Setting up two-factor authentication for ESS administrators

As part of our ongoing commitment to continuously retain a high level of security within the application, we have introduced the ability to enable Two Factor Authentication (2FA) on ESS Administrator accounts.

Previously, a single Administrator account was configured within the application. Now users can instead designate PayGlobal User Profiles to be able to access ESS as an administrator.

If a User Profile is designated as an ESS Admin, that user will be prompted to register for 2FA by following the steps provided on screen when next signing into ESS. Once 2FA is setup by the user, each time they attempt to sign in they will be asked for their secret code (in addition to their password) - this provides an extra layer of security.

This guide is to help outline some of the changes around Two Factor Authentication for ESS Administrators, as introduced in ESS 5.4.2.0.

To set up a user profile in PayGlobal to access the ESS Admin site

In PayGlobal navigate to Administration > Security > User Profiles and open the record of the User Profile you wish to make an ESS Admin.
Navigate to the Self-Service tab and set ‘Self-Service Admin’ to ‘Yes’.
Save and Close the record.

To sign into ESS Admin for the first time

Navigate to the ESS Admin site (for example: https://localhost/ESS/BaseForm.aspx?_view=AdminLogin.Login)
Enter your Username and Password of the PayGlobal User Profile.
Select the ‘Sign In’ button.
You will be presented with a form to ‘Register for Two-Factor Authentication’. You can proceed in one of two ways:
1. Use an authenticator application on your smartphone (E.g. Google Authenticator) to scan the on screen QR code; or
2. Enter the 16-character code (provided below the QR code) into an authenticator application manually (see documentation for the specific application you are using for more information).
Enter the code that is returned into the field labelled ‘Enter Code’ from step 4 above.
Select the ‘Confirm’ button.
You will now be logged into the ESS Administration site.

To sign into ESS Admin with 2FA already set up

Navigate to the ESS Admin site (for example: https://localhost/ESS/BaseForm.aspx?_view=AdminLogin.Login)
Enter your Username and Password of the PayGlobal User Profile.
Select the ‘Sign In’ button.
You will be presented with a form to ‘Confirm Two-Factor Authentication’. Enter the code from your authenticator application into the field labelled ‘Enter Code’.
Select the ‘Confirm’ button.
You will now be logged into the ESS Administration site.

PayGlobal password requirements

As ESS Administrator accounts are now tied to PayGlobal User Profiles, password complexity and requirements from PayGlobal will now apply to both – with some exceptions.
As per PayGlobal Company settings, the following fields are now respected for ESS Administrator passwords:

‘Minimum password size’
‘Password must change after’
‘Enforce password history’

The following fields on Company Settings do NOT apply to ESS Administrator Passwords:

’Unused login expires after’ - in this case when the conditions are met, PayGlobal will prevent the profile from logging in - however the profile will still be allowed access into ESS Administrator.

The following User Profile settings that restrict access into PayGlobal will also impact ESS Administrator accounts:

‘Termination Date’
‘Must change password’
‘Password never expires’
‘Locked out’
Terminated employee assigned to the User Profile (Details > Employee Code)

The ESS log files will provide further information if you find you cannot log into ESS Administrator as an applicable User Profile.

To reset 2FA for a specific PG user profile

In the case where you need to redo the Two Factor authentication for a specific user profile (i.e. lost access to the code via your authenticator app) you can reset the process via PayGlobal.

In PayGlobal navigate to Administration > Security > User Profiles and open the record of the User Profile.
Navigate to the Self-Service tab and select the ‘Reset’ button next to the ‘Two Factor Authentication’ field (ensure you are in Edit mode). This will change the state from ‘Registered’ to ‘Unregistered’.
Save and Close the record. The next time the user attempts to log into ESS Admin, they will be prompted to setup 2FA again for the first time.

Other items to note

Issuer Field in Config Editor/payglobal.config

There is a new field added to the Config Editor/payglobal.config under ‘Security Settings’ labelled ‘Issuer for Two Factor Authentication’. This is used by some authenticator apps to differentiate different MFA codes stored within the application. By default, this is set to ‘PayGlobal Self-Service' however this can be changed to whatever suits the client.
For example: Google Auth shows "<Issuer> (<User>)" as a label; you can only change the User part within the Google Auth application.
If, in our example, the issuer was left as the default, and the user in question was 'SUPER’, then the app would display “PayGlobal Self-Service (SUPER)”.

Old PayGlobal version and new ESS version

For versions of PayGlobal prior to 4.39 that are using ESS 5.4.2, users will still need to navigate to the new Admin page, however they will be required to log in using the old method (i.e. the admin credentials located in the Config Editor/payglobal.config).

New Help Keys for 2FA Forms

With the introduction of 2FA for the ESS Administrator, the following help keys are now valid for creating the following tooltips and help hints:

AdminLoginForm.username
AdminLoginForm.password
AdminLoginHint
RegistrationForm.authenticationcode
RegistrationHint
ValidationForm.authenticationcode
ValidationHint
AdminChangePasswordHint

These are now part of the BaseConfig (specifically the HelpKeys config), however you may wish to configure these help keys manually under User Interface > Help.