Two-factor authorization is enabled at the password policy level so it can be turned on for only some users. After you generate the necessary Duo Security keys, you can enable two-factor authentication in Dayforce.
To enable two-factor authentication in Dayforce:
- Go to System Admin > Password Policy and click the Two Factor Authentication tab.
- Copy and paste the keys that you generated in Duo into the appropriate fields:
- Note: The keys shown below are samples only.
-
- Adding these keys integrates Dayforce with the organization's Duo account. This task only needs to be performed once.
- Click Test keys to validate the keys.
- Select Enable DUO Universal Prompt for a more simplified and modern authentication experience. For more information on Duo's universal prompt, see the following URL: https://guide.duo.com/universal-enrollment.
- Important: Selecting this checkbox ensures the DUO service is not interrupted as the provider transitions to its latest functionality and begins deprecating older screens.
- Click Save.
- Click the Password Policy tab.
- Select the password policy you want to enable two-factor authentication for.
- In the Two Factor Authentication section, select the Require Two Factors checkbox.
- In the same section, select one of the following options in the Two Factor Failure Mode drop-down list:
- Select the Open option and, in the rare case where the TFA provider isn’t accessible, users will still be able to login with just their user name and password.
- Select Closed option and if the provider isn’t accessible, users will not be able to log in until the provider becomes accessible again.
- Note: To control network traffic, Dayforce pings Duo once every five minutes and then caches that result. This means a five-minute lag could occur before Dayforce knowing that Duo's availability has changed. If Duo becomes unavailable after a successful ping but before verifying a user's device, the user will be unable to log in as if the Closed option were selected.
- Click Save.