Multifactor for InPay and payslip portal
- Kelly Collins
What is MFA?
MFA is a two-step process. You enter your username and password as usual within your login screen and then you are asked to enter a one-time password. This password is generated by a mobile application authenticator. These can be downloaded via app stores, the most common authenticators are google authenticator and microsoft authenticator, but others are available.
When you use the authenticator, you will be given a one-time password (which is time sensitive) to enter in the login screen. This adds an additional layer of security to your data and login details, based on a password that only you know, and a one-time password on a device that only you have.
If you are using your own single sign on provider to log in to our systems, and/or have your own MFA set up, you may not require RSM's multi-factor to be set up.
MFA can be used alongside single sign on if you wish to add another level of security. When a user clicks on the single sign on button, they will be presented with the verification box to enter a code.
Please note:
If as a user, you are linked to multiple companies and one company has MFA this will be applied to all companies you log into within InPay.
If a company has time-based one-time password enabled, and this is changed to password only or two factor email, and then back to time-based one-time password, any users who had previously registered with TOTP will be required to register again.
InPay authentication: how is it set up?, how do users log in for the first time?, what happens if I have changed/lost my device? when can I use MFA?
Payslip portal authentication: how is it set up?, how do users log in for the first time?, what happens if I have changed/lost my device? when can I use MFA?
Multi-factor authentication and administration
InPay authentication:
InPay authentication will allow all users of InPay to sign in with their username and password and then be asked for a one-time password. If you are accessing InPay from RSM InTime you will not need MFA, as single sign on is activated. However, you can still set up MFA for an InPay user. If they log in via the InPay log in screen they will use MFA, if they are accessing InPay via RSM InTime they will only use the SSO option.
MFA for InPay is user specific, so not all users will need to have this applied.
How is it set up?
To be able to activate this for users, you will need to be an InPay admin user. If you have the security setting in your top menu bar, go to manage users.
Search for the user and click edit, or click new if you are adding a new user. You will see the dropdown field authentication type, select time-based one-time password, click save.
The user will now be required to log in via MFA.
How do users log in for the first time?
Firstly, make sure you have an authenticator app already downloaded on to your mobile device. Each individual user will need to have this on their own device.
When you log in for the first time, you will enter your username and password. Then you will then see a QR code, and a verification code box.
Scan the QR code using the authenticator app you have downloaded. The app will then provide you with a one-time 6 digit verification code, (this is time sensitive) enter the code in the box provided and click next, you will be successfully logged in.
After the initial login, you will no longer see the QR code. Simply enter your username and password and you will then be prompted to enter your 6 digit verification code from your authenticator app, click next and you will be logged into InPay.
What happens if I have changed/lost my device?
If you lose or change your mobile device, or have had to reinstall the authenticator application, you may need to have your MFA reset. Only an InPay admin user with access to manage users can do this.
Within the user details there is a reset totp authentication button, click this to reset. Once reset, follow the how do users login for the first time? steps above.
When can I use MFA?
You may have single sign on activated, multi-factor authentication can still be used with certain single sign on options.
| Login type | Can use MFA with this login type? |
| Standard InPay login (logging in with a username and password) | Y |
| Logging into InPay via SSO from InTime | N/A |
| Single sign on via your own portal | Y |
Payslip portal authentication
You can set multi-factor authentication up for users of the payslip portal. When selecting this option, it will apply to all users of the payslip portal as it is set at company level. Please make sure that all users are notified about this change, as they will need to have an authenticator on a mobile device to be able to log in to the portal.
How is it set up?
Within the company - general screen we have removed the previous tick box require two factor email. You will now see an authentication type dropdown. The options include password only, two factor-email, time-based one-time password. Once you have set this, all users will be required to use MFA to access the payslip portal.
How do users log in for the first time?
Log into the payslip portal with your username and password as normal. You will then see a QR code, and a verification code box. Scan the QR code using the authenticator app you have downloaded. The app will then provide you with a one-time 6 digit verification code, enter the code in the box provided and click next. You will then be logged into the payslip portal.
After the initial login, you will no longer see the QR code. Simply enter your username and password you will then be prompted to enter your 6 digit verification code from your authenticator app, click next and you will be logged into the payslip portal.
What happens if I have changed/lost my device?
If the payslip portal user has lost their mobile device or the authenticator app, you will need to reset their MFA key via security - payslip portal admin. Only someone with an administrator role will have the security menu.
You can use the search field or the page buttons at the bottom of the screen to search for users. There is a column that highlights the type of authentication the user has.
To reset a user's time-based one-time password, click reset TOTP authentication button.
When can I use MFA?
The MFA is applicable for both SSO and non SSO user and follows the below grid:
| Login Type | Can use MFA with this login type? |
|---|---|
| Standard payslip portal login (entering username & password) | Y |
| InPay - payslip - impersonate | N/A |
| InTime to payslip portal SSO | N/A |
| SSO into payslip portal via credentials own security - Payslips portal SSO screen | Y |