In this topic
- Introduction
- What is Multifactor Authentication (MFA)?
- Is MFA mandatory for everyone?
- How do I set up MFA?
- Do I have to provide an authenticator code every time I log in?
- What are the supported authenticator apps?
- What if I do not have access to a mobile device for MFA?
- How do I reset my authentication?
- Why won’t the code from my app work?
- Why won’t the code in my email work?
Introduction
This topic describes how multi-factor authentication (MFA) has been implemented in Ready pay (powered by ePayroll).
What is Multifactor Authentication (MFA)?
Multifactor Authentication (MFA) is a security methodology that requires you to provide more than one factor when verifying your identity. This makes it much more difficult for someone else to gain access to your information.
An MFA system requires that each user provide at least two methods of authentication to verify their identity before they are allowed access to a system.
Each method must come from a different one of three ‘factor’ groups:
- Something you know - e.g. a password, personal information
- Something you are - e.g. a fingerprint, retina scan
- Something you have - e.g. a mobile phone, a swipe card
When you log in to Ready pay (powered by ePayroll) and enter your username and password, you satisfy the ‘something you know’ factor.
By entering an MFA code from your authenticator app, you prove that you have the device that you configured it on, satisfying the ‘something you have’ factor.
Is MFA mandatory for everyone?
Yes, MFA is mandatory for everyone. As per ATO’s Operational Framework guidelines, all users accessing payroll software must have MFA enabled. You can read more about the guidelines here.
How do I set up MFA?
You will be prompted to set up MFA the first time that you log in to Ready pay (powered by ePayroll). The MFA Step by Step help topic contains more information on the individual steps.
Do I have to provide an authenticator code every time I log in?
This will depend on the type of MFA that you have configured.
Authenticator app
If you use an authenticator app, then you do not need to enter your code every time you log in unless you want to.
Ticking the Remember Me check box will remember you on your web browser for the following 24 hours, so you do not need to enter a code the next time you log in from that web browser.
However, if you access the application through a different browser or from a different computer you will be prompted to provide an authentication code when logging in.
Email Authentication
If you use email to receive an MFA code, then you will need to enter your code every time you log in.
Email is typically accessible from anywhere using a username and password, so it only really proves that you have a second ‘something you know’ factor, which comes from the same ‘factor’ group as your Ready pay (powered by ePayroll) username and password. Strictly speaking, this is not true MFA.
Email MFA is intended to be a backup method to be used if you don’t have a smartphone, or if you have one but cannot access it (temporarily). It is not intended to be the primary authentication method, particularly for people who are logging in regularly.
For this reason, if you choose to use email authentication there is no option to ‘remember’ the current device, and you will be required to request that a code be emailed to you each time you log in.
What are the supported authenticator apps?
Our MFA solution works with the Microsoft Authenticator and Google Authenticator apps. However, any authenticator app which complies with RFC 6238 is compatible, for example Authy, Okta Verify and LastPass.
What if I do not have access to a mobile device for MFA?
If you do not have access to a mobile device for MFA, you can choose to receive an email code instead.
This method is primarily intended as an alternative way of authenticating temporarily. It is not intended to be the primary method of authentication.
To use email MFA:
- If you are setting up for the first time, click the ‘Use Email Instead’ link at Step 2 of the Setup wizard.
- If you have already set up MFA and want to receive a code via email as a one-off, click the ‘Use Email Instead’ link when prompted to enter your authenticator code.
How do I reset my authentication?
You may wish to reset your MFA, for example, if you have lost your mobile device or want to invalidate sessions where you have ‘remembered’ your MFA login.
To reset your MFA:
- Click My Account in the navigation menu
- Click Multifactor in the drop-down
- Click the Reset MFA button in the MFA status widget
- Click Proceed with Logout in the confirmation dialog.
You will be asked to enter your login credentials and will be prompted to re-configure MFA.
Why won’t the code from my app work?
The most likely reason that your code is not working is that the time on your mobile device is set incorrectly.
The code that is generated by your authenticator app is a time-based one time password (OTP). Each OTP code in your authentication app is generated using a ‘shared secret’ (think of this like a password) and the date/time on your mobile device. The code that is generated expires 30 seconds after the time that it is generated.
When you enter your MFA code into Ready pay (powered by ePayroll), we generate our own 6 digit OTP code using the same ‘shared secret’ and the current date/time on the server. We then check that the OTP code we generated is the same as the one that you entered.
Since each code from the app is only valid for 30 seconds, if the time on your device differs from the time on the server by more than 30 seconds, the generated codes will be different and you will not be able to log in.
To ensure that the codes your authenticator app generates are valid, you should ensure that the time on your device is correct. Configuring your mobile device to set the date and time automatically will ensure that the time on your mobile device stays correct.
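The following is an added illustration, not Ready pay (powered by ePayroll) code, of the RFC 6238 check described above: both sides derive a 6-digit code from the shared secret and the current 30-second time step, so a device clock that is out of step produces a code the server rejects. The shared secret is the reference key from the RFC (constructed for this example), and the times are constructed Unix timestamps.

```python
# Added example (not Ready pay / ePayroll code): RFC 6238 TOTP, showing why a
# wrong device clock produces a code the server will not accept.
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # each code lives for one 30-second step
DIGITS = 6          # the server compares a 6-digit code

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, unix_time // step)

def server_accepts(secret: bytes, submitted: str, server_time: int) -> bool:
    """Server side: regenerate the code from the shared secret and the server clock,
    then compare in constant time. No drift tolerance, as the topic describes."""
    return hmac.compare_digest(totp(secret, server_time), submitted)

# Constructed shared secret: the RFC 6238 reference key (ASCII "12345678901234567890"),
# shown here in the base32 form an authenticator app would normally be given.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SECRET = base64.b32decode(SECRET_B32)

def drift_demo(server_time: int = 59, device_offset: int = 36):
    """Compare the code a correctly-set phone shows with one whose clock is
    `device_offset` seconds fast. Returns (correct_code, drifted_code, accepted)."""
    good = totp(SECRET, server_time)
    drifted = totp(SECRET, server_time + device_offset)
    return good, drifted, server_accepts(SECRET, drifted, server_time)

if __name__ == "__main__":
    good, drifted, ok = drift_demo()
    print(f"phone on time: {good}  phone 36 s fast: {drifted}  accepted: {ok}")
```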
Why won’t the code in my email work?
The most likely reason that your code is not working is that it has expired.
Email codes are valid for 30 minutes from the time they are generated. If your email takes a while to arrive, the 30 minute ‘counter’ will have started earlier than the time that you received the email, so your code may expire less than 30 minutes after you receive it.
An email code also expires automatically if a subsequent request for an email code is made. For example, if you click the ‘email code’ button twice you will receive two emails, but only the later email will have a valid code, because the second request will have invalidated the first code.
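As an added illustration (not Ready pay (powered by ePayroll) code), the store below applies the two rules just described on the server side: a code expires 30 minutes after it is generated, not received, and a newer request replaces any earlier code for the same user. The user name and timestamps are constructed for the walkthrough.

```python
# Added example (not Ready pay / ePayroll code): server-side email-code store
# implementing "valid 30 minutes from generation" and "a new request invalidates the old code".
import hmac
import secrets

CODE_TTL_SECONDS = 30 * 60

class EmailCodeStore:
    def __init__(self):
        self._pending = {}   # user -> (code, issued_at); only the latest request is kept

    def request_code(self, user: str, now: int) -> str:
        """Generate a fresh 6-digit code; overwriting the entry is what invalidates the earlier one."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, now)
        return code

    def verify(self, user: str, submitted: str, now: int) -> bool:
        """Accept only the latest, unexpired code, and consume it so it cannot be reused."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        code, issued_at = entry
        if now - issued_at > CODE_TTL_SECONDS:   # measured from generation, not delivery
            del self._pending[user]
            return False
        if not hmac.compare_digest(code, submitted):
            return False
        del self._pending[user]
        return True

def scenario() -> dict:
    """Walk through the two failure modes from the topic plus the normal path (constructed timestamps)."""
    store = EmailCodeStore()
    first = store.request_code("user@example.invalid", now=0)
    second = store.request_code("user@example.invalid", now=60)     # second click supersedes the first
    third_user = "user@example.invalid"
    results = {
        "first_after_second_click": store.verify(third_user, first, now=120),
        "second_after_31_minutes": store.verify(third_user, second, now=60 + CODE_TTL_SECONDS + 1),
    }
    third = store.request_code(third_user, now=2000)
    results["third_within_window"] = store.verify(third_user, third, now=2000 + 1500)
    results["third_reused"] = store.verify(third_user, third, now=2000 + 1501)
    return results
```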