Contents
- Login details
- Authentication
- What is MFA? Why is it important?
- How often will users have to enter multi-factor authentication?
- How do authenticator apps work?
- What authenticator app should we use?
- What happens if someone changes or loses their phone?
- What happens if someone can't get the code from the app to work?
- We don't provide mobile devices and our users don't want to use personal devices - is there another option?
- Security
Advanced SSO and MFA FAQs for admins
Updated by Katy Harrison
What is SSO?
Single Sign-on (SSO) is a user authentication method that makes it easy to centrally manage application access and enables users to securely authenticate with multiple applications by using just one set of credentials. SSO not only makes it easy to centrally manage access to multiple applications or user accounts, but it also enables users to sign into a user portal with their existing corporate credentials and access all their assigned accounts and applications from one place.
Some of our products (like Care Cloud, Advanced Financials and Advanced HR) have SSO already. You may hear this referred to as Advanced SSO or ASSO. We are introducing multi-factor authentication via our MyWorkplace platform.
You can read more about SSO, MFA and why it's important in our short explainer.
Login details
Someone has forgotten their username
You can check someone's username by going to Users in MyWorkplace, then searching for the person by name. You will see their username in the first column.
Someone has forgotten their password
Users can reset their own password by going to the login page and entering their username or email address. They will see an option for 'Forgot password'. Clicking on this button will send them an email with a link to set a new password.
See how to reset a user's password for them here.
Authentication
What is MFA? Why is it important?
You can read about MFA and why it's important in our short explainer.
How often will users have to enter multi-factor authentication?
If your organisation is using the MFA functionality provided by Advanced SSO, users will have to enter an MFA code each time they log in to an Advanced application. This applies to all logins, including those due to inactivity and expired sessions. The frequency of MFA challenges can't be modified.
You can set up SSO between your Advanced organisation and another identity provider, such as Microsoft Azure Active Directory, Google Identity, or Okta. This means users can use their existing login details to access their Advanced account, and it means the settings for multi-factor authentication are controlled by your organisation separately from Advanced SSO.
Read our guide on setting up a federation.
How do authenticator apps work?
Authenticator apps are applications that generate time-based, one-time passcodes (TOTP or OTP) that can be used for multi-factor authentication. They work by storing a secret key provided by the service the user is signing in to, and using it to create a six- to eight-digit code that changes every 30-60 seconds.
Advanced SSO uses the same algorithm to generate a code based on the current time and the secret key, and compares it to the code from your app. If the codes match, you are granted access.
Because the code is generated based on the current time and a shared secret key, it is unique and can only be used once, making it more secure than traditional static passwords. This enhances the security and convenience of logging in to apps and platforms.
What authenticator app should we use?
Users can use any authenticator app, but you may want to choose a preferred option and communicate this to your users. These are some popular options.
Encryption | Platforms | Cloud backup | Offline support | Benefits
All your data is safely stored offline on your device. If you're using cloud sync, the communication between your phone and your cloud backup or browser is end-to-end encrypted by default. | Android, iOS, and browser extension | Yes | Yes | + Simple and easy to use + Encrypted cloud backups to iCloud or Google Drive
Stores an encrypted copy of your accounts in the cloud. The account is encrypted/decrypted inside your phone so neither Authy nor anyone affiliated with Authy has access to your accounts. | Android, iOS, Windows, macOS, Linux | Yes | Yes | + The encrypted cloud backup means only you can ever access your information - Requires you to enter your phone number so it's not as independent as the other app options
Not end-to-end encrypted when connected to your Google account. You can use offline for more secure encryption. | Android, iOS, Chrome | Yes | Yes | + Connects to your existing Google account + Can use alongside Google Password Manager
Passwords in the cloud are encrypted and decrypted only when they reach your device. | Android, iOS | Yes | Yes | + Connects to your Microsoft account + Includes a lot of extras, including password management, verified IDs, addresses and payment card information + Backs up in the cloud if you turn on account recovery
What happens if someone changes or loses their phone?
Users may be able to transfer MFA accounts to a new phone, or access cloud backups, depending on which authenticator app they are using.
You can reset a user's MFA settings to allow them to set up a new authenticator app. Go to Edit user, then on the user details tab click on the Reset MFA settings button on the right.
The next time the user goes to the login screens they will be taken through the steps to set up MFA again.
What happens if someone can't get the code from the app to work?
If a user is setting up MFA for the first time, they might have accidentally entered an incorrect code. They should delete the account in their authenticator app, re-scan the QR code to create a new account in the app, then enter the new code.
If they have used MFA to log in before, they should wait for a new code to be generated and try again. Authenticator apps create a new code every 30 or 60 seconds.
If they still can't get access to their account, you can reset their MFA settings. Go to Edit user, then on the user details tab click on the Reset MFA settings button on the right. They can then go to the login screens and set up the authenticator app again. This should resolve the issue.
If this still doesn't work, they can contact the app provider for support or you can contact Advanced Support for assistance.
We don't provide mobile devices and our users don't want to use personal devices - is there another option?
You have the option to allow users to use email for multi-factor authentication. This means a code would be sent to the email address connected to their Advanced account.
You may not want to allow this option because it is not as secure as using an authenticator app. If you choose to allow email MFA, you should help your users make this as secure as possible by encouraging them to enable MFA on their email account, and use a different password for their email account and Advanced account.
Security
Is our data safe?
We're asking everyone to use multi-factor authentication to access their Advanced software so that we can ensure your data is safe from malicious attacks. Using two forms of authentication increases security and can help prevent unauthorized account access, especially in the situation where passwords may have been compromised. Your users will most likely have experience of MFA in their personal lives when accessing online banking, transacting online or accessing other apps.
How can we prevent admins from getting locked out when MFA is turned on?
The best thing you can do to make sure you don't lose access to your system is to establish at least two accounts that have permissions to manage users and MFA settings. This way, if one account is locked out, you can use the other account to restore access.
See how to manage admin permissions here. You can always contact us through Advanced Support if you lose access.
Some of our users access Advanced applications from shared devices, how does Advanced SSO work then?
Your users can still use your Advanced applications as normal from shared devices once you're using Advanced SSO. Just make sure that they log out when they're done and close any browser windows as they normally would. This will end their session and the next person to use the device will be directed to log in with their own details.
You can end a user's session and log them out from the Sessions tab in Users.
Who do I contact for support?
Contact Advanced Support if you need further help to solve your problem.
Never share a verification code with anyone else.