Multi Factor Authentication (Open Beta)

Cornerstone is introducing support for time-based one-time passwords (TOTP), the most widely adopted second-step verification method and a recognized secure multi-factor authentication (MFA) factor.

TOTP is an Internet Engineering Task Force (IETF) standard (RFC 6238, built on the HOTP algorithm of RFC 4226). The code is generated by a software token, typically an authenticator app, which makes it the most convenient and accessible method to roll out: it runs on a device the user already owns and needs no network connection to produce a code.

Multi-factor authentication includes the following key features:

  • There are no dependencies on 3rd-party providers or tools
  • This solution uses open, documented, and secure standards
  • Users can use a company smartphone or their own device, following company policies
  • The solution is highly configurable, based on Location OU, Division OU, or individual Users
  • It is easy for administrators to configure for quick enablement and rollout to a specific portal
  • The solution is independent of any single sign-on (SSO) integration and can run in parallel with SSO.

This functionality will be released in a post-release patch.

How Does this Enhancement Benefit My Organization?

This enhancement provides a simple, smart, and secure two-factor authentication (2FA) solution to build stronger authentication into the Cornerstone CSX standard login process.

Two Factor Authentication

When this functionality is enabled, users are prompted for an authentication code after entering their username and password. The code is generated by the authenticator application on the user's device; the user's authenticator app is the software token that was enrolled for that user.

Considerations

  • Currently, MFA is only available in English.
  • Currently, MFA is only available in Cornerstone's branding, including the background and logo.
  • The following features are currently not supported:
    • Cornerstone CSX mobile application
    • External Candidates (Recruiting)
    • Delivery of authentication codes by email or SMS/text message
    • Self-Registration (Extended Enterprise) - Initial login and user creation are not supported, but MFA is supported for all subsequent logins
    • E-Signature features, such as training completion, where the user must sign with Cornerstone credentials

Implementation

This functionality can be self-activated.

This functionality is targeted to be available in stage portals with the December 1 patch. MFA is not available in production portals during the Open Beta.

Additional documentation will be available in the MFA Open Beta Community. Beta Community Link: Beta Community

The new permissions are automatically granted to the default System Administrator role upon enablement. Administrators must grant these permissions, with the appropriate constraints, to other roles if necessary.

Glossary

  • TOTP (Time-based One-time Password) - This is the most widely adopted two-step verification method and uses hardware the user already owns. The second factor is linked to a service by scanning a QR code displayed on the website or by manually entering the secret key it encodes. Once the app and the web service share that secret, the login process requires two steps: entry of username and password, then confirmation of the one-time passcode generated by the software token from the shared secret and the current time.
  • MFA (Multi-factor Authentication) - This is a verification method in which users must verify their identity in multiple ways, such as a user name and password plus an authentication code.
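
The TOTP algorithm described in the introduction and in the glossary above, together with the server-side check that the Two Factor Authentication section describes, as an added example that is not part of this page and not Cornerstone's code. It implements HOTP (RFC 4226) and TOTP (RFC 6238), builds the key URI an authenticator app imports from the enrolment QR code, and verifies a submitted code with a small clock-drift window and replay rejection. The demo secret is the RFC 6238 test-vector key, the issuer and account names are illustrative, and the digit count, step length and drift window are assumptions; the page does not document the parameters Cornerstone uses.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, period: int = 30,
         digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of `period`-second
    steps since the Unix epoch. `at` is a Unix timestamp (defaults to now)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits, algorithm)


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     digits: int = 6, period: int = 30) -> str:
    """Key URI that authenticator apps import when the user scans the enrolment
    QR code; the Base32 secret is the value a user would otherwise type by hand.
    Issuer and account are illustrative values, not Cornerstone's."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode("ascii").rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Server-side check for the second login step. Accepts a code from the
    current step or up to `window` steps either side (clock drift), compares
    in constant time, and never accepts the same step twice (replay)."""

    def __init__(self, secret: bytes, period: int = 30, digits: int = 6,
                 window: int = 1, algorithm=hashlib.sha1):
        self.secret = secret
        self.period = period
        self.digits = digits
        self.window = window
        self.algorithm = algorithm
        self.last_accepted_step = -1  # would be persisted per user in a real deployment

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        if len(code) != self.digits or not code.isdigit():
            return False
        step = at // self.period
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue  # this step, or an older one, was already used: reject replay
            expected = hotp(self.secret, candidate, self.digits, self.algorithm)
            if hmac.compare_digest(expected, code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test-vector key, not a real user's.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "ExampleCorp", "jane@example.com"))
    print("current code:", totp(demo_secret))
```

The verifier records the last accepted time step so a code captured during one login cannot be replayed within the drift window, and it compares codes with `hmac.compare_digest` so the check does not leak how many digits matched. A real deployment would also rate-limit attempts per user, since a six-digit code offers only one million possibilities.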

Permissions

The following new permission applies to this functionality:

  • MFA - Admin - User Device - Manage
    • Description: Grants the ability to manage the user device information for Multi-factor Authentication. This permission works in conjunction with the MFA - Admin - User Device - View permission. Administrators can delete devices for user records within their constraints. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission.
    • Category: Core Administration
  • MFA - Admin - User Device - View
    • Description: Grants the ability to view the user device information for Multi-factor Authentication. Administrators can view the page for user records within their Users - View permission constraints, and additional constraints can be added to this permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission.
    • Category: Core Administration
  • MFA - Administration - Manage
    • Description: Grants the ability to view and configure Multi-factor Authentication (MFA). This permission cannot be constrained. This is an administrator permission.
    • Category: Core Administration
  • MFA - Administration - View
    • Description: Grants the ability to view the Multi-factor Authentication (MFA) configuration. This permission cannot be constrained. This is an administrator permission.
    • Category: Core Administration

The following existing permissions apply to this functionality:

  • Users - View
    • Description: Grants the ability to search for and view summary information about users in the portal via the Admin/Users screen. This permission can be constrained by OU, User's OU, User Self and Subordinates, and Users. If multiple constraints are added, these constraints are considered OR statements. This is an administrator permission.
    • Category: Core Administration