Multi-factor authentication (MFA) is an authentication method that requires the user to provide two forms of identity verification before logging in: what the user knows, such as a password, and what the user has, such as a smartphone, cell or landline phone, or email.
Key Takeaways
- Learn what MFA is and how it's used
- How to log in using MFA
- Alerting staff and talent to new MFA
- How the Talent MFA Opt-In setting works
- Requesting MFA for your environment
For directions to log in to AviontéBOLD with MFA, see Log in to AviontéBOLD with MFA.
What is MFA?
Multi-factor authentication (MFA) requires two forms of identity verification before granting access: what the user knows (a password) and what the user has (a smartphone, phone, or email). MFA is not the same as Single-Sign-On (SSO) — it does not connect authentication between multiple applications.
MFA is sometimes also referred to as Two-Factor Authentication (2FA). It is a response to increased demand for higher security within and across organizations.
What is Single-Sign-On (SSO)?
Single-Sign-On is an authentication method that allows users to sign in using one set of credentials to access multiple independent participating applications. With SSO, users can access all needed applications without signing in to each one separately.
What is the difference between MFA for login and MFA for email?
The MFA functionality covered in this article applies to logging in to AviontéBOLD. It is not related to email MFA.
Why is MFA important?
Passwords alone are no longer sufficient. From credential spraying and phishing attacks to more sophisticated threats like spear-phishing and pharming, hackers have developed many methods of gaining unauthorized access. Microsoft engineers have reported that 99.9% of account compromise incidents they handle could have been blocked with MFA.
Additionally, many cyber insurance policies require MFA to be enabled for internal systems at a minimum.
What user types can I enable MFA for?
- HCM Users — Subscribed Avionté users
- Talent — Talent/Applicants
- Managers — Time approvers
MFA can be configured for any combination of these user types, or all of them.
Am I required by Avionté to enable MFA?
No, not at this time. However, enabling MFA for HCM users is recommended as a best practice. This feature is currently only available in AviontéBOLD.
Does my talent need to complete MFA when they log in?
It depends on how your organization has configured MFA for talent. There are two settings that control this behavior:
- Talent User MFA (enforced): When enabled, all talent users are required to complete MFA at login. This is the existing enforcement option.
- Talent MFA Opt-In: When enabled, talent users are prompted to enroll in MFA at each login, but can choose to skip. Talent who do not enroll lose access to sensitive areas of the talent portal, including Direct Deposit information, Personal information, Pay History, Documents, and Tax information and forms. The prompt appears at every login until the talent user enrolls.
If neither setting is enabled, MFA for talent is not active and talent users log in without an MFA requirement.
For full setup and usage details, see Log in to AviontéBOLD with MFA.
What are the various methods of MFA?
Text message and email MFA codes are currently supported at the time of login for HCM users. Talent users enrolling through the Talent MFA Opt-In setting can receive their verification code via text message or voice call.
Will I have to enter a code each time I log in?
BOLD MFA can remember a device for up to 30 days. After the first authentication, a new code is only required if the user forgets their password or after 30 days have passed. This works similarly to Microsoft Office, Google Workspace, Amazon, and other platforms.
MFA for Classic does not have this option — authenticated users must enter a code every time they log in.
How will this work for kiosks or shared computers?
The best practice for shared computers is to log out rather than simply closing the page. Additional browser settings that clear known devices and authentications are also recommended. Users are automatically logged out when they close their browser window, which protects their account if another user attempts to access it.
Will my employees need to use a smartphone?
No. While text messages are the primary MFA method, voice calls and email are also supported. The voice call option works with landlines — the system will audibly read a code to the receiver. The email option sends authentication codes to the user's email address.
Should I alert my staff?
Yes, if you decide to activate MFA for your organization. It is your responsibility to educate your staff on how their login experience will change. The article Log in to AviontéBOLD with MFA is a helpful resource to share.
In particular, staff should know that the login screen will change for all users once MFA is activated — regardless of whether that user type is part of the MFA protocol. [Screenshot: the updated login screen]
What occurs when a user loses their device or email associated with MFA?
Create a Zendesk support ticket with "Reset MFA method" in the subject line and contact the Avionté support team to reset the user's MFA. A new phone number or email address will be required if MFA was previously enabled on the lost device or account.
For instructions on creating a support ticket, see Create and View tickets with AVI in BOLD.
What is the timeout?
MFA codes expire after 5 minutes. If a code times out, a new one can be requested. See Log in to AviontéBOLD with MFA for further instructions.
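The two lifetimes this article states (a 5-minute code expiry and a 30-day remembered device, with a fresh code required after a password reset) map onto a small server-side state machine. The following is an added illustration written for this page, not Avionté's code, and it says nothing about how AviontéBOLD is built internally: the class and function names, the in-memory store, the single-use rule and the attempt limit are all assumptions chosen to show how a defender would normally enforce those lifetimes.

```python
"""Illustrative one-time-code MFA flow with a 5-minute code lifetime and a
30-day "remember this device" window.  Added example, not the product's code;
MfaService, FakeClock and demo_flow are assumed names, and the dict-backed
store stands in for whatever a real deployment would use."""
import hmac
import secrets
from datetime import datetime, timedelta, timezone

CODE_LIFETIME = timedelta(minutes=5)        # FAQ: codes expire after 5 minutes
DEVICE_TRUST_LIFETIME = timedelta(days=30)  # FAQ: device remembered for up to 30 days
MAX_ATTEMPTS = 5                            # assumption: discard a code after repeated wrong guesses


class MfaService:
    def __init__(self, now=None):
        # Injectable clock so expiry can be exercised without waiting.
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._pending = {}   # user -> [code, expires_at, failed_attempts]
        self._trusted = {}   # device token -> (user, expires_at)

    def issue_code(self, user):
        """Create a fresh 6-digit code; a real system sends it by SMS, voice or email."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [code, self._now() + CODE_LIFETIME, 0]
        return code

    def verify_code(self, user, submitted, remember_device=False):
        """Return (accepted, device_token).  Codes are single-use, time-limited
        and attempt-limited; the token is only minted when the user asks to be remembered."""
        entry = self._pending.get(user)
        if entry is None:
            return False, None
        code, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # stale or exhausted: user must request a new code
            return False, None
        if not hmac.compare_digest(code, submitted):
            entry[2] += 1                    # count the miss without leaking timing
            return False, None
        del self._pending[user]              # accepted codes cannot be replayed
        token = None
        if remember_device:
            token = secrets.token_urlsafe(32)
            self._trusted[token] = (user, self._now() + DEVICE_TRUST_LIFETIME)
        return True, token

    def device_is_trusted(self, user, token):
        """True only while the 30-day window is open and the token belongs to this user."""
        record = self._trusted.get(token)
        if record is None:
            return False
        owner, expires_at = record
        if self._now() > expires_at:
            del self._trusted[token]
            return False
        return owner == user

    def revoke_device_trust(self, user):
        """Drop every remembered device for the user, e.g. after a password reset."""
        for tok in [t for t, (u, _) in self._trusted.items() if u == user]:
            del self._trusted[tok]


class FakeClock:
    """Deterministic clock for the offline walkthrough below."""
    def __init__(self, start):
        self.now = start

    def advance(self, delta):
        self.now += delta

    def __call__(self):
        return self.now


def demo_flow():
    """Walk one user through the lifecycle; every value in the result should be True."""
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))   # constructed start time
    svc = MfaService(now=clock)
    results = {}
    code = svc.issue_code("alice")
    wrong = ("1" if code[0] != "1" else "2") + code[1:]             # guaranteed mismatch
    results["wrong_code_rejected"] = not svc.verify_code("alice", wrong)[0]
    ok, token = svc.verify_code("alice", code, remember_device=True)
    results["right_code_accepted"] = ok
    results["replay_rejected"] = not svc.verify_code("alice", code)[0]
    results["device_trusted"] = svc.device_is_trusted("alice", token)
    results["other_user_not_trusted"] = not svc.device_is_trusted("bob", token)
    clock.advance(timedelta(days=31))
    results["trust_expired_after_30_days"] = not svc.device_is_trusted("alice", token)
    code = svc.issue_code("alice")
    clock.advance(timedelta(minutes=6))
    results["stale_code_rejected_after_5_minutes"] = not svc.verify_code("alice", code)[0]
    code = svc.issue_code("alice")
    ok, token = svc.verify_code("alice", code, remember_device=True)
    svc.revoke_device_trust("alice")
    results["trust_revoked_on_reset"] = ok and not svc.device_is_trusted("alice", token)
    return results


if __name__ == "__main__":
    for check, passed in demo_flow().items():
        print(f"{check}: {'ok' if passed else 'FAILED'}")
```

The points worth carrying into any real deployment are the ones the FAQ's numbers imply but do not spell out: a code is consumed the moment it is accepted, a device token is bound to the user who earned it and dies with the 30-day window, and a password reset clears remembered devices so the "enter a code only every 30 days" convenience cannot outlive a credential change.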
What is the impact for clients using custom logins?
Custom branding is currently not available when MFA is activated. A solution that preserves custom branding after MFA activation is in development.
How can I request MFA?
The process depends on which MFA configuration you need:
- Talent MFA Opt-In: Contact Avionté to have this setting enabled for your environment.
- All other MFA configurations (HCM Users, Managers, enforced Talent MFA): Create a Zendesk ticket with the subject "MFA Activation" and include the role(s) you would like MFA activated for (All, HCM Users, Managers, Talent) and the date you would like the service activated, if you need more than the standard 2-day turnaround.
For instructions on creating a ticket, see Create and View tickets with AVI in BOLD.
What about self-hosted customers?
Avionté MFA is not available for self-hosted customers. Self-hosted customers who want MFA can implement their own solution, as they own and manage their enterprise infrastructure.