We are pleased to confirm the upcoming release of InPay V9.0. This will be available to you on 10 april 2023.
Listening to our users is important to us, and therefore we hope that you find these changes useful, and they help in streamlining your business processes. We always value feedback, so please contact account management if you wish to discuss anything further.
All previous release notes can be found here: InPay release notes.
EVERYTHING APART FROM THE START OF SENTENANCES MUST BE IN LOWER CASE, EVEN NAMES OF COLUMNS OR MODULES. BOLD ALL MODULE NAMES EVEN IF NOT LINKED.
Key highlights
Nest API connection - Internal/External. We are pleased to announce you can now connect via Nest API. You will be able to retrieve opt out information and send over contribution submissions without downloading or uploading data. This will be controlled within InPay with a direct connection to your account with Nest.
Multi-factor authentication Internal/External. We have introduced multi-factor authentication for InPay and our payslip portal. This will be available for all users. Using MFA gives enhanced security for a users' account.
New features:
Multi-factor authentication and administration: what is MFA?,
InPay authentication: how is it set up?, how do users login for the first time?, what happens if I have changed/lost my device?
Payslip portal authentication: how is it set up?, how do users login for the first time?, what happens if I have changed/lost my device?
Improvements:
New features details
Nest API connection - Internal/External
Following on from our People's Pension API connection, you can now connect to NEST. You are able to set this up immediately, with no requirement for switch on. Go to, company - pension schemes and enter your pension provider details. Then within processing - pension process you can enter the login details for NEST. Once connected your opt out information will be available for you to review and upload. You can also send a contribution file to NEST, this will automatically include a joiner's file. We have provided a reporting button, allowing you to download a copy of the data that is being uploaded. For full details on how to use this functionality go to pension process.
NP – 2218 & NP-2322 Multi-factor authentication and administration - Internal/External
What is MFA?
MFA is a two step process. You will log in to InPay and the payslip portal as normal, and then be required to enter a one time password. This password is generated by a mobile application authenticator. These can be downloaded via app stores, the most common ones are google authenticator and microsoft authenticator. When you go into your app, you will be given a one time password (which is time sensitive) to enter into the your login screen. This adds an additional layer of security to your data and login details, based on a password that only you know, and a one time password on a device that only you have.
InPay authentication:
How is it set up?
Firstly, make sure you have an authenticator app already downloaded on to your mobile device. Each individual user will need to have this on their own device.
If you have the security setting in your top menu bar, go to manage users. Search for the user and click edit, or click new if you are setting up the user for the first time. Within details you will see a dropdown field authentication type. Select time-based one-time password. Click save.
How do users login for the first time?
When you log in for the first time, after providing the username and password. You will then be presented with a QR code, and a verification code box. Scan the QR code using the authenticator app you have downloaded. The app will then provide you with a one-time 6 digit verification code, (this is time sensitive) enter the code in the box provided and click next, you will be successfully logged in.
After the initial login, you will no longer see the QR code. Simply enter your username and password you will then be prompted to enter your 6 digit verification code from your authenticator app, click next and you will be logged into InPay.
What happens if I have changed/lost my device?
If you lose or change your mobile device, or have had to reinstall the authenticator application, you may need to have your MFA reset. Within the user details you will have a reset totp authentication button, click this to reset. Once reset, you will follow the steps as above as a first time user. Please speak to your payroll representative, to reset this for you. Internal Payroll wont need to have clients contacting them. Who do they speak to? For Saas what will they do?
The MFA is applicable for both SSO and non SSO user.
| Login Type | Require MFA (if specified against user)? |
| Standard Pay Manager login (logging in with a username and password) | Y |
| Pay Manager login with SSO. Internal only | Y |
| Logging into Pay Manager via SSO from Intime | N |
| Logging into Pay Manager via Client Portal Reports Menu Option | N |
Payslip portal authentication
How is it set up?
Within the company - general screen, we have removed in the payslip portal section, the previous tick box for require two factor email has been removed. You will now see a authentication type dropdown. The options include password only, two factor-email, time-based one-time password.
when the company is configured with "Password Only" authentication type, Payslip Portal Users need to provide Username and Password for Non-SSO and Username alone for SSO Users - This is the same process as the previous "Require Two Factor Email" checkbox un-ticked. DO I NEED THIS? Shall I add it to MFA details?
when the company is configured with "Two Factor - Email" authentication type, Login of Payslip Portal Users goes through 2 step authentication process via Email - This is the same process as the previous "Require Two Factor Email" checkbox is ticked.
New authentication type "Time Based One-Time Password" is introduced.
How do users login for the first time?
Log into the payslip portal with your username and password as normal. You will then be presented with a QR code, and a verification code box. Scan the QR code using the authenticator app you have downloaded. The app will then provide you with a one-time 6 digit verification code, enter the code in the box provided and click next. You will then be logged into the payslip portal.
After the initial login, you will no longer see the QR code. Simply enter your username and password you will then be prompted to enter your 6 digit verification code from your authenticator app, click next and you will be logged into the payslip portal. 
What happens if I have changed/lost my device?
If the payslip portal user has lost the mobile phone or the authenticator app, then the RSM admin users can reset the MFA key via Security→ Payslip Portal Admin.
"Payslip Portal Admin" is a new page introduced specifically to display the payslip portal users details and reset the TOTP Authentication.
Admins can reset the Time Based One Time Password by clicking on "Reset TOTP Authentication" button.
Standard Companies:
Payslip Portal Admin page displays the details of payslip portal users and Authentication Type for a user is derived as follows:
- Non-linked Users: Authentication Type is same as that of "Authentication Type" drop-down value in Company > General page.
- Linked Users: If for one then will be for all.
1. If a user is linked to multiple companies, Two Factor Authentication will be required if at least one company has it enabled.
2. Time-Based One-Time Password takes precedence over Two Factor email. When a user is linked to multiple companies, one with Two Factor Email enabled and one with Time-Based One-Time Password enabled. Time-Based One-Time Password will be required on login in this case.
The MFA is applicable for both SSO and non SSO user and follows the below grid:
If a company has Time-Based One-Time Password enabled, and then this is changed back to "Password Only" or "Two Factor Email" then in the future this is changed back to Time-Based One-Time Password, the users who had previously registered with TOTP will be required to register again. The exception to this is if the user is linked to at least one other company with TOTP enabled at the time Time-Based One-Time Password is disabled.
Improvement details
LIST THEM