COMING SOON - before 31st July.
To meet ATO requirements, CloudPayroll will soon make Two-Factor Authentication (2FA) mandatory for all Kiosk users to protect employee Personally Identifiable Information (PII). Currently, CloudPayroll supports Time-based One-Time Password (TOTP) 2FA, which uses an authenticator app. Soon, a second option, email authentication, will be introduced.
With email authentication, employees receive a unique code via email each time they log in, which they enter on the Kiosk to complete login. No setup is required for employees with a valid email address; it will activate automatically once 2FA is enforced. Employees already using TOTP will continue with it, but if they lose access to their app (e.g., damaged phone), they can request a login code via email instead of needing a 2FA reset. Employees using email authentication can switch to TOTP at any time.
What Can You Do to Prepare for Mandatory 2FA?
We recommend checking that all employees have valid kiosk email addresses. To do this, go to People > Tools > Kiosk Management in CloudPayroll. Invalid addresses will be highlighted, and a warning will appear.
Employees can update their own email address in their Payslip Kiosk by going to My Account > Email/Username in the Kiosk.
If they cannot log in due to an invalid email (used as their username), you can update it for them in the Kiosk Management page—this may also update their username.
What Will Login Look Like for Your Employees?
Once 2FA becomes mandatory, employees will be prompted with a new verification screen after entering their username and password when logging into their CloudPayroll Kiosk.
At the same time, a verification code will be sent to the email address associated with their kiosk account.
Employees should enter the code into the ‘Authentication code’ field and click ‘Verify’ to complete the login process. Once verified, they will be directed to their CloudPayroll Kiosk Dashboard.
If the email hasn’t arrived, employees can click the ‘I didn’t get a code’ link below the ‘Authentication code’ field to request a new one.
As noted earlier, if an employee has TOTP (Time-Based One-Time Password) enabled but doesn’t have access to their authenticator app, they can choose the ‘Or email me a verification code…’ option to receive a code via email instead.
Mobile App Users
The verification process in the mobile apps will follow a similar flow. Employees will see a screen to enter their email verification code. If TOTP is enabled, they’ll also be prompted to enter their TOTP code, with the added option to request a verification code via email if needed.
A verification code is only required the first time an employee logs into the mobile app using their username and password.
After setting up their PIN, they’ll simply use that PIN for future logins.