WhosOff offers a number of ways to help keep your account secure, including implementing a stricter password policy, enforcing MFA (Multi Factor Authentication), locking accounts after incorrect login attempts, and more.
Throughout the article, we'll explore the different options available and how you can set this up on your WhosOff account.
MULTI FACTOR AUTHENTICATION (MFA)
Multi Factor Authentication (MFA) is a common security process that requires 2 or more methods of verification to prove a user's identity when logging into an account or system. In WhosOff you can enable MFA on your account so that when you go to login with your standard WhosOff credentials, a further challenge can either be sent to you via Email or via a dedicated Authenticator app (Google / Microsoft etc.).
Utilising MFA on the account can either be forced, at a company level, or individually opted into by each user.
Forcing MFA at a company level
- Login to your WhosOff account
- Click on Administration on the left hand menu
- Click on Company Settings
- On the resulting page, click on the Security tab
- From here, use the Force MFA? drop-down option and select Yes
- Then click Save Changes
Going forward, each of your users will be sent a One Time Password to the email address registered on their WhosOff account each time they login to the system. They can opt to change this method to Authenticator App if needed, though they will not be able to disable MFA whilst enforced at a company level.
Super Users can choose to individually opt specific users out of the MFA practice, should they need to.
Opting into MFA individually
If MFA is not enforced at a company level, users can choose to opt into this should they wish to at any time within their own WhosOff account.
- Login to your WhosOff account
- Click on your [NAME] in the top right hand corner of the page
- Click on My Details/Settings
- On the resulting page click on Staff Profile (located to the left of the page)
- From here, use the Multi-Factor Authentication (MFA) option and select either Email or Authenticator
You may choose to receive your authentication code by a dedicated authenticator app. Google, Microsoft, and many other sources provide these apps, which can be downloaded to your mobile phone. Once you open your authenticator app, you can follow its process to add a new application - this will involve scanning the QR code generated by WhosOff in your My Details / Settings area.
Please note that if you set up MFA by Authenticator, and then change this choice (either setting MFA to None, or changing to Email authentication), you will need to re-add WhosOff to your authenticator app by scanning the QR code again, should you choose to change back to the Authenticator setting.
Once you have set up WhosOff in your authenticator app, you will see it generate a One Time Password (OTP), which will change every 30 seconds.
Useful to know - You are able to ask the system to resend the email when trying to login with MFA enabled, however you can only initiate 1 email every 10 minutes.
IMPLEMENTING LOGIN/LOCKOUT POLICIES
As standard within WhosOff, each user's password must be at least 8 characters long. Some companies may prefer to enforce a stricter password policy, so you can extend the standard parameters and require all passwords to be at least 12 characters long, including at least 1 alpha, 1 numeric and 1 special character.
This will affect any new users added onto the system, as well as any existing users the next time they try to change their password.
You might also want to limit repeated failed login attempts, to further lock down the WhosOff account. In the system you can choose to implement a lockout policy, whereby after 5 unsuccessful login attempts, the user will be prevented from trying again for 30 minutes, unless unlocked by an account Super User.
- Login to your WhosOff account
- Click on Administration on the left hand menu
- Click on Company Settings
- On the resulting page click on the Security tab
- From here, under Login / Lockout Policies you have 2 options available
- Enforce extended password policy (optional)
- Enforce lockout policy (optional)
These don't have to be activated at the same time; you can choose to enable one, both or neither.
Unlocking users who are locked out
If a user has locked themselves out of their account, due to 5 unsuccessful login attempts, a Super User will be able to unlock their account from within the system itself. They can do this by:
- Login to your WhosOff account
- Click on Administration on the left hand menu
- Click on Manage Staff
- Find and click on the required user's [Name]
- Then click on Profile on the resulting page
- Immediately on screen you will see a notice stating that the user has been locked out due to unsuccessful attempts to login, along with the time they are locked out until.
- You can then click on Unlock Account to re-enable their access straight away.
Useful tip - When unlocking a user's account, you may want to generate a temporary password to help them get back in. Simply click on Generate & Send New Password to do so.
Forgot your password processes will not work when a user's account is locked - they will need to wait until 30 minutes have expired before attempting to reset their password.
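The two optional policies above, modelled as an added example (not WhosOff's own code). The limits of 12 characters, 5 attempts and 30 minutes come from this article; the function names, the definition of a special character and the counter reset on a successful login are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                 # unsuccessful attempts before lockout (from the article)
LOCKOUT = timedelta(minutes=30)  # lockout duration (from the article)

def meets_extended_policy(password: str) -> bool:
    """12+ characters with at least 1 alpha, 1 numeric and 1 special character.
    Assumption: 'special' means anything that is not a letter or digit."""
    return (len(password) >= 12
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)

@dataclass
class Account:
    failures: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

def attempt_login(acct: Account, password_ok: bool, now: datetime) -> str:
    if acct.is_locked(now):
        return "locked"                # refused even when the password is correct
    if acct.locked_until is not None:  # the 30 minutes have passed: fresh count
        acct.failures, acct.locked_until = 0, None
    if password_ok:
        acct.failures = 0              # assumption: success resets the counter
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        return "locked"
    return "failed"

def request_password_reset(acct: Account, now: datetime) -> bool:
    """Forgot-password is refused while the lock is active, as the article states."""
    return not acct.is_locked(now)

def super_user_unlock(acct: Account) -> None:
    """Super User 'Unlock Account': clears the lock straight away."""
    acct.failures, acct.locked_until = 0, None
```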
USING SSO (SINGLE SIGN ON) AND ENFORCING IT
If your company already uses an external SSO (Single Sign On) provider, you can connect it to WhosOff to take complete control over application access. You can even activate FORCE SSO to ensure that users can only login to WhosOff using their SSO credentials.
Further guidance on each provider that you can integrate with WhosOff is provided in separate articles, and can also be found on our website.
To initiate SSO (Single Sign On) in your WhosOff account:
- Login to your WhosOff account
- Click on Administration on the left hand menu
- Click on Company Settings
- On the resulting page click on the Single Sign On tab
- From here you can select the provider you wish to connect to WhosOff and click on Activate SSO
- Proceed to follow the necessary guidance on screen and within your provider itself to finalise the connection.
Platforms: Version 4
Categories: Security & Technical