Multifactor Authentication for the Dayforce application

Tip: This page is for customers using Dayforce Time and Attendance for Powerpay.

Multifactor Authentication (MFA) is an electronic authentication method in which a user is granted access to an application only after successfully presenting two or more types of evidence to verify their identity. In Dayforce, this evidence is knowledge (the user’s credentials) and possession (a mobile phone or land line that has been registered with the user’s Dayforce account). Prompting the user to verify their identity in this manner safeguards the user’s personal information in targeted security attacks because even if a user’s credentials are compromised, the malicious actor will still be required to provide the possession evidence to access Dayforce.

Anchored in modern technology, MFA provides organizations peace of mind for the overall security of their systems from unauthorized access to confidential and critical data while saving unexpected costs for security. The primary benefits of Dayforce MFA include:

  • Reducing the risk of security breaches by providing multi-step authentication for accessing sensitive data

  • Providing peace of mind for your employees by demonstrating your commitment to protecting their personal information.

  • Deploying MFA across your organization easily and without incurring additional costs.

To encourage the use of additional security measures, a set of native multifactor authentication features are added to Dayforce, focusing on quick and easy configuration and registration processes.

Key Features

  • MFA features are integrated directly into the Dayforce platform with no need to establish a relationship or contract with a third party.

  • Registration by end-users is fast and simple.

  • MFA is applied to Dayforce native authentication (Dayforce-specific credentials) users in the web application based on their current role(s), including support for Pre-Start new hire and Terminate roles.

  • During the authentication process, users can verify their identities using four options:

    • Using the Authy mobile app

    • SMS text message or voice call

    • Authenticator App Code

    • Email

Tasks

When multifactor authentication (MFA) is enabled, users who currently have any of the roles included in the MFA configuration are required to complete the registration process the next time they sign into the Dayforce web application. Users are not able to bypass the registration process if it is required.

  1. Log into Dayforce as usual.

    After your credentials are verified, the login process checks your current roles to determine if any require multifactor authentication. If your role is subject to MFA, and you are not yet registered, you are directed to the MFA registration wizard.

    Important: When MFA registration is required, your Dayforce session will not start until the registration is complete. When the registration is complete, the registration wizard will then direct you to your usual starting point within Dayforce.

  2. Set up Multifactor Authentication.

    1. Select your preferred verification method.

    2. Click Continue.

      The wizard prompts you to provide information to verify your identity.

  3. Add Contact Information to verify your identity for your verification method.

    1. Enter a phone number, then you choose text message or voice call as the method for receiving the one-time code.

    2. Click Continue.

    3. Enter the code received in the Verification Code field. Your phone number is now verified. You also have the option to enter a secondary phone number.

    4. Click Continue.

    5. Set up Twilio Authy App using the links to the App Store or Google Play using your verified phone number.

      Note:

      If you skip this process, you can still access Dayforce as you have at least one phone number that can be used to verify your identity. However, if the Twilio Authy registration process is not completed, that verification option is not available.

      1. Resend the Verification Code via text message or voice call by clicking on the appropriate link.

      2. (Optional) Enter a secondary phone number.

        Note:

        To complete these steps at a later time:

        1. Go to the Security page.Closed From the Main menu, select Profile > Settings > Security.

        2. Scroll down to the Multifactor Authentication section.

        3. Click Edit.

        4. Follow the steps for Twilio Authy set up.

    1. Enter a phone number, then choose text message or voice call as the method for receiving the one-time code.

    2. Enter the code received in the Verification Code field. Your phone number is verified and is used for multifactor authentication.

    3. Resend the Verification Code via text message or voice call by clicking on the appropriate link.

    4. (Optional) Enter a secondary phone number.

    1. Set up the Authenticator by creating an account in your Authenticator app using either Method 1 or 2:

      • Method 1: Manually enter the Secret Key and Account that is displayed.

      • Method 2: Scan the QR Code displayed.

    2. Once you’ve created your account, return to the original screen to continue.

    3. Enter the one-time password that was sent to your Authenticator app, when prompted.

    1. Enter an email address.

      A code is emailed to you from sender [email protected].

    2. Click Continue.

    3. Enter the code in the Verification Code field when prompted.

      Note: The code expires in 10 minutes. Click the Resend Verification Code link to send it again.

    4. Click Continue.

    5. If you do not receive the email, check your spam folder, and add [email protected] to your address book.

  1. Go to the Security page.Closed From the Main menu, select Profile > Settings > Security.

  2. Scroll down to the Multifactor Authentication section.

    Your registered method for MFA is displayed.

  3. Click Edit to set up a new MFA method and/or change the information used for verification.

Administrators can search for registered Dayforce MFA users and act on their registration details using the User Management page.Closed From the Main menu, select System Admin > Multifactor Authentication > User Management. This page is designed for application-wide administration of MFA registration details and the primary uses of this screen are to:

  • remove a company phone number from a user so it can be reallocated.

  • remove a phone number or email registration so the user can register a new phone number or email

  • remove the Twilio Authy App or Authenticator App registration so the user can register a new device or a different verification method

  • completely remove the user’s registration to force them to re-register.

A filter panel allows the administrator to search for one or more users using information available from the user MFA registration process. The filter results include the phone numbers used in the registration process and indicates if the user has set up the Authy mobile app or Authenticator app.

  1. Go to the User Management page.Closed From the Main menu, select System Admin > Multifactor Authentication > User Management.

  2. Select one or more users by checking the box to the left of their name.

    The Reset MFA menu button allows the administrator to select an appropriate action from among the following:

    • Reset Primary Phone – Removes the primary phone number from the user’s registration. It is important to note that this action also removes the user’s Authy mobile app registration (if it exists) because it is linked to the user’s primary phone number. Also, if a secondary phone number exists, it is made primary to ensure the options presented to the user the next time identity verification is required are properly reflected. After this action, the user can be directed to update their registration as needed using the Multifactor Authentication section of the Security page.Closed From the Main menu, select Profile > Settings > Security.

    • Reset Secondary Phone – Removes the secondary phone number from the user’s registration. Following this action, the user can update their registration as needed using the Multifactor Authentication section of the Security page.Closed From the Main menu, select Profile > Settings > Security.

    • Reset Authy – Removes the Authy mobile app information from the user’s MFA registration. After this action, the user can complete MFA using the options available based on their registered phone numbers (SMS or voice call). If necessary, the user can be directed to update their registration using theMultifactor Authentication section of the Security page.Closed From the Main menu, select Profile > Settings > Security.

    • Reset Authenticator App – Removes the Authenticator app from the user’s registration.

    • Reset Email – Removes the email address from the user’s registration.

    • Reset All MFA Registration – Completely removes the user’s MFA registration details from Dayforce. If the user is still subject to MFA, they are prompted to complete the setup process again the next time they login to Dayforce.