Multi-Factor Authentication and Passwords (2024)

Multi-factor authentication (MFA)

Multi-Factor Authentication (MFA) improves account security because every login to a user account requires a one-time passcode in addition to the username and password. The one-time passcode (OTP) is required once every seven days for each device, and can be received by email, SMS message, or an app-based token. MFA is strongly recommended for all user accounts, and is required for manager and administrator roles.

Caution: MFA is required for manager-role user accounts. You cannot turn off MFA for these accounts.

Note: MFA applies only to Basic Authentication and not to Federated Authentication. MFA is required for Basic Authentication, and this topic describes how to set up and use MFA only for Basic Authentication. For Federated Authentication, single sign-on (SSO), or authentication by way of other applications, refer to the Authentication topic or the documentation for those other applications.

Manage MFA for user accounts

By default, MFA is turned on for all user accounts. You can turn off MFA only for employee user accounts; however, it is strongly recommended that these accounts use MFA.

Caution: MFA is required for manager-role user accounts. You cannot turn off MFA for these accounts.

Note: MFA is required for Seed user accounts but not for API-only user accounts.

  1. Before you install Release 9 Update 4, set the MFA feature switch as follows:

    Note: After Release 9 Update 4, the MFA feature switch will not be available.

    1. Click or tap Main Menu > Administration > Application Setup > System Configuration > Feature Switch.
    2. Select Multi-factor Authentication (MFA) Roll Out and click or tap Edit.
    3. Select one of the following:
      • To enable MFA for all user accounts, select Yes.
      • To enable MFA only for manager-role user accounts, select No.
    4. Click or tap Save.
  2. The administrator must have the MFA required access control point (ACP) turned on as follows:

    Note: For details, see the Manager - Common Setup ACPs topic.

    1. Click or tap Main Menu > Administration > Application Setup > Access Profiles > Function Access Profiles.
    2. Select the profile and click or tap Edit.
    3. Select Manager - Common Setup.
    4. In People Editor > Access user account > MFA required — In Access Scope, select Allowed to allow a manager or administrator to override multi-factor authentication (MFA) in People Information for an employee.
    5. Click or tap Save.
  3. Turn off MFA for an employee as follows:
    1. Click or tap Main Menu > Maintenance > People Information.
    2. Select the employee.
    3. In Information > Employee Status, clear MFA Required.
    4. Click or tap Save.
  4. Turn on MFA for an employee as follows:
    1. Click or tap Main Menu > Maintenance > People Information.
    2. Select the employee.
    3. In Information > Employee Status, select MFA Required.
    4. Click or tap Save.

Alternatively, you can turn off or turn on MFA for employees by either of the following methods:

  • Use the Person Update or Update Multiple Persons API with MFA Required set to False or True.
  • Use the Data Import Tool as described in the Use the Data Import Tool topic.

One-time passcode (OTP)

The one-time passcode (OTP) is a string of digits derived from a secret seed that is shared with a device when the device is registered. Each passcode is valid only for a short period of time. The two factors — the seed-derived passcode and the time limit — ensure that the OTP is always changing and always secret, except to the registered device and the service that registered it.

The OTP is sent as follows:

  • By email (default) if the email address of the user account is in People Information.
  • By SMS message if the phone number of the account is in People Information, and your organization has the contract and part number for the SMS application.
  • By app-based token, if the mobile device is registered as follows:

    Turn on OTP by token

    1. Install an authenticator on your device as follows:
      • Navigate to the Apple App Store or the Google Play Store.
      • Search for, download, and install an authenticator app. The recommended authenticators are ForgeRock Authenticator and Google Authenticator.
    2. When you log in, do the following:
      • Select Token as the method the first time you use MFA.
      • Scan the QR code according to the documentation for the authenticator and click or tap Next.
      • Enter the verification code that the app displays and click or tap Submit.
    3. If the device is not available when you log in:
      • Click or tap Use recovery code.
      • Record and store the recovery codes, or take a screenshot of this screen, so that you can still authenticate if the device is missing, damaged, or lost.
      • Click or tap Log In.
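The following Python is an added illustration, not code from the product or its documentation, of how an app-based token turns the seed carried in the enrolment QR code into a passcode that is valid only for a short window. It assumes the RFC 6238 time-based algorithm that common authenticator apps implement, with an assumed 30-second step and 6 digits; the seed is the constructed test-vector secret from RFC 4226/6238, and the page does not state which parameters the product's authenticators use.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo seed: the ASCII test secret from RFC 4226/6238, base32-encoded
# the way an authenticator app receives it inside the enrolment QR code.
DEMO_SEED_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30   # assumed time window; not stated on the page
DIGITS = 6          # assumed passcode length; not stated on the page

def hotp(seed_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    key = base64.b32decode(seed_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(seed_b32: str, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time window."""
    return hotp(seed_b32, at // step)

def verify_totp(seed_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Accept the code for the current window plus `window` neighbours on each
    side (clock drift tolerance); compare in constant time so the check does
    not leak how many digits matched. Anything older than that is rejected."""
    counter = at // STEP_SECONDS
    return any(hmac.compare_digest(hotp(seed_b32, counter + d), submitted)
               for d in range(-window, window + 1))

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SEED_B32, now)
    print(f"seed {DEMO_SEED_B32} -> code {code} in window {now // STEP_SECONDS}")
    print("accepted now:", verify_totp(DEMO_SEED_B32, code, now))
    print("accepted five minutes later:", verify_totp(DEMO_SEED_B32, code, now + 300))
```

The service only ever needs the seed and the clock; a code intercepted from an email or SMS is useless once its window and the drift allowance have passed.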

Account lockout and OTP

(Only if MFA is enabled) If an account is locked because of too many failed attempts to log in with an OTP, do the following:

  1. Select the employee in the Timecard or schedule. Select Maintenance > People Information > Employee.
  2. In Account Locked select Enabled to manually lock the account.
  3. Save the changes.
  4. Select the employee again.
  5. In Account Locked, select Disabled to manually unlock the account.
  6. Save the changes.

Log in

When you log in to UKG Pro Workforce Management™:

  1. Enter your User Name and Password, and click or tap Log In.
  2. Select one of the configured methods to receive the one-time passcode (OTP) — Email, SMS message, or app-based soft Token — and click or tap Log In. Wait to receive the passcode.
  3. Enter the One Time Passcode and click or tap Log In.

Password policy

Caution: If a user account is used for system-to-system API calls — such as for integrations — password expiration can block API calls and prevent integrations from running. To avoid this, convert the user account to API Only User in People Information; see the Employee topic. Your FAP must have API-only user set to Allowed; see the Manager - Common Setup ACPs topic. Once the account is API-Only, it supports only API calls; you cannot use it to log in from a browser or mobile app.

Note: People Import integrations continue to run in the R9 U4 EU5 release and import user accounts with the existing passwords, even if the passwords are shorter than 15 characters. However, the users are prompted to change their passwords to more secure, complex passwords when they log in for the first time.

Note: You can make limited adjustments to the password policy. To change the password, account lockout, and other log-on settings, see the Logon Profiles topic.

  1. Click or tap Main Menu > Administration > Application Setup > Access Profiles > Logon Profiles.
  2. Select a profile and click or tap Edit.
  3. Select the Password tab and edit the following:
    • Expiration Frequency — The number of days after which users must change their passwords.
      • You cannot disable password expiration.
      • Default and maximum = 180 days. You can enter fewer days.
    • Reuse Monitoring — The number of previous passwords that cannot be reused.
      • You cannot disable reuse monitoring.
      • Default = 24 previous passwords.
    • Account is locked out for inactivity — The number of days of inactivity before the system locks the account.
      • You cannot disable inactivity lock outs.
      • Inactive existing user accounts: Default and maximum = 180 days. You can enter fewer days.
      • First-time login: Default and maximum = 30 days. You can enter fewer days.

        Note: To avoid locking accounts during setup, edit the User Account Status to the effective, active date of the accounts.

    • (Not editable) The password must not contain any of the following — User names, spaces, and words from the forbidden password list cannot be included in passwords.

      Example forbidden passwords: MyUsername, password password, MyStrongPassword.

    • (Not editable) The password must contain all of the following — Shows that a mix of upper-case letters, lower-case letters, non-alphanumeric characters, and numbers must be included in passwords.

      Example acceptable password: AYWzwmQX$Y4M3Dy (but don't use this example).

    • The password is limited by the following — Length and character restrictions.
      • Minimum length: The shortest acceptable password length.

        Minimum = 15 characters.

        Maximum = 64 characters.

      • Maximum consecutive identical characters: The maximum number of identical characters in a row that passwords can contain.

        Default and maximum = 4 identical characters.

        Minimum = 2 identical characters.

        Example forbidden passwords include the following: aaaa, nnnn, xxxx, 0000, 6666, 9999.

      • Maximum sequential letters or numbers: The maximum number of sequential letters or numbers that passwords can contain.

        Default and maximum = 3 sequential characters.

        Minimum = 2 sequential characters.

        Example forbidden passwords include the following: abc, def, xyz, 123, 456, 789.

  4. Select Session Restrictions and edit the following:
    • Enabled locks the user account after the specified number of failed attempts to log on. You cannot turn off account locking.

      In Number of failed logon or password change attempts before lockout, enter the number of attempts to allow. Default = 5 attempts.

      In Lockout duration, select Forever to lock the account perpetually, or enter the length of time to lock the account before the account is unlocked automatically. Use HH:mm format. Default = 0:30.

      Caution:

      If an account is locked, do one of the following to unlock it:

      • Reset the password to unlock the account.
      • Wait for the Lockout duration to expire if it is not set to Forever.
  5. Click or tap Save.
  6. Associate logon profiles to people.
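The following Python validator is an added example, not part of the product, that applies the Password tab rules above at their default values: 15 to 64 characters, no user name, spaces or forbidden words, all four character classes, and the identical and sequential run limits. It assumes a run is rejected once it reaches the configured number, which matches the page's own examples (aaaa at 4, abc and 123 at 3); the forbidden word list, the user name and the case-insensitive matching are constructed assumptions.

```python
# Defaults from the Logon Profile Password tab on this page; the forbidden
# word list is constructed for this example (the product's list is not shown).
MIN_LENGTH, MAX_LENGTH = 15, 64
MAX_IDENTICAL_RUN = 4   # "aaaa" is rejected at the default setting
MAX_SEQUENTIAL_RUN = 3  # "abc" and "123" are rejected at the default setting
FORBIDDEN_WORDS = ("password", "mystrongpassword", "welcome", "qwerty")

def longest_identical_run(pw: str) -> int:
    """Length of the longest run of one repeated character (case-sensitive)."""
    best = run = 1
    for a, b in zip(pw, pw[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best

def longest_sequential_run(pw: str) -> int:
    """Longest run stepping up by one (abc, 123), case-insensitive; letters and digits never mix."""
    s = pw.lower()
    best = run = 1
    for a, b in zip(s, s[1:]):
        stepping = (a.isalnum() and b.isalnum()
                    and a.isalpha() == b.isalpha() and ord(b) - ord(a) == 1)
        run = run + 1 if stepping else 1
        best = max(best, run)
    return best

def check_password(pw: str, username: str) -> list[str]:
    """Return every violation found; an empty list means the password is accepted."""
    problems = []
    if not MIN_LENGTH <= len(pw) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH} to {MAX_LENGTH}, got {len(pw)}")
    if " " in pw:
        problems.append("spaces are not allowed")
    low = pw.lower()
    if username and username.lower() in low:
        problems.append("must not contain the user name")
    for word in FORBIDDEN_WORDS:
        if word in low:
            problems.append(f"contains forbidden word '{word}'")
    # Each class is checked with a predicate applied to every character.
    required = {"upper-case letter": str.isupper, "lower-case letter": str.islower,
                "number": str.isdigit, "non-alphanumeric character": lambda c: not c.isalnum()}
    problems += [f"missing {n}" for n, f in required.items() if not any(f(c) for c in pw)]
    if longest_identical_run(pw) >= MAX_IDENTICAL_RUN:
        problems.append(f"{MAX_IDENTICAL_RUN} or more identical characters in a row")
    if longest_sequential_run(pw) >= MAX_SEQUENTIAL_RUN:
        problems.append(f"{MAX_SEQUENTIAL_RUN} or more sequential letters or numbers")
    return problems
```

Running the page's own samples through it, AYWzwmQX$Y4M3Dy passes cleanly while MyStrongPassword fails on the forbidden word and the two missing character classes.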
Article information

Author: Carmelo Roob
