The key pillars of an application security strategy to overcome the unprecedented challenges you may be facing include:
- Authentication—defining who can access systems
- Authorization—defining how users can access systems
- Access Control—defining what users can do after accessing
- Auditing—verifying users are doing what they are expected throughout the process
To achieve a solid security foundation in Workday, security administrators should review their Workday authentication policy to confirm which groups and networks are currently supported and identify any opportunities to extend the Workday Authentication Policy.
Security admins should also review attempted sign-ons into the system to determine whether employees are running into gaps or problems when they try to access Workday outside of their usual access methods. Additionally, security administrators should consider enabling Workday’s additional security features such as Security Emails, Trusted Device, and Multi-factor Authentication (MFA) solutions.
Authentication policies
Authentication policies determine how users can access your Workday tenant, either by blocking networks or by establishing rules that determine how users sign in. Workday’s authentication policy allows you to define, for each security group, the IP addresses from which its members are expected to connect and the authentication methods they are allowed to use to access the Workday tenant.
Key Supported Authentication Methods
| Authentication Method | Type | Consideration |
| --- | --- | --- |
| Username and Password | Workday Native | Can support self-service password resets |
| SAML for SSO | Federated | Most common protocol for SSO solutions |
| OpenID Connect | Federated | Use Google to authenticate users into Workday |
Supported Multi-factor Authentication Factors
| MFA Option | Relative Effort | Consideration |
| --- | --- | --- |
| Challenge Questions | Medium | Not exactly a second factor, but intuitive enough for users to set up and use in Workday |
| SMS One-time Passcode | High | Requires setup and user phone data |
| Email One-time Passcode | Low | Requires security emails to be enabled |
| Authenticator App | Low | Uses an industry standard (TOTP) that is widely supported by available authenticator apps |
Note: As of Workday 2020 R1, MFA solutions are available on Federated authentication methods.
Access restrictions
In addition to controlling how an employee signs into Workday, you may also leverage Access Restrictions to control what users can do after they’ve signed in. The access restriction is applied based on the authentication rule configured, so it can be used to allow regular access while on a known trusted network and restrict to self-service when off-network.
This feature is great for people with elevated permissions to allow them to access self-service while restricting sensitive administrative activity.
Some examples of the possible restrictions include:
- Sensitive information (whether it needs to be viewed and/or transacted upon)
- Certain transactions, such as payment elections or tax elections where the unmasked Social Security Number (SSN) is viewable
- Phone numbers, addresses, dependents and beneficiaries
- Any non-applicable data and transactions for former employees or other groups of employees
Access from personal or mobile devices
Employees may require the flexibility to access the system from multiple devices from day to day, so the policy you design should permit Workday for Mobile. The ability to use the Workday mobile app is controllable via Domain Policies for Workday’s Android and iOS apps.
Workday approaches security with a ‘unified’ model and applies it across all platforms. It is completely independent of device types, so the user will be consistently granted or denied access to functionality regardless of which type of device they are on. Since access is provided based on this security policy, it is consistent across all platforms, including desktop. Some tasks might not be available on the mobile app per the List Task Available on Mobile report.
Access to Workday’s mobile application can be restricted for a user when they log in from outside a whitelisted network. This restriction applies to all devices; access cannot be limited by device type (e.g. restricting the Workday mobile app but not desktop when off-network).
Additionally, Workday provides the ability to leverage your organization’s Mobile Device Management (MDM) solution to apply more granular authentication rules within the authentication policy.
For more information on Workday for Mobile, check out our article here.
Other security items for review
Workday provides additional security features related to the behavior of the tenant that aid in refining the experience and providing granular control over security features. These include:
- Using activity audit reports to better understand user behaviors
- Enabling an authenticator selector to provide specific sign-on experiences
- Allowing security emails to be generated when users log in from new devices
See below for more details on other security items.
Auditing Sign-ons and Attempted sign-ons
Sign-Ons and Attempted Sign-Ons is a Workday-delivered report that provides key details on user access attempts. It gives a detailed snapshot of the time of each attempt, the user’s source IP address, the authentication method tried, what (if any) problems occurred during the sign-on, and which access restrictions were applied to a successful sign-on.
This report can be further customized by copying and updating it. Additionally, for report writers, the sign-on details are available through the Workday Account business object, enabling worker-level reporting to analyze sign-ons across the organization and to see when each worker last signed in and from where.
Workday also offers the ability to view detailed audits in the system, providing deeper insights into user activity through the View User Activity report.
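The report fields described above (time, source IP, authentication method, failure, access restriction) are what Alight's recommendation to analyze failed sign-ons and off-network attempts works from. The following is an added example, not part of the original article or of Workday: it reads a constructed CSV export of the Sign-Ons and Attempted Sign-Ons report (the column names are assumptions) and flags users with repeated failures plus the off-network sources involved.

```python
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Constructed sample export of a Sign-Ons and Attempted Sign-Ons report.
# Column names are assumptions modelled on the fields the report provides.
SAMPLE_SIGNONS = """\
timestamp,user,source_ip,auth_method,failed,failure_reason,access_restriction
2020-04-01T08:01:12Z,jdoe,10.20.30.41,SAML,false,,None
2020-04-01T08:05:44Z,jdoe,198.51.100.23,Username and Password,true,Invalid password,
2020-04-01T08:06:02Z,jdoe,198.51.100.23,Username and Password,true,Invalid password,
2020-04-01T08:06:30Z,jdoe,198.51.100.23,Username and Password,true,Invalid password,
2020-04-01T08:07:10Z,asmith,203.0.113.9,Username and Password,true,Invalid password,
2020-04-01T09:15:00Z,asmith,10.20.30.77,SAML,false,,None
2020-04-01T09:20:00Z,bwong,203.0.113.9,Username and Password,false,,Self-Service Only
"""

# Corporate ("on network") ranges trusted by the authentication policy; constructed.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

def is_on_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def analyze_signons(csv_text, failure_threshold=3):
    """Per-user failure counts, users at/over the threshold, off-network IPs
    that produced failures, and off-network successes with their restriction."""
    failures_by_user = Counter()
    off_network_failures = defaultdict(set)
    off_network_success = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        failed = row["failed"].lower() == "true"
        on_net = is_on_network(row["source_ip"])
        if failed:
            failures_by_user[row["user"]] += 1
            if not on_net:
                off_network_failures[row["source_ip"]].add(row["user"])
        elif not on_net:
            off_network_success.append((row["user"], row["source_ip"], row["access_restriction"]))
    flagged = sorted(u for u, n in failures_by_user.items() if n >= failure_threshold)
    return {
        "failures_by_user": dict(failures_by_user),
        "flagged_users": flagged,
        "off_network_failure_sources": {ip: sorted(u) for ip, u in off_network_failures.items()},
        "off_network_success": off_network_success,
    }

if __name__ == "__main__":
    print(analyze_signons(SAMPLE_SIGNONS))
```

Off-network successes are reported with the access restriction the policy applied, so a successful off-network sign-on that received no restriction stands out immediately.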
Tenant Setup - Security
The Tenant Setup – Security page defines a broad array of security-related options, including the configuration for self-service Password Resets as well as the SAML, OpenID Connect and Multi-factor Authentication settings.
| Security Item | Description |
| --- | --- |
| Enable Security Emails | Allows notifications to be generated when account security changes are made, notifying users at their work or home email. |
| Enable Forgotten Password Reset | Provides the ability for users to reset their password with Challenge Questions or by a one-time-use link emailed to their work or home email. |
| Login Redirect and Authentication Selector | Provides the ability for organizations to offer different sign-on routes and methods. This is often used to support diverse user populations that have varying authentication methods. |
| Mobile Authentication | Enables use of biometrics and a mobile PIN on the mobile app for greater convenience when users access Workday from the mobile apps. |
| Trusted Device | Enables employees to designate a device as trusted. Whenever a new “untrusted” device signs in for a given user, the user receives a notification indicating that a new device has signed in. |
| Multi-factor Authentication Settings | Settings to designate the supported MFA solutions that can be combined with native authentication as well as federated (SSO) authentication. |
Workday's authentication recommendations
Whether employees use your company’s SSO or Workday’s native credentials, Workday recommends all clients use a Multi-factor Authentication approach across the board.
From a design perspective, Workday encourages designing the rules so that they are evaluated in decreasing levels of restriction, with a default rule that applies to any user not falling into the other defined rules. The default rule helps ensure that a minimum company-wide restriction is in place for any users not covered by the rules defined for specific security groups.
Alight's POV
In the face of these unprecedented conditions, we recommend the following:
- Familiarize yourself with the Sign-Ons and Attempted Sign-Ons report and perform analysis to understand failed sign-ons by users as well as attempted sign-ons from potentially malicious sources.
- Every user should be subject to a Multi-factor Authentication (MFA) solution or, at minimum, IP-restricted to harden access methods.
- If your organization does not have an MFA solution applied, we recommend using Workday’s Authenticator App option as the MFA method, due to its ease of setup and use for users compared to all other MFA methods.
- We recommend enabling security emails to ensure users receive relevant security notifications from Workday regarding their account.
- Employees now have even more of a need to review their information online and receive the latest information from their organization. Leveraging access restrictions will help enable self-service while limiting access to sensitive tasks. You may also consider using Workday’s “Stepped Up Authentication” feature to satisfy stricter information security requirements by forcing re-authentication when a user attempts to access protected data or tasks within the Workday system.
The recommendations below highlight some configuration approaches in the Workday Authentication Policy:
On/Off network recommendations
Access Restrictions (These recommendations apply to all device types)
| User | Allow only On Network | Allow on Both On/Off Network | Comments |
| --- | --- | --- | --- |
| Employees | Export to PDF/Excel; Check In/Out; Inbox Approval; Payment Elections | Attachment Download (Limited); Inbox Complete Actions/To Dos | Unless Multi-factor Authentication is in place, Payment Elections should only be allowed to change when on the corporate network. Check In/Out should not have Off Network access unless there is a specific business reason. |
| Manager | Attachment Download (Limited); Check In/Out; Export to PDF/Excel; Payment Elections | Inbox Approval; Inbox Complete Actions/To Dos | Managers should not be allowed to download data related to the employees they support. |
| Administrators | Attachment Download (Limited); Check In/Out; Export to PDF/Excel; Inbox Approval; Inbox Complete Actions/To Dos; Payment Elections | (none) | Administrators and HR roles should not have Off Network access unless there is a specific business reason. |
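To make the rule-ordering guidance (most restrictive first, a default rule last) and the on/off-network table above concrete, here is an added example that is not part of the original article and is not Workday's configuration format: a small model of an authentication policy in which the first rule whose security group matches a user wins, on-network users get full access, and off-network users are limited to the tasks the table allows, with Payment Elections unlocked off network only when MFA was passed, as the table's comment requires. Group names are taken from the table; networks and rule names are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the article's on/off-network table: tasks each role may
# run only from the corporate network. Not Workday's own configuration format.
ON_NETWORK_ONLY = {
    "Employees": {"Export to PDF/Excel", "Check In/Out", "Inbox Approval", "Payment Elections"},
    "Manager": {"Attachment Download (Limited)", "Check In/Out", "Export to PDF/Excel",
                "Payment Elections"},
    "Administrators": {"Attachment Download (Limited)", "Check In/Out", "Export to PDF/Excel",
                       "Inbox Approval", "Inbox Complete Actions/To Dos", "Payment Elections"},
}
# Per the table's comment, Payment Elections may change off network only with MFA.
MFA_UNLOCKS_OFF_NETWORK = {"Payment Elections"}

@dataclass
class Rule:
    name: str
    groups: frozenset          # security groups the rule covers; empty = default rule
    trusted_networks: tuple    # ipaddress networks counted as "on network"

def first_matching_rule(rules, user_groups):
    """First rule whose group matches wins; a group-less default rule catches the rest."""
    for rule in rules:
        if not rule.groups or rule.groups & user_groups:
            return rule
    return None

def evaluate_access(rules, user_groups, source_ip, task, mfa_passed=False):
    """Return (allowed, reason) for one task attempt under the matched rule."""
    rule = first_matching_rule(rules, user_groups)
    if rule is None:
        return False, "no rule matched and no default rule is defined"
    addr = ipaddress.ip_address(source_ip)
    if any(addr in net for net in rule.trusted_networks):
        return True, f"{rule.name}: on network, full access"
    restricted = set().union(*(ON_NETWORK_ONLY.get(g, set()) for g in user_groups))
    if task in restricted and not (mfa_passed and task in MFA_UNLOCKS_OFF_NETWORK):
        return False, f"{rule.name}: off network, '{task}' is restricted"
    return True, f"{rule.name}: off network, self-service access"

def default_rule_is_last(rules):
    """Design check from the article: exactly one default rule, evaluated last."""
    defaults = [i for i, r in enumerate(rules) if not r.groups]
    return len(defaults) == 1 and defaults[0] == len(rules) - 1

CORP = (ipaddress.ip_network("10.20.30.0/24"),)   # constructed corporate range
POLICY = [
    Rule("Admins", frozenset({"Administrators"}), CORP),
    Rule("Managers", frozenset({"Manager"}), CORP),
    Rule("Everyone else", frozenset(), CORP),
]
```

Running `default_rule_is_last` against a policy before publishing it catches the two ordering mistakes the article warns about: no default rule at all, or a default rule placed early enough to shadow the more restrictive group rules.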