MFA guide for Controllers

This guide is aimed at Controllers to enable them to successfully manage multi-factor authentication (MFA) on their myhrtoolkit account.

How to configure your account

Our MFA is simple to set up and manage on your account. It is designed to be configured by individual users, requiring minimal input from account Controllers.

All users can see the "Multi-factor authentication" link in the Account menu. Full details: Enabling MFA for my account.

If a user needs to temporarily remove or reset MFA on their account, they can do this by following our guide on Disabling MFA for my account.


Managing employee MFA setup

Myhrtoolkit Controllers can see a list of all users and their MFA status via the Manage Live Users section of the Security Centre (Config > Security Centre). The MFA filter at the top of the table allows you to show users who are:

  • Enabled: These users have successfully configured MFA for their account.
  • Disabled: These users have not yet configured MFA for their account, or have disabled it.


Reminding users to enable MFA

In Security Centre (Config > Security Centre) you will find our "Multi-factor authentication reminder" widget. This simple widget allows you to send a reminder email to all users on your account who have yet to enable MFA.


Disabling MFA for users

There are times when you may need to disable MFA for users, such as when an authenticator device is lost or stolen and there is no access to recovery codes.

Controllers are able to disable MFA for individual users from the Manage Live Users panel in Security Centre. For users with MFA enabled, the Actions dropdown menu will include a link to "Disable MFA". After re-authenticating, the user's MFA will be disabled and they will be notified via email.


Audit logs

Any action to enable or disable MFA, or any use of a recovery code, is logged. This log is visible to Controllers in the Security Centre Audit Log.