You are dealing with very sensitive data, so we want to provide you with options for extra protection. In addition to your regular password, you can also enable mobile token security. Just enter your mobile phone number into Small Improvements, and whenever your account is accessed from a new device, you’ll be asked for a token that is delivered to your phone.
About 2-Step Verification
2-Step Verification is a standard mechanism for securing access to vital systems. You can secure your Twitter account, your blog, and of course PayPal and your online banking with your phone. Even if a hacker steals your password, they won’t be able to log in from their computers, because each new device requires access to the SMS token.
But pure SMS tokens may not work if you’re in a remote area, or outside the country. So we use a service called Authy, which turns your phone into a secure token generator as well. Just download a mobile app for iOS or for Android, and you can create tokens without mobile reception.
End user screens
Here’s what it looks like to a user who just had 2-Step Verification enabled (either by HR, or by themselves). After entering the regular username and password, the user is prompted to enter a mobile phone number. One thing to note – a user will have to logout first to see the message below.
Once entered, the next screen asks for a mobile token. This can get delivered by SMS, or by installing the app Authy and having the code generated by the app. Once entered, the user is logged in. The device is now remembered, so the user doesn’t need to enter the code again for 30 days.
Every new device or browser however needs to get authorized again. And this is exactly what keeps hackers out: They might have gotten access to a user’s password (even by breaking in into another service which the employee was using the same password for), but since they don’t have an authorized device, they will get stopped at the mobile code screen.
Enable for individual users
The best way to test 2-Step Verification is to try it out on one sample user account, just so you get a feeling for using the option. Simply navigate to any user’s profile in the company directory list (for instance one user you just created for testing purposes), and click “Password and Security”
To locate the Directory visit the Administration tab and Directory, then the drop-down:
And you can enable 2-Step Verification on the user profile as well. Click “Manage.”
On the “Password and Security” menu, click “Enable 2-step Verification”
Roll-out to all employees
Once that works, our recommended rollout option is to enforce it for all admin accounts. Just navigate to Administration > Security, and enable 2-Step Verification there.
Once you save, it is active from the next time your HR Admins login. HR Admins will be prompted to enter their phone number, and we’ll send them a code (token) to verify they own the number.
By enforcing 2-Step Verification for all admin and HR staff, this applies to future HR people as well, without having to enable 2-Step Verification for them manually. When the HR Admin permission is enabled, the SMS or App token becomes mandatory.
In addition, you could enforce it for key employee’s accounts as well. At any point you can enable 2-Step Verification for those key people one by one- Just locate them in the company directory and use the admin menu as shown above.
And lastly, you can also allow or enforce everyone to use 2-Step Verification if they like.
Disabling or resetting 2-Step
If an employee changes their phone number, they’ll need to update their 2-Step settings. You can help by going to that person’s profile and clicking the Manage button, then “Password and Security”.
Uncheck the “Enable 2-Step Verification” setting, then re-enable it. Your employee will be asked to enter a new verification phone number when they next log in.