Two-Factor Authentication (2FA)
      Back to home
      1. Checkwriters Knowledge Base
      2. Company Setup
      3. Two-Factor Authentication (2FA)

      Two-Factor Monitoring for Admins (2FA)

      “Admin” users can monitor the status of their employees' Two-Factor Authentication and initiate 2FA overrides.

      What is Two-Factor Authentication (2FA)?
      Monitor 2FA Enrollment
      Override 2FA
        - Levels of Override
            - Security Questions
            - Full Two Factor Bypass
        - After 2FA Override

      What is Two-Factor Authentication (2FA)?

      Two-factor authentication (2FA) is a security measure that requires you to provide two forms of identification to log in. 2FA helps safeguard private information and keep you, your company, and your data safe.

      Best Practice: Users should enroll in multiple 2FA options (for example, Phone AND Authenticator App) to always have a backup option when logging in.

      More Info: Learn more about how to individually Enroll in 2FA and how to Manage Your 2FA Enrollment.

      Monitor 2FA Enrollment

      Users with monitoring access can view the status of and methods used in Two-Factor Authentication. “Admin” users have the additional ability to initiate overrides as needed. Navigate to HR Admin → Security Control Center → Two Factor Monitoring.

      A screenshot of the Two Factor Monitoring page.

      The Two Factor Monitoring page displays several columns of information. This information is automatically sorted alphabetically by employee last name. You can click on any column title to sort by that column.

      • Emp ID: Employee ID number.

      • Name: Displays users' names, organized by last name followed by first name and middle initial.

      • Role Code: Displays user roles. This role determines what permissions the employee is set up with.

      • Status: The status of an employee’s 2FA settings. This will show either Enabled or Disabled.

        • Enabled: The user has at least one form of 2FA enabled.

        • Disabled: The user has not yet logged in to enable 2FA

      • Fob: Indicates whether an employee has Fob 2FA enabled.

      • Phone: Indicates whether an employee has Phone 2FA enabled.

      • App: Indicates whether an employee has Authenticator 2FA enabled.

      • Override Status: “Admin” users can Override an enabled 2FA as needed to allow a user to log in without 2FA verification.

      Override 2FA

      The override function allows “Admin” users to override 2FA if a user is unable to log in using 2FA. This may happen if a user cannot access their phone or Fob Key but still needs to log in.

      Best Practice: To maintain security measures, verify the identity of the user requesting the override before completing the 2FA override. This should be done over the phone or in person.

      When you (an “Admin” user) select Override on an employee’s 2FA, the Security Override confirmation will appear. You must log a reason for the override using the Note field. Select Save to confirm the override.

      A screenshot of the Security Override confirmation. There is a note which reads "Verified user in person. User left their phone at home."

      Best Practice: In the Note field, include how you verified the user’s identity and why the override was needed.

      Levels of Override

      There are two different levels of 2FA override available.

      Security Questions

      • The first level of override.

      • After saving the Security Override note, this override will be applied. The next time the user logs in, they will be prompted to answer security questions before accessing their Checkwriters account. These are based on the questions and answers the user chose when registering their Checkwriters account.

      • The Override Status on the Two Factor Monitoring page will display as “Security Questions” until the user logs in and 2FA is re-enabled.

      A screenshot of the Override Status column, highlighting a line that says "Security Questions".

       

      Full Two Factor Bypass

      • The second level of override.

      • If the security questions are not working for the user, you can initiate a full 2FA override, bypassing both 2FA and Security Questions.

      Best Practice: Verify the requesting user’s identity over the phone or in person again.

      • To initiate a full bypass, select Override on an employee’s 2FA again. Complete the Security Override confirmation and select Save.

      • The Override Status on the Two Factor Monitoring page will display as “Bypass Two Factor” until the user logs in and 2FA is re-enabled.

      A screenshot of the Override Status column, highlighting a line that says "Bypass Two Factor". 

      After 2FA Override

      After the user successfully logs in, 2FA will be automatically re-enabled. If a full bypass was needed, we suggest the user update their security questions. To do this, they can select the company name at the top of any Checkwriters page, then select Change Security Questions.