This article reviews the Authentication tab of the Security & Permissions page. Here, Users can configure the global Multi-Factor Authentication (MFA) settings, as well as MFA requirements by User Role.
- Note: The Authentication tab (MFA) is only available as part of the R365 Professional Package. Contact your CSM or Account Executive to learn how MFA can enhance your R365 experience!
Article Topics
MFA Overview
Multi-Factor Authentication (MFA) adds an additional layer of security that prompts Users to authenticate their logins. Authentication prompts can be required as frequently as every login or as rarely as every 60 days.
When MFA is enabled, all Users have the ability to opt in to MFA for their User Account. Users who opt in to MFA will have the ability to pick any authentication frequency and may opt out at any time.
To meet the security standards of your organization, it may be necessary to force Users with certain access levels to use MFA. Configuring a User Role to require MFA will ensure that any User with that User Role assigned cannot opt out of the authentication process. User Role ‘Require MFA per device’ settings will also define the minimum authentication frequency. Users will then only be able to adjust their own frequency to be more frequent than the User Role minimum.
MFA Methods are the authentication options that Users have to authenticate their logins, including App, Email, Text, and Phone Call. The global 'Available MFA Methods' setting can restrict the MFA Methods to only the methods your organization wants to support.
As each User logs in for the first time after MFA is required for them, they will be prompted to select an MFA Method. The 'Set Up Authentication' process will walk the User through picking an Authentication Method and the configuration steps for it. After initial configuration, the User can manage their MFA Methods by navigating to their own User Record.
- Note: A User's MFA Methods will be view-only for all other Users viewing that User's User Record.
Security
Users with the following Permission will be able to manage MFA settings:
- Administration → System Setup → MFA Admin
Learn more about managing Permissions and Custom User Roles here. The Permission Access report can be used to determine which User Roles or Users already have these Permissions assigned. Learn more about User Setup and Security here.
MFA Methods
When configuring their MFA Methods, Users will only be able to select 'Allowed' MFA Methods. Any MFA Method that is enabled on the 'Authentication' tab will be available to all Users that require MFA.
- Note: With all MFA Methods, message and data rates may apply
MFA Methods
App - Users will receive an authentication request via a mobile app such as Google Authenticator, Microsoft Authenticator, or Twilio.
- Note: This MFA Method cannot be disabled, and will always be available for Users to choose.
Email - Users will receive a verification code sent to the email address entered at the time of configuration
Text/SMS - Users will receive a verification code sent to the mobile phone number entered at the time of configuration
Phone - User will receive a verification code in a phone call to the phone number entered at the time of configuration
User Role Settings
All Users with User Roles that require MFA will be prompted to authenticate their logins. Authentications can be required as frequently as every login and as rarely as every 60 days. The MFA requirement settings are configured by User Role, allowing for multiple levels of MFA security.
If more than one User Role that requires MFA is assigned to a User, the required authentication frequency options will be limited to the most restrictive frequency.
The MFA configurations per User Role can also be viewed (but not adjusted) on the 'Settings' subtab of the User Role tab.
1) Require MFA by default for all new user roles - When enabled, all new Custom User Roles will be set to require MFA by default with a default frequency of 'Log In'.
- When a Custom User Role is created, it will have the MFA Required (#3) setting turned on
- When a Custom User Role is created, it will have the MFA Required (#3) setting turned off
2) User Role - User Role name. All default R365 User Roles and Custom User Roles are listed
3) Users - Number of Users assigned to the User Role
4) MFA Recommended - When a User Role contains one or more sensitive Permissions, a warning icon 
is displayed to indicate that MFA is recommended for that User Role. Sensitive Permissions include:
- View Hourly Pay Rates
- View Salary Pay Rates
- View Salary Job Info
- View PII
- View Pay History
- View Documents
- View Deductions
- View Taxes
- Print Checks
- Print Checks w/Signature
- Print Checks in Payment Runs
- Print Checks w/Signature in Payment Runs
- Print Paychecks
- Print Paychecks w/Signature
- Approve Payment Runs
- Create/Edit/Delete User Roles & Permissions
- View Vendor Tax IDs for Individuals
- View Bank Account Numbers
5) MFA Required - Indicates if Users who are assigned the associated User Role are required to use MFA when logging in
- MFA is required- Note: If MFA is required for this User Role, this setting will not be adjustable at the User level for any User with this User Role.
- Note: If MFA is required for this User Role, this setting will not be adjustable at the User level for any User with this User Role.
- MFA is not required
6) Frequency - The minimum frequency for how often the User must authenticate their login. On User Records for Users with this User Role assigned, this setting will only be adjustable to more restrictive frequencies.
Options include:
- Log In
- Note: This is the most restrictive frequency, and the User will be required to authenticate their login every time they log in, regardless of how long it has been since their last authentication.
- 1 Day
- 5 Days
- 10 Days
- 15 Days
- 30 Days
- 45 Days
- 60 Days