Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) improves account security by requiring a one-time passcode in addition to the username and password for any login to a user account. The one-time passcode (OTP) is required once every seven days for each device, and can be received by email, by SMS message, or from an app-based token. MFA is strongly recommended for all user accounts.
Caution: MFA is required for manager-role user accounts. You cannot turn off MFA for these accounts.
Note: MFA applies only to Basic Authentication, not to Federated Authentication. MFA is required for Basic Authentication, and this topic describes how to set up and use MFA for Basic Authentication only. For Federated Authentication, single sign-on (SSO), or authentication by way of other applications, refer to the Authentication topic or to the documentation for those applications.
By default, MFA is turned on for all user accounts. You can turn off MFA only for employee user accounts; however, it is strongly recommended that these accounts also use MFA.
Note: MFA is required for Seed user accounts but not for API-only user accounts.
- The administrator must have the MFA required access control point (ACP) turned on as follows:
Note: For details, see the Manager - Common Setup ACPs topic.
  - Click or tap Main Menu > Administration > Application Setup > Access Profiles > Function Access Profiles.
  - Select the profile and click or tap Edit.
  - Select Manager - Common Setup.
  - In People Editor > Access user account > MFA required, set Access Scope to Allowed. This allows a manager or administrator to override multi-factor authentication (MFA) in People Information for an employee.
  - Click or tap Save.
- Turn off MFA for an employee as follows:
  - Click or tap Main Menu > Maintenance > People Information.
  - Select the employee.
  - In Information > Employee Status, clear MFA Required.
  - Click or tap Save.
- Turn on MFA for an employee as follows:
  - Click or tap Main Menu > Maintenance > People Information.
  - Select the employee.
  - In Information > Employee Status, select MFA Required.
  - Click or tap Save.
Alternatively, you can turn off or turn on MFA for employees by either of the following methods:
- Use the Person Update or Update Multiple Persons API with MFA Required set to False or True.
- Use the Data Import Tool as described in the Use the Data Import Tool topic.
The one-time passcode (OTP) is a string of digits derived from a secret seed that is stored when a device is registered. Each passcode is valid only for a short period of time. Together, the secret seed and the time limit ensure that the OTP is always changing and remains secret to everyone except the registered device and the service that registered it.
The OTP is sent as follows:
- By email (default) if the email address of the user account is in People Information.
- By SMS message if the phone number of the account is in People Information and your organization has the contract and part number for the SMS application.
- By app-based token, if the mobile device is registered as follows:
Turn on OTP by token
- Install an authenticator on your device as follows:
  - Navigate to the Apple App Store or the Google Play Store.
  - Search for, download, and install an authenticator app. The recommended authenticators are ForgeRock Authenticator and Google Authenticator.
- When you log in, do the following:
  - Select Token as the method when you first use MFA.
  - Scan the QR code according to the documentation for the authenticator and click or tap Next.
  - Enter the verification code that the app displays and click or tap Submit.
- If the device is not available when you log in:
  - Click or tap Use recovery code.
  - Record and store the recovery codes, or take a screenshot of this screen, for backup authentication if the device is missing, damaged, or lost.
  - Click or tap Log In.
Account lockout and OTP
(Only if MFA is enabled) If an account is locked because of too many failed attempts to log in with an OTP, do the following:
- Select the employee in the Timecard or schedule, then select Maintenance > People Information > Employee.
- In Account Locked, select Enabled to manually lock the account.
- Save the changes.
- Select the employee again.
- In Account Locked, select Disabled to manually unlock the account.
- Save the changes.
When you log in to UKG Pro Workforce Management:
- Enter your User Name and Password, and click or tap Log In.
- Select one of the configured methods to receive the one-time passcode (OTP): Email, SMS message, or app-based soft Token. Click or tap Log In and wait to receive the passcode.
- Enter the One Time Passcode and click or tap Log In.