
2-Step Verification

Updated over 3 weeks ago

You are dealing with very sensitive data, so we want to provide you with options for extra protection. In addition to your regular password, you can enable 2-step verification (also known as two-factor authentication). You add your mobile phone number to Small Improvements, and whenever your account is accessed from a new device, you are asked for a security code that is delivered to your phone by SMS.

About 2-Step Verification

2-Step Verification is a standard mechanism for securing access to vital systems. You can secure your social media account, your blog, and of course PayPal and your online banking with your phone in the same way. Even if an attacker steals your password, they cannot log in from their own computer, because each new device must be confirmed with a code sent by SMS to your phone. The SMS code is a second factor, not a substitute for a strong, unique password.

End user screens

Here’s what it looks like to a user for whom 2-Step Verification has just been enabled (either by HR or by the user themselves). After entering the regular username and password, the user is prompted to enter a mobile phone number. One thing to note: a user who is already logged in has to log out first to see the message below.

Once the number is entered, the next screen asks for the code that is delivered via SMS. After the code is entered, the user is logged in and the device is remembered, so the code is not requested again on that device for 30 days.

Every new device or browser, however, must be authorized again, and this is exactly what keeps attackers out: they may have obtained a user’s password (for example by breaking into another service where the employee reused the same password), but without an authorized device they are stopped at the mobile code screen.
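The login flow described above, written out as server-side logic, as an added example. This is not Small Improvements’ code, whose implementation is not described on this page: the 30-day device memory is taken from the article, while the 5-minute code lifetime, the 5-guess limit, the function names and the in-memory stores standing in for a database and an SMS gateway are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Policy constants. The 30-day device memory is what the article describes;
# the code lifetime and guess limit are assumptions for this example.
OTP_TTL_SECONDS = 5 * 60
OTP_MAX_ATTEMPTS = 5
DEVICE_TTL_SECONDS = 30 * 24 * 3600

# Assumption: a per-deployment secret; in production it lives in a secrets store.
SERVER_KEY = secrets.token_bytes(32)

# Constructed in-memory state standing in for a database and an SMS gateway.
pending_codes = {}   # username -> {"hash": ..., "expires": ..., "attempts": ...}
sent_sms = []        # (phone, message) pairs the "gateway" would have sent


def _hash_code(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_otp(username, phone, now=None):
    """Step 1: after the password check, send a fresh 6-digit code by SMS.

    Only a hash of the code is stored server-side; the clear code is returned
    here solely so the example can be exercised offline.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    pending_codes[username] = {"hash": _hash_code(code),
                               "expires": now + OTP_TTL_SECONDS,
                               "attempts": 0}
    sent_sms.append((phone, f"Your verification code is {code}"))
    return code


def verify_otp(username, submitted, now=None):
    """Step 2: accept the code once, within its lifetime, with a guess limit."""
    now = time.time() if now is None else now
    rec = pending_codes.get(username)
    if rec is None or now > rec["expires"]:
        pending_codes.pop(username, None)   # expired: force a new code
        return False
    rec["attempts"] += 1
    if rec["attempts"] > OTP_MAX_ATTEMPTS:
        pending_codes.pop(username, None)   # too many guesses: force a new code
        return False
    ok = hmac.compare_digest(rec["hash"], _hash_code(submitted))
    if ok:
        pending_codes.pop(username, None)   # single use
    return ok


def issue_device_token(username, now=None):
    """Step 3: mint the 'remembered device' cookie value: user|expiry|HMAC."""
    now = time.time() if now is None else now
    expiry = int(now) + DEVICE_TTL_SECONDS
    payload = f"{username}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{mac}".encode()).decode()


def device_is_trusted(username, token, now=None):
    """On a later login: skip the SMS step only if the cookie is intact and unexpired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        name, expiry, mac = raw.rsplit("|", 2)   # expiry and mac never contain '|'
        expiry = int(expiry)
    except ValueError:   # bad base64, bad UTF-8, wrong field count or non-numeric expiry
        return False
    expected = hmac.new(SERVER_KEY, f"{name}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    return name == username and now < expiry


def second_factor_required(username, device_token, now=None):
    """Decision point after a correct password: remembered device or SMS screen?"""
    return not (device_token and device_is_trusted(username, device_token, now))
```

The remembered-device cookie is only useful if it cannot be forged: the HMAC is keyed with a secret the server alone holds, so an attacker who has the password and guesses the cookie format still lands on the code screen. Because the cookie is stored per browser, a new browser on the same machine also counts as a new device, which is the behaviour the article describes.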

Enable for individual users

The best way to test 2-Step Verification is to try it out on one sample user account, just so you get a feeling for using the option. Simply navigate to any user’s profile in the company directory list (for instance, one user you just created for testing purposes), and click “Password and Security…”.

To locate the Directory, go to Administration > Directory, then open the dropdown for a user:

Alternatively, you can enable 2-Step Verification via the user profile. Click “Manage”:

In the “Password and Security” settings, enable “Require 2-Step Verification”:

Rollout to all employees

Once that works, our recommended rollout option is to enforce it for all admin accounts. Just navigate to Administration > Security, and enable 2-Step Verification there:

Once you save it, it takes effect the next time your HR Admins log in. HR Admins will be prompted to enter their phone number, and we’ll send them a code (token) to verify that they own the number.

Enforcing 2-Step Verification for all admin and HR staff also covers future HR people, without having to enable it for them manually: as soon as the HR Admin permission is granted to an account, SMS confirmation becomes mandatory for it.

In addition, you can enforce it for key employees’ accounts as well. At any point you can enable 2-Step Verification for those people one by one: locate them in the company directory and use the admin menu as shown above.

And lastly, you can allow everyone to opt in to 2-Step Verification, or enforce it for all users.

Resetting 2-step verification

If an employee changes their phone number, their 2-Step settings need to be updated. Either HR or the employee can do this: go to the employee’s profile, click the “Manage” button, then “Password and Security…”:

Clicking “Reset 2-Step Verification” resets the process, so the employee enters their new phone number at their next login. Because a reset removes the second factor until that login, HR should confirm a reset request is genuine (for example by a channel other than email) before acting on it.

If the “Reset 2-Step Verification” button is grayed out, it means that the user has not set up their phone number yet and there is nothing to reset.
