Multi Factor Authentication (Early Adopter)
Cornerstone is excited to support time-based one-time passwords (TOTP), the most widely adopted two-step verification method and considered a secure method for multi-factor authentication (MFA). This smart and secure two-factor authentication (2FA) solution builds stronger authentication into the Cornerstone CSX standard login process.
Multi-factor Authentication includes the following features:
- No dependencies on third-party providers or tools
- Uses open, documented, and secure standards
- Users can use a company smartphone or their device, following company policies
- Highly configurable solution based on Location OU, Division OU, or individual Users
- Easy for admins to configure for quick enablement and rollout to a specific portal
- The solution is independent of existing or new single sign-on (SSO) integrations. The MFA solution can also run in parallel to SSO.
MFA was previously available in stage portals only during the Open Beta phase. With the March ’24 Release, MFA moves to the Early Adopter phase, and administrators can activate it in pilot and production portals.
The following new features are available with the March '24 release:
- Corporate Branding - The initial MFA login page adopts the branding from login pages created with the Custom Login Page tool
- Skip on subsequent logins - A new administrator setting enables organizations to skip the multi-factor authentication on subsequent logins
MFA is ready for testing as of February 29.
Two Factor Authentication
When this functionality is enabled, users are prompted for an authentication code after entering their username and password. The customer's authentication application generates the authentication code.
Considerations
- When adding new OUs in the MFA Configuration page, all previously selected OUs need to be re-selected; otherwise they will be removed from the list. This will be improved with the July release.
- The following features are currently not supported:
  - External Candidates (Recruiting)
  - Cornerstone CSX mobile application
  - Support for email or SMS/text-message authentication
  - Self-Registration (Extended Enterprise) - Initial login and user creation is not supported, but MFA is supported for all subsequent logins
  - E-Signature features, such as training completion, where the user must sign with Cornerstone credentials
- The copy-down process (from Production to Pilot/Stage) copies the MFA configuration, not individual mobile device registrations. End users who are required to log in with MFA must register a new mobile device while they log in to the Stage or Pilot portal for the first time.
Integration Guide
The Multi-factor Authentication Implementation Guide is available for download.
Implementation
This functionality can be self-activated via Feature Activation Preferences. Once activated, administrators can configure the feature via Multi-Factor Authentication Preferences.
The permissions are automatically granted to the default System Administrator role upon enablement. Administrators must grant these permissions with the appropriate constraints to other roles, if necessary.
MFA is not ready to test at the start of UAT. Customers are encouraged to not activate this feature at the start of UAT; it is targeted to be ready for testing with the UAT 2 deployment to stage portals.
Workflow to Determine if MFA is Required for a User
The Cornerstone MFA solution uses the following process to check the MFA Configuration settings and identify which users need to log in with MFA:
[Figure: MFA User Login Workflow]
Frequently Asked Questions (FAQs)
No. An email address is not required.
Cornerstone MFA supports only one secret key, which will be created and associated with the user while registering a new device. Usually, this means one mobile device per user.
However, it is possible to register multiple devices by re-using the same QR code or secret key. For example, a user who registers one mobile device with the QR code can register a second mobile device by scanning the same QR code.
The account will not be locked after failed attempts. However, after three attempts, the user must log in with their username and password again for authentication.
There could be a delay of up to 15 minutes due to various caching mechanisms before the new MFA configuration takes effect.
The user must contact the CSX administrator through an offline process such as email or an internal ticketing system. The CSX administrator has two options:
- Remove the device from the user so the user must register a new device as part of the first-time login process.
- Add the user to the individual exception list for a certain period so the user does not need to log in with MFA temporarily and can replace the device in My Account.
Yes. Regardless of whether a user has registered the MFA device using a QR code or manually using the secret unique key, the user can store the unique key securely.
If a user loses access to the authentication app, they can use the secret key to register a new device and regain access to their account.
No. There is no impact. MFA affects the standard login process but does not impact any existing integration via APIs.
The CSX MFA solution supports the TOTP algorithm, which many applications support. There is no way to authorize or block specific TOTP applications. However, customers can create and point to a custom MFA online help page with clear instructions to end users on which authentication applications should be used, following their corporate policies.
No. The default is 24 hours, and this is not configurable.
Glossary
- MFA (Multi-factor Authentication) - This is a verification method in which users must verify their identity in multiple ways, such as user name and password and an authentication code.
- TOTP (Time-based One-time Password) - This is the most widely adopted two-step verification method and uses hardware the user already owns. This second layer of security is linked to a service by scanning a QR code displayed on the website or manually entering a code. Once the app and the web service are synchronized, the login process requires two steps: entering a username and password, and confirming the one-time passcode generated by the software token.
Permissions
The following new permissions apply to this functionality:
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| --- | --- | --- |
| Core Features Activation | Grants ability to manage Core Feature Activation Preferences in which administrators can enable and disable certain features. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - Manage | Grants the ability to manage the user device information for Multi-factor Authentication. This permission works with the MFA - Admin - User Device - View permission. Administrators can delete devices for user records within their constraints. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - View | Grants the ability to view the user device information for Multi-factor Authentication. Administrators can view the page for user records within their Users - View permission constraints, and additional constraints can be added to this permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA Authentication Preferences - Manage | Grants the ability to view and configure Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| MFA Authentication Preferences - View | Grants the ability to view the Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |