In today's digital landscape, protecting sensitive data within cloud-based platforms like Workday is paramount. As more organizations leverage these platforms for critical HR and financial information, robust security measures become imperative. Multi-factor authentication (MFA) emerges as a powerful solution, bolstering security beyond traditional password protection.
MFA implements a two-step verification process. While usernames and passwords remain the initial access point, MFA introduces a secondary authentication factor, significantly strengthening the overall security posture. This additional layer can take various forms, including:
The initial step in this process is to choose which authentication techniques to use. Workday provides various methods, including:
Reflecting on the various methods of MFA is like examining a toolbox filled with different tools to secure your digital world. Each method serves a unique purpose, offering its own blend of security and convenience.
Pro Tip
For distinct user groups, you can activate various forms of MFA:
i. Security Access Configuration
Before enabling MFA in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains for the task and any additional actions.
Here's a breakdown of this prerequisite:
Relevant Domains
Depending on the chosen MFA method (e.g., SMS verification, authenticator app integration), access to specific Workday domains might be required. The following domains house the settings and configurations related to that particular MFA method.
Pro Tip
The Signons and Attempted Signons report is a powerful tool for monitoring user access and MFA usage within your Workday environment. By leveraging this information, you can ensure a more secure login environment and potentially improve MFA adoption rates.
ii. Tenant Configuration
Prerequisite: After getting security access, you must set up MFA providers in the tenant before you can specify them on authentication policies. Challenge questions are the exception.
Pro Tip
IT Admins can use Workday's MFA management features, such as exemptions, grace periods, and policy resets, by configuring the Edit Workday Account task for individual users. This allows you to achieve a balance between security and user experience. Remember, a well-managed MFA implementation strengthens your Workday security posture without creating unnecessary hurdles for legitimate users.
After enabling the provider or providers, you must create authentication rules. Workday uses these authentication rules to establish the sign-in prerequisites for various user groups, which are defined by the security groups to which the users are assigned. An authentication policy can contain many authentication rules.
Steps
1. Navigate to the Manage Authentication Policies report and edit the authentication policy to which you want to add your authentication rules.
2. To create a new blank authentication rule, click the addition (+) symbol located in the leftmost column of the Authentication Ruleset grid. One blank authentication condition is automatically included in a new authentication rule.
3. Name the rule by entering its name in the Authentication Rule Name field.
4. Choose which unconstrained security groups you want the rule to apply to in the Security Group box.
5. Name the authentication condition by entering its name in the Authentication Condition Name field. The fields in the remaining columns apply to this authentication condition.
6. In the Authentication Conditions column, select a condition under which members of the selected security groups can access Workday:
7. Choose the first authentication type that satisfies the set authentication criterion under the Allowed Authentication Types column.
For MFA, choose any of the following:
Note: Workday selects "Any" by default, which means that users meeting the authentication condition can sign in to Workday using any available authentication type. To restrict access, select "None" to block access using all available authentication types, or select "Specific" and configure at least one authentication type.
8. After adding all the necessary authentication conditions to the rule, arrange them in the order you want Workday to evaluate them.
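The rule structure from steps 1 to 8 can be modelled and checked offline. The following is an added example, not Workday code or a Workday export format: it audits a constructed policy for conditions left at the default "Any" and resolves which condition a sign-in would hit, assuming the first matching condition in the configured order decides. The field names, security group names, type labels, and the `network` attribute are all assumptions.

```python
# Constructed model of an authentication policy; not Workday's data format.
MFA_TYPES = {"authenticator_app", "otp_email", "otp_sms", "backup_codes"}  # assumed labels

POLICY = [  # constructed sample: one rule per security group, conditions in evaluation order
    {"rule": "HR Admins", "security_group": "HR_Administrator", "conditions": [
        {"name": "Off network", "when": {"network": "external"},
         "allowed": "Specific", "types": ["authenticator_app"]},
        {"name": "Everything else", "when": {}, "allowed": "Any", "types": []},
    ]},
    {"rule": "Contractors", "security_group": "Contingent_Worker", "conditions": [
        {"name": "External", "when": {"network": "external"}, "allowed": "None", "types": []},
        {"name": "Internal", "when": {}, "allowed": "Specific", "types": ["password"]},
    ]},
]

def audit(policy):
    """Return (rule, condition, finding) for conditions that do not restrict sign-in to MFA."""
    findings = []
    for rule in policy:
        for cond in rule["conditions"]:
            if cond["allowed"] == "Any":
                findings.append((rule["rule"], cond["name"], "left at default Any"))
            elif cond["allowed"] == "Specific":
                if not cond["types"]:
                    findings.append((rule["rule"], cond["name"], "Specific with no type configured"))
                elif not MFA_TYPES & set(cond["types"]):
                    findings.append((rule["rule"], cond["name"], "no MFA type in allowed list"))
    return findings

def resolve(policy, security_group, context):
    """Walk conditions in order; the first whose 'when' matches decides (assumption)."""
    for rule in policy:
        if rule["security_group"] != security_group:
            continue
        for cond in rule["conditions"]:
            if all(context.get(k) == v for k, v in cond["when"].items()):
                return cond["name"], cond["allowed"], cond["types"]
    return None, "no matching rule", []

if __name__ == "__main__":
    for finding in audit(POLICY):
        print(finding)
    print(resolve(POLICY, "HR_Administrator", {"network": "external"}))
```

The catch-all condition at the end of the first rule is the kind of entry the audit is meant to surface: it sits after a strict condition and quietly keeps the default.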
Workday automatically prompts users when they sign in using any MFA method. If you choose to use backup codes as an authentication factor, Workday shows them at the conclusion of the setup process. Workday advises you to give your users instructions on how to capture and safely preserve their backup codes.

For one-time passcode emails, the first time users sign in, Workday automatically prompts them to verify the email address to which it will send one-time passcodes.

For one-time passcode SMS, Workday automatically prompts users to set up an SMS one-time passcode when they log in. During setup, users pick a cell provider and choose, from a list of numbers, the cell phone number to which Workday will text one-time passcodes.
In summary, using MFA to secure sensitive data in Workday is a proactive way to reduce security threats and protect important data. Organizations may strengthen their defenses, adhere to legal requirements, and give staff members a safe environment in which to access and handle sensitive data by implementing MFA. Investing in strong security measures such as MFA is not only necessary but also strategically vital for enterprises that aim to protect their digital assets and uphold stakeholder confidence, given the ongoing evolution of cyber threats.