Multi-Factor Authentication - General Availability

With Multi-factor Authentication (MFA), Cornerstone provides support for time-based one-time passwords (TOTP), the most widely adopted two-step verification method and considered a secure method for MFA. Organizations can use this simple, smart, and secure two-factor authentication (2FA) solution to strengthen authentication into the Cornerstone standard login process.

Multi-factor Authentication includes the following features:

  • There are no dependencies on third-party providers or tools
  • This solution uses open, documented, and secure standards
  • Users can use a company smartphone or their own device, following company policies
  • The solution is highly configurable based on Location OU, Division OU, or individual users
  • It is easy for administrators to configure for quick enablement and rollout to a specific portal
  • The MFA page adopts the branding from the initial login page for login pages created with the Custom Login Page tool
  • MFA is independent of any existing or new single sign-on (SSO) integration. This MFA solution can also run in parallel to SSO.

MFA was previously available to customers as Early Adopter functionality while we continued to add essential new features. With the July ’24 Release, MFA is now considered generally available.

With the July ’24 Release, the Partner Access Administration page now includes tools for administrators to review MFA-related information for partner accounts and remove an existing MFA device from a partner account.

Partner Access Administration

A new MFA option is now available from the Partner Access Administration page. Administrators with appropriate permissions can select this option for a partner to view MFA-related information and remove an existing MFA device from the account.

This may be necessary if a partner cannot log in anymore because the existing registered mobile device is broken or unavailable. After the administrator removes the mobile device, the partner can register a new one as part of the initial login process.

To access Partner Access Administration, go to Admin > Tools > Core Functions > Partner Access Administration.

To view or remove a partner's registered Multi-factor Authentication device, select the Options drop-down and select the MFA option for the partner.

Integration Guide

Click here to download the Multi-factor Authentication Implementation Guide.

Considerations

  • When adding new OUs in the MFA Configuration page, all previously selected OUs must be re-selected. Otherwise, they will be removed from the list. We will improve this behavior in an upcoming release.
  • The following features are currently not supported:
    • External Candidates (Recruiting)
    • Cornerstone CSX mobile application
    • Support for email or SMS/text-message authentication
    • Self-Registration (Extended Enterprise) - Initial login and user creation are not supported, but MFA is supported for all subsequent logins
    • E-Signature features, such as training completion, where the user must sign with Cornerstone credentials
  • The copy-down process (from Production to Pilot/Stage) copies the MFA configuration, not individual mobile device registrations. End users who are required to log in with MFA must register a new mobile device while they log in to the Stage or Pilot portal for the first time.

Implementation

MFA can be self-activated via Core Preferences > Feature Activation Preferences. Once activated, administrators can configure the functionality via Core Preferences > Multi-Factor Authentication.

Glossary

  • MFA (Multi-factor Authentication) - This is a verification method in which users must verify their identity in multiple ways, such as a username and password plus an authentication code.
  • TOTP (Time-based One-time Password) - This is the most widely adopted two-step verification method and uses hardware the user already owns. This second layer of security is linked to a service by scanning a QR code displayed on the website or manually entering a code. Once the app and the web service are synchronized, the login process requires two steps: entering a username and password and confirming the one-time passcode generated by the software token.
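The glossary entry above describes the two halves of TOTP: a shared secret enrolled once (via QR code or manual entry) and a six-digit code that both the authenticator app and the web service derive from that secret and the current time. The following is an added illustration of that mechanism as specified in RFC 4226 (HOTP) and RFC 6238 (TOTP); it is not Cornerstone's code, and the issuer name, account name and 20-byte demo secret are constructed values chosen so the output can be checked against the published RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # seconds per code, the period used by common authenticator apps
DIGITS = 6       # code length shown to the user

# Constructed demo secret: the ASCII seed used by the RFC 4226/6238 test vectors.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift.

    Uses a constant-time comparison so the check does not leak how many
    leading digits matched.
    """
    counter = unix_time // TIME_STEP
    for drift in range(-window, window + 1):
        expected = hotp(secret, counter + drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


class TotpVerifier:
    """Verifier that also refuses to accept the same time step twice.

    Accepting a code only once per step blocks replay of a code that was
    observed in transit within its validity window.
    """

    def __init__(self, secret: bytes, window: int = 1) -> None:
        self.secret = secret
        self.window = window
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter = unix_time // TIME_STEP
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_accepted_counter:
                continue                              # already consumed or older: reject
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_counter = candidate
                return True
        return False


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// Key URI that enrollment QR codes encode (Base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    now = int(time.time())
    print("enrollment URI:", provisioning_uri("ExampleIssuer", "demo.user@example.test", DEMO_SECRET))
    print("current code:", totp(DEMO_SECRET, now))
    print("verifies:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

The `window` parameter is the usual compromise between user experience and exposure: each extra step accepted on either side adds 30 seconds of validity for an intercepted code, which is why the replay guard in `TotpVerifier` matters once a window larger than zero is allowed. With the demo secret, `totp(DEMO_SECRET, 59)` yields `287082` and `totp(DEMO_SECRET, 1111111109)` yields `081804`, the last six digits of the RFC 6238 SHA1 vectors.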

Permissions

The following existing permissions apply to this functionality:

Access Partner Authorization - Manage
  Description: Grants ability to manage partner authorized access to the portal via Partner Access Administration. This permission cannot be constrained. This is an administrator permission.
  Category: Core Administration

Core Features Activation
  Description: Grants ability to manage Core Feature Activation Preferences, in which administrators can enable and disable certain features. This permission cannot be constrained. This is an administrator permission.
  Category: Core Administration

MFA - Admin - User Device - Manage
  Description: Grants the ability to manage the user device information for Multi-factor Authentication. This permission works with the MFA - Admin - User Device - View permission. Administrators can delete devices for user records within their constraints. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission.
  Category: Core Administration

MFA - Admin - User Device - View
  Description: Grants the ability to view the user device information for Multi-factor Authentication. Administrators can view the page for user records within their Users - View permission constraints, and additional constraints can be added to this permission. This permission can be constrained by OU, User's OU, User's Self, User Self and Subordinates, and User. This is an administrator permission.
  Category: Core Administration

MFA Authentication Preferences - Manage
  Description: Grants the ability to view and configure Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission.
  Category: Core Administration

MFA Authentication Preferences - View
  Description: Grants the ability to view the Multi-factor Authentication (MFA) preferences. This permission cannot be constrained. This is an administrator permission.
  Category: Core Administration