About Multifactor Authentication (2024)

• MFA features are integrated directly into the IAM platform with no need to establish a relationship or contract with a third party
• Deployment by client administration and registration by end-users is fast and simple
• MFA is applied to IAM native authentication (IAM-specific credentials) users in the web application based on their current role(s), including support for Pre-Start new hire and Terminate roles
• During the authentication process, users can verify their identities using the following options:
  • Using the Authy mobile app
  • Text message or Voice call
  • Email

When MFA is enabled at the Organizational level, users with any of the included roles are required to complete the MFA setup process.

The setup process appears the next time the user signs into IAM. The user is prompted to select the identity verification method they would like to use. The option selected determines the contact information that needs to be collected in the next step.

Dayforce Admins, Implementation Admins, and Customer Admin users can exclude specific users from having to use MFA for a defined period. The date through which the user will be excluded from MFA is shown even after the exclusion has expired for historical purposes. Once the exclusion date expires, the user must set up and use MFA. An admin is not required to take any further action to remove the exclusion or enable MFA for the user.

Information about which users are excluded (suspended) can be reviewed in the Reporting module using the Suspended MFA User report.

1. Click the menu button, then click the organization name.
2. Click Users.
3. Search for and select the user you want to exclude.
4. In the Exclude from MFA through field, enter the date through which you want to exclude the user from MFA requirements. Alternatively, click the calendar icon to use the calendar to select a date.
   The user is excluded from MFA through midnight of the date selected and must begin using MFA the following day.

When searching for users in an organization, you can sort by users who have been excluded from MFA.

• On the Users page, click the drop-down list on the left and select MFA Excluded User to show all users who are currently excluded from MFA using the process described in Exclude Users from Multifactor Authentication Top.

The following process is used to validate the identity of the person attempting to log in to IAM using MFA.

1. On the login page, enter the username and password.
2. On the Set Up Multifactor Authentication page, select Smartphone App (recommended).
3. Click Next.
4. In the Primary Phone Number field, select the country code from the drop-down list.
5. In the next text box, enter the telephone number with no dashes or spaces.
6. In the Exten text box, enter an extension if needed.
7. If you want to include a secondary phone number, select the Include Secondary Phone Number option and enter the secondary phone number.
8. Click Next.
9. To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
   1. Text Message – a text message is sent your phone
   2. Voice Call – a phone call is placed to your phone and an automated voice provides the code
10. On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code.
11. Install the Twilio Authy app from the Apple App Store or the Google Play store using the smart phone associated with the phone number you verified.

Note: Do not add an account to Authy. The Account will be added automatically when IAM sends the verification request to Authy.

12. Once you have installed the Authy app, click Next.
    1. In the Authy app on your phone, you will receive a security token. The security token is valid only for 20 seconds before a new key is generated.
13. On the Multifactor Authentication page, enter the security token in the text box. You must enter the security token shown in the Authy app and click Next before the token expires.
14. Click Continue to complete the setup of MFA.

Users are directed to the IAM Home page or the landing page of the partner application.

1. On the login page, enter the username and password.
2. On the Set Up Multifactor Authentication page, select SMS Text or Voice Call.
3. Click Next.

4. In the Primary Phone Number field, select the country code from the drop-down list.
5. In the next text box, enter the telephone number with no dashes or spaces.
6. In the Exten text box, enter an extension if needed.
7. If you want to include a secondary phone number, select the Include Secondary Phone Number option, and enter the secondary phone number.
8. Click Next.

9. To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
   1. Text Message – a text message is sent your phone
   2. Voice Call – a phone call is placed to your phone and an automated voice provides the code

10. On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code. In our example, we chose to receive the code by text message, so the link shown provides the option to Receive a code by voice call instead.

11. Click Next.

12. Click Continue.

This completes the setup of MFA. Users are directed to the IAM Home page or the landing page of the partner application.

1. On the login page, enter the username and password.
2. On the Set Up Multifactor Authentication page, select Email.

3. Click Next.
4. In the Email Address field, type your email address.

5. Click Next.
6. Check your email for the verification code.
7. Enter the verification code on the Verify Email Address screen.

8. Click Continue to complete the setup of MFA.

Users are directed to the IAM Home page or the landing page of the partner application.

For first time users of organizations using multifactor authentication, the following process is used to validate the identity of the person attempting to log in to IAM.

