Multi-factor authentication is an additional security option that requires information or hardware beyond a user's username and password. In the case of Core HR, we utilize a third-party Authenticator app that generates a new 6-digit security code every 30 seconds, which the user must enter in addition to their username and password. If a user does not have enough time to enter a security code, they can wait for the next security code to be generated and enter that one instead. Each security code can be used only once.
- Expand Setup and click Setup Properties from the Menu.
- Hover over General and click Security from the top-menu bar.
There are three options for enabling/declining multi-factor authentication when logging in.
- Administrator-only - Multi-factor authentication will be enabled for each administrator, but not for employees in the system. This is the minimum recommended level of usage for multi-factor authentication.
- Administrators and Employees - Multi-factor authentication will be enabled for each administrator and all employees in the system.
- Decline Multi-factor authentication Functionality - Multi-factor authentication will not be enabled for administrators or for employees in the system. LICENSEE acknowledges that Multi-factor authentication functionality has been offered and is recommended.
In addition to enabling multi-factor authentication, you will be required to select at least two security administrators. The selected administrators will have permission to make changes to multi-factor authentication settings and to reset an employee's multi-factor setup in the event that the employee no longer has access to their original authenticator app (such as losing their phone with the Authenticator app). If an admin is assigned to a role, you will need to update the role to have the security administrator setting.
Setting Up/Using Multi-Factor Authentication
- After signing in for the first time, the user will be prompted to set up multi-factor authentication for increased security when signing in to the software. If they do not already have an authenticator installed, the user will need to download the appropriate application onto their Android/iOS device. When ready, click Recovery Codes.
- They will be shown several recovery codes to use if they are unable to use their Authenticator app. These recovery codes must be stored in a safe location(s). Click Configure Authenticator.
- Using the Authenticator app on their phone, the user scans the QR code or enters the key shown below the QR code. If successful, they will receive a verification code. Enter the verification code into the appropriate Verification Code field and click Verify.
- If successful, they will receive the below message. Return to the login page to sign in.
- From this point forward, after signing in to the software with their username and password, they will be prompted to verify their identity by entering the code generated by their Authenticator app.