid/stuck, and in that situation if you keep getting asked, it can help to clear your cookies/browser data (just use the browser function to clear all browsing history) - you'll then have to complete 2FA again once more.
If clearing your cookies does not work, and assuming you're using Chrome, you can follow these steps:
- Click on the little padlock next to the URL - a menu like shown should appear:
- If you then click on Cookies, you'll see a list of Allowed Cookies.
Scroll down until you can see both nzpayroll.co.nz and the URL from the branded domain. In the below example, you'll see nzpayroll.co.nz and emsnz.nzpayroll.co.nz:
- If you expand the branded domain (e.g. emsnz.nzpayroll.co.nz) and then 'cookies' you'll see something like this:
- You want to remove the cookie called ".AspNet.TwoFactorRememberBrowser" (click on it then click the Remove button below).
If you have any questions or feedback, contact us via email@example.com