Setting Up MFA for Employee Portal

These instructions outline how to set up multi‑factor authentication (MFA) for Employee Portal (EP). MFA applies to each device and browser used to access EP.

Before You Begin

Before you begin using MFA with EP, you must first ensure that each user has a primary email address associated with their account. Although PrismHR accepts both personal and work email for every user, MFA requires that either the personal or work email is designated in the system as the primary email. For MFA with short message service (SMS), users must have a cell phone number in the system.

To determine if users have a primary email, run the User Report (available from the Reports menu in PrismHR). To determine if users have a cell phone number, run the Employee Contact Information Report (available from the Reports menu in PrismHR).

The User Report lists the primary email of every user.

The Employee Contact Information Report lists the cell phone number of every user.

If the Email Address field is blank on the User Report, the user has no primary email. This is true even if the user has provided a work or personal email (or both) in the system.

To select a primary email and enter a cell phone number for a user:

1. On the Employee Details form, click the Address tab.

2. Enter a Cell Phone number for SMS.
3. In the Work Email or Personal Email field, select the Primary option.
4. Click Save.
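
The prerequisite check described above can be run across both reports at once before MFA is enabled. The following is an added example, not part of PrismHR or its documentation. It assumes both reports have been exported to CSV and share a "User ID" column, and that the cell number column is named "Cell Phone". Only the "Email Address" field name comes from this page. The sample data is constructed.

```python
import csv
import io
import re

# Constructed sample exports. Column names other than "Email Address" are
# assumptions; adjust them to match the files your reports produce.
USER_REPORT_CSV = """User ID,Email Address
jdoe,jdoe@example.com
asmith,
bwong,bwong@example.com
clee,
"""

CONTACT_REPORT_CSV = """User ID,Cell Phone
jdoe,(555) 010-0101
asmith,555-010-0102
bwong,
"""

def _rows(text):
    """Parse CSV text into a dict keyed by User ID with stripped values."""
    reader = csv.DictReader(io.StringIO(text))
    return {r["User ID"].strip(): {k: (v or "").strip() for k, v in r.items()}
            for r in reader}

def mfa_readiness(user_csv, contact_csv, sms_enabled=True):
    """Return users who cannot receive an MFA code by email or by SMS."""
    users = _rows(user_csv)
    contacts = _rows(contact_csv)
    no_email, no_sms = [], []
    for uid, row in users.items():
        # A blank Email Address means no primary email is designated,
        # even if a work or personal address exists on the employee record.
        if not row.get("Email Address"):
            no_email.append(uid)
        if sms_enabled:
            phone = contacts.get(uid, {}).get("Cell Phone", "")
            # Count digits only; 10 is an assumed minimum for a usable number.
            if len(re.sub(r"\D", "", phone)) < 10:
                no_sms.append(uid)
    return {"no_primary_email": sorted(no_email), "no_cell_phone": sorted(no_sms)}

if __name__ == "__main__":
    for issue, ids in mfa_readiness(USER_REPORT_CSV, CONTACT_REPORT_CSV).items():
        print(f"{issue}: {', '.join(ids) or 'none'}")
```

Users listed under no_primary_email cannot receive an emailed code at all, so correct those records first. Users listed under no_cell_phone matter only if SMS is enabled as an allowed method.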

Email Template and Email Service for MFA

Multi-factor authentication requires your organization to set up a message template and associate it with the MFA passcode email service.

To create the message template:

1. Click Back Office.
2. From System|Change, select Message Templates. The Message Templates form opens.
3. Complete the following:

Use this option: To define this

Message ID: A message ID for the template. For example, MFA.
Description: A description of the template. For example, MFA Template.
Content Type: TEXT or HTML.
Subject: A subject line for emails using the template.
Body: The body of the message. Be sure to include the <<KEY>> substitution variable in the message. This is what the user enters when they log in with multi‑factor authentication.

4. Click Save.

To associate the message template with the MFA passcode email service:

1. Click Back Office.
2. From System|Change, select System Parameters. The System Parameters form opens.
3. In the Action Menu, select Email Services. The Email Services form opens.

4. In sMFA Email, enter an email address that recipients will see when they receive an email for multi‑factor authentication. This does not need to be an actual, monitored email account. However, you can use a monitored account to enable users to communicate if they have a problem.
5. In the table, create a new line.
6. From the Template Type list, select MFA Passcode.
7. In the Template column, enter the ID of the template you created. The Description displays.
8. Click Save. The System Parameters form displays.
9. Click Save.

System-Level MFA

As a service provider, you must enable MFA for EP independently from the MFA settings for PrismHR. MFA for EP is not automatically enabled.

At the system level, MFA for EP affects all managers and employees at all worksites. However, client‑level and user‑level settings can override system-level settings. The MFA device expiration period applies to all levels of authentication.

1. In PrismHR, click Back Office.
2. From System|Change, select System Parameters. The System Parameters form opens.
3. In the Action Menu, select Authentication Services. The Authentication Services form opens.

4. Select an option for the sMFA Device Expiration for Employee Portal period.

After the number of days specified, EP users are prompted to request an authorization.

5. In sMFA Security Code Access, select from the Allowed sMFA Methods:
   Email: enabled by default and cannot be removed.
   SMS: select this option to enable MFA with SMS in addition to email.

Note:  SMS security code access is only available at the system level. The SMS update applies to both PrismHR and EP.

6. Click Save. The System Parameters form displays.
7. Click Save.

If you enable this option, all users who access EP must re‑authenticate their access after the specified time interval for each device they use. The system prompts them to request an authentication code, which it sends to the email address associated with their EP user account. Then the user can enter the authentication code to regain access to EP.

Client-Level MFA

Enabling MFA at the client level affects all managers and employees of the client. However, user‑level settings can override client‑level settings.

Note:  If a user works for multiple clients and at least one of those clients has enabled MFA, the user is prompted for MFA. This is the system default, unless MFA is explicitly disabled at the user level.

1. In PrismHR, select the client for whom you want to enable MFA.
2. Click the CLIENT menu.
3. From Client|Change, select Client Details. The Client Details form opens.
4. In the Action Menu, select Security. The Client Security form opens.

5. In the Access panel, select an option for MFA Device Expiration for Employee Portal for this client.

If you enable this option, all users associated with this client who access EP must re‑authenticate their access after the specified time interval for each device they use. The system prompts them to request an authentication code, which it sends to the email address associated with their user account. Then the user can enter the authentication code to regain access to EP.

6. Click Accept. The Client Details form displays.
7. Click Save.

User-Level MFA

Enabling MFA at the user level affects each specified user only. Note that MFA settings for EP do not apply to single sign-on (SSO) integrations. If an SSO user is logged in to PrismHR and selects the My Employee Portal option, the user is not prompted for MFA, even if it is enabled for that user.

Note:  At the user level, MFA settings apply to both PrismHR and EP.

1. In PrismHR, click Back Office.
2. From System|Change, select Users. The Users form opens.

3. Enter the User ID for the manager or employee.
4. In the Status panel, select an option for sMFA Device Expiration for this user.

If you enable this option, this user must re‑authenticate their access after the specified time interval for each device they use. The system prompts them to request an authentication code, which it sends to the email address associated with their user account. Then the user can enter the authentication code to regain access to the system.

5. Click Save.