Multi Factor Authentication (Early Adopter)
Cornerstone is excited to support time-based one-time passwords (TOTP), the most widely adopted two-step verification method and considered a secure method for multi-factor authentication (MFA). This smart and secure two-factor authentication (2FA) solution builds stronger authentication into the Cornerstone CSX standard login process.
Multi-factor Authentication includes the following features:
- No dependencies to 3rd party providers or tools
- This solution uses Open, documented, and secure standards
- Users can use a company smartphone or their device, following company policies
- Highly configurable solution based on Location OU, Division OU, or individual Users
- Easy for admins to configure for quick enablement and rollout to a specific portal
- The solution is independent of existing or new single sign-on (SSO) integrations. The MFA solution can also run in parallel to SSO.
MFA was previously available in stage portals only during the Open Beta phase. With the March ’24 Release, MFA moves to the Early Adopter phase, and administrators can activate it in pilot and production portals.
The following new features are available with the March '24 release:
- Corporate Branding - The initial MFA login page adopts the branding from login pages created with the Custom Login Page tool
- Skip on subsequent logins - A new administrator setting enables organizations to skip the multi-factor authentication on subsequent logins
MFA is ready for testing as of February 29.
Two Factor Authentication
When this functionality is enabled, users are prompted for an authentication code after entering their username and password. The customer's authentication application generates the authentication code.
Considerations
- When adding new OUs in the MFA Configuration page, all previously selected OUs needs to be re-selected, otherwise they will be removed from the list. This will be improved with the July release.
- The following features are currently not supported:
- External Candidates (Recruiting)
- Cornerstone CSX mobile application
- Support for email or SMS/text-message authentication
- Self-Registration (Extended Enterprise) - Initial login and user creation is not supported, but MFA is supported for all subsequent logins
- E-Signature features, such as training completion, where the user must sign with Cornerstone credentials
- The copy-down process (from Production to Pilot/Stage) copies the MFA configuration, not individual mobile device registrations. End users who are required to log in with MFA must register a new mobile device while they log in to the Stage or Pilot portal for the first time.
Integration Guide
Click here to download the Multi-factor Authentication Implementation Guide.
Implementation
This functionality can be self-activated via Feature Activation Preferences. Once activated, administrators can configure the feature via Multi-Factor Authentication Preferences.
The permissions are automatically granted to the default System Administrator role upon enablement. Administrators must grant these permissions with the appropriate constraints to other roles, if necessary.
MFA is not ready to test at the start of UAT. Customers are encouraged to not activate this feature at the start of UAT; it is targeted to be ready for testing with the UAT 2 deployment to stage portals.
Workflow to Determine if MFA is Required for a User
The Cornerstone MFA solution uses the following process to check the MFA Configuration settings and identify which users need to log in with MFA:
MFA User Login Workflow
Frequently Asked Questions (FAQs)
Does a user require an email address to log in with MFA?
No. An email address is not required.
How many MFA devices can each user register?
Cornerstone MFA supports only one secret key, which will be created and associated with the user while registering a new device. Usually, this means one mobile device per user.
However, it is possible to register multiple devices by simply re-using the same QR code or secret key. For example, when a user registers a mobile device using the QR code, the user can register two mobile devices using the same QR code.
What is the maximum number of MFA secret code attempts, and will the user account be locked after multiple failed MFA code attempts?
The account will not be locked after failed attempts. However, after three attempts, the user must log in with their username and password again for authentication.
When modifying an MFA configuration, how long does it take before the changes made by an administrator take effect?
There could be a delay of up to 15 minutes due to various caching mechanisms before the new MFA configuration takes effect.
What should a user do if they must log in with MFA, but the MFA code does not work, or the mobile device is no longer available?
The user must contact the CSX administrator through an offline process such as email or an internal ticketing system. The CSX administrator has two options:
- Remove the device from the user so the user must register a new device as part of the first-time login process.
- Add the user to the individual exception list for a certain period so the user does not need to log in with MFA temporarily and can replace the device in My Account.
Is it possible to restore a device using the Secret Unique Key?
Yes. Regardless of whether a user has registered the MFA device using a QR code or manually using the secret unique key, the user can store the unique key securely.
If a user loses access to the authentication app, they can use the secret key to register a new device and regain access to their account.
If MFA is enabled for all users, is there any impact on service accounts used for integrations and APIs?
No. There is no impact. MFA affects the standard login process but does not impact any existing integration via APIs.
Is it possible to authorize a single authentication application? For example, can my organization authorize users to use only Authentication App 1 but block Authentication App 2 and 3?
The CSX MFA solution supports the TOTP algorithm, which many applications support. There is no way to authorize or block specific TOTP applications. However, customers can create and point to a custom MFA online help page with clear instructions to end users on which authentication applications should be used following your corporate policies.
The "skip on subsequent logins" feature defaults to 24 hours. Is this configurable?
No. The default is 24 hours, and this is not configurable.
Glossary
- MFA (Multi-factor Authentication) - This is a verification method in which users must verify their identity in multiple ways, such as user name and password and an authentication code.
- TOTP (Time-based One-time Password) - This is the most widely adopted two-step verification method and uses hardware the user already owns. This second layer of security is linked to a service by scanning a QR code displayed on the website or manually entering a code. Once the app and the web service are synchronized, the login process requires two steps: entering a username and password confirming the one-time passcode generated by the software token.
Permissions
The following new permissions apply to this functionality:
| PERMISSION NAME | PERMISSION DESCRIPTION | CATEGORY |
| Core Features Activation | Grants ability to manage Core Feature Activation Preferences in which administrators can enable and disable certain features. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - Manage | Grants the ability to manage the user device information for Multi-factor Authentication. This permission works with the MFA - Admin - User Device - View permission. Administrators can delete devices for user records within their constraints. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA - Admin - User Device - View | Grants the ability to view the user device information for Multi-factor Authentication. Administrators can view the page for user records within their Users - View permission constraints, and additional constraints can be added to this permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission. | Core Administration |
| MFA Authentication Preferences - Manage | Grants the ability to view and configure Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |
| MFA Authentication Preferences - View | Grants the ability to view the Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission. | Core Administration |