1. On the Log In page, click the First Time User link.
2. When prompted, enter the User ID received in your Welcome email and then click Submit.
3. Click OK on the Email Sent notification message. You will be redirected to the IAM SignIn page.
4. Check the email address associated with your IAM user account. You will receive an email message containing a security code. The security code is valid for 15 minutes.
5. Click the Create Your Profile link.
6. On the Security Code page, enter the security code provided in the email and then click Submit.
7. On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
   1. Must be a minimum of 7 characters
   2. Must contain at least 3 of the following:
      1. Numbers
      2. Capital letters
      3. Lower-case letters
      4. Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
   3. Is case-sensitive
8. Click Save and Proceed.
9. On the Secret Questions page, select a question in each of the question fields. Previously selected questions are not available to be selected again to prevent duplication. On the right side, enter your answer to each question. The answers you enter are masked for security purposes so use caution when entering your responses to avoid typos, misspellings, etc., that could prevent you from responding to the security question prompts at a later time.
10. Click Save and Proceed.
    
11. On the Set Up Multifactor Authentication page, select the authentication method you would like to use. In our example we will show you how to set up the Smartphone App (Authy) which, once set up, enables you to verify your identity on your phone with just a tap. Alternatively, you can opt to have a text message, or an automated call sent to your phone with a verification code that must be entered to verify your identity.
12. Click Next.
13. In the Primary Phone Number field, select the country code from the drop-down list.
14. In the next text box, enter the telephone number with no dashes or spaces.
15. In the Exten text box, enter an extension if needed.
16. If you want to include a secondary phone number, select the Include Secondary Phone Number option and enter the secondary phone number.
17. Click Next.
18. To verify the phone number that you entered, a one-time code must be sent to the phone number you entered. Select how you would like to receive that code:
    1. Text Message – a text message is sent your phone
    2. Voice Call – a phone call is placed to your phone and an automated voice provides the code
19. On the next page, enter the code that you received. If you did not receive the code, click Resend code to resend the code to the same number. Additionally, you can change the method of receiving the code by clicking the link below Resend code.
20. Install the Twilio Authy app from the Apple App Store or the Google Play store and set up an account using the phone number you verified.
21. Once you have installed the Authy app, click Next.
    1. In the Authy app on your phone, you will receive a security token. The security token is valid only for 20 seconds before a new key is generated.
22. On the Multifactor Authentication page, enter the security token in the text box. You must enter the security token shown in the Authy app and click Next before the token expires.
23. Click Continue.

This completes the setup of MFA. Users are directed to the IAM Home page or the landing page of the partner application.

The process we show you below supposes that you have completed the first-time user setup, that your password current and not about to expire, or has expired, and that you have completed the setup of MFA. If you have not completed the first-time user setup and setup MFA, or if your password has expired or is about to expire, you will be prompted to take the necessary actions to resolve those issues.

1. On the IAM Log In page, enter your username and password and then click Sign in.
2. A notification is sent to the Authy app. Alternatively, if you opted to receive text messages or voice calls, a text or phone call is sent to your phone with a code that you will need to enter to proceed.
3. If you do not respond to the Authy app notification within 10 seconds IAM displays a message saying, “We didn’t hear from you.” .This is not an expiration and you can continue to approve the code that was sent. Alternatively, you can click the Try Again button to send another code or you can click the Sign in another way button to log in using one of the following methods, the options available vary depending on whether you provided a secondary phone number:
   1. Mobile app notification – sends another notification to the Authy app
   2. Mobile app token – a code is displayed in the Authy app which can be entered in IAM to complete the login process
   3. Text message to primary number – a text message is sent to your primary number containing a code which can be entered in IAM to complete the login process
   4. Voice call to primary number – an automated voice phone call is sent to your primary phone number; the voice reads a code to be entered into IAM to complete the login process
   5. Text message to secondary number – a text message is sent to your secondary number containing a code which can be entered in IAM to complete the login process
   6. Voice call to primary number – an automated voice phone call is sent to your secondary phone number; the voice reads a code to be entered into IAM to complete the login process
      Note: If you fail to log in too many times using any of the methods, your account will be locked and must be unlocked by you IAM administrator before continuing.
4. If you selected the Mobile app token option, enter the seven-digit token on the Enter token from Authy app page, and then click Login.
5. If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
6. If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.

Caution: If you fail to authenticate too many times your account will be locked and your Identity Access Management admin will be required to unlock your account.

1. On the Log in page click the Forgot Password link.
2. When prompted, enter the User ID received in your Welcome email and then click Submit.
3. Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
4. Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
5. Click Reset your password.
6. A notification is sent to the Authy app. Alternatively, if you opted to receive text messages or voice calls, a text or phone call is sent to your phone with a code that you will need to enter to proceed.
7. If you do not respond to the Authy app notification within 10 seconds IAM displays a message saying, “We didn’t hear from you.” This is not an expiration message and you can continue to validate the code. If you did not receive a code, click the Try Again button to resend the code. Alternatively, you can click the Sign in another way button to log in using one of the following methods, the options available vary depending on whether you provided a secondary phone number:
   1. Mobile app notification – sends another notification to the Authy app
   2. Mobile app token – a code is displayed in the Authy app which can be entered in IAM to complete the login process
   3. Text message to primary number – a text message is sent to your primary number containing a code which can be entered in IAM to complete the login process
   4. Voice call to primary number – an automated voice phone call is sent to your primary phone number; the voice reads a code to be entered into IAM to complete the login process
   5. Text message to secondary number – a text message is sent to your secondary number containing a code which can be entered in IAM to complete the login process
   6. Voice call to primary number – an automated voice phone call is sent to your secondary phone number; the voice reads a code to be entered into IAM to complete the login process
      Note: If you fail to log in too many times using any of the methods, your account will be locked and must be unlocked by you IAM administrator before continuing.
8. If you selected the Mobile app token option, enter the seven-digit token on the Enter token from Authy app page, and then click Login.
9. If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
10. If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.
11. On the Answer Secret Questions page, enter the answers to your secret questions. The responses that you enter are masked for security purposes. Use caution to avoid typos, misspellings, etc.
12. Click Save and Proceed.
13. On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
    1. a.Must be a minimum of 7 characters
    2. b.Must contain at least 3 of the following:
       1. Numbers
       2. Capital letters
       3. Lower-case letters
       4. Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
    3. Is case-sensitive
    4. Can't be the same as your previous 24 passwords
14. Click Save and Proceed.
15. The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.

If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.

1. On the Log in page click the Forgot Password link.
2. When prompted, enter the User ID received in your Welcome email and then click Submit.
3. Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
4. Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
5. Click Reset your password.
6. On the Dayforce page, select how you want to log in:
   1. Text Message
   2. Voice Call
7. If you selected the text message option for either your primary or secondary phone numbers, enter the code sent to your phone in the Enter verification code field. If you did not receive the code, click the Resend link to have another code sent to your phone.
8. If you selected the Voice Call to option for either the primary or secondary phone number, enter the voice code in the field provided on the Enter Voice code page. If you did not receive the call, click the Call me with code again link.
9. On the Answer Secret Questions page, enter the answers to your secret questions. The responses that you enter are masked for security purposes. Use caution to avoid typos, misspellings, etc.
10. Click Save and Proceed.
11. On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
    1. a.Must be a minimum of 7 characters
    2. b.Must contain at least 3 of the following:
       1. Numbers
       2. Capital letters
       3. Lower-case letters
       4. Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
    3. Is case-sensitive
    4. Can't be the same as your previous 24 passwords
12. Click Save and Proceed.
13. The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.

If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.

1. On the Log in page click the Forgot Password link.
2. When prompted, enter the User ID received in your Welcome email and then click Submit.
3. Click OK on the Email Sent notification message. You will be redirected to the IAM Login page.
4. Check the email address associated with your IAM user account. You will receive an email to reset your password. The link provided in the email is valid for 3 minutes.
5. Click Reset your password.
   AnMFApage is displayed asking "How would you like to log in?"
6. Click your email address.
   An email is sent to your email address with a security code.
7. On the MFApage, enter the security code you received in your email.
8. Click Login.
9. On the Answer Secret Questions page, enter the answers to your secret questions.
10. Click Save and Proceed.
11. On the Set New Password page, enter and confirm your new password. The default password requirements set by Dayforce are that the password:
    1. a.Must be a minimum of 7 characters
    2. b.Must contain at least 3 of the following:
       1. Numbers
       2. Capital letters
       3. Lower-case letters
       4. Special characters including [~`!@#$%^&*()+=|\{}':;.,<>/?[\]""_-]
    3. Is case-sensitive
    4. Can't be the same as your previous 24 passwords
12. Click Save and Proceed.
13. The Password Changed message appears to let you know that the password has been reset successfully. Click OK to return to the Log In page and then enter your username and your new password.

If the user exists in IAM but has not completed the First Time User setup process, the user will be required to complete the First-Time User Process with MFA.

You can update your MFA settings in IAM using the Multifactor Authentication tab on the My Profile page.

To access your MFA settings:

1. Click the menu button, and then click My Profile.
2. Click the Multifactor Authentication tab.
3. Click Update MFA to launch the multifactor authentication setup process that we described in First-Time User Process with MFA Top.

A Customer IAM Admin user or Implementation Admin user can require a user to go through the first-time user setup by selecting either Send Welcome Email or Send Security Code options on the Users page. For MFA enabled organizations this will cause the user to enter their MFA settings again, thereby resetting them.

With the MFA settings reset, the user must go through the first time user process outlined in First-Time User Process with MFA Top.

If you want to reset only specific information

Dayforce Admins, Implementation Admins, and Customer Admin users can reset a user's MFA settings. The following settings can be reset:

• Primary Phone
• Secondary Phone
• Authy
• Email Address
• All MFA Registration