Protecting account access
UKG is enhancing password requirements for all UKG solutions and requiring mandatory multifactor authentication (MFA) on all user accounts. The most common cyberattacks often involve a cybercriminal obtaining a user’s credentials to gain access to privileged accounts and sensitive data. Our enhanced password and MFA requirements are designed to protect against that occurring and provide users with a more secure experience.

Helping you prepare for change
To help you prepare for these changes, and when and how they may impact your organization, we’ve created the following resources to answer common questions and to guide you through the steps for success.
What is multifactor authentication (MFA)?
It’s likely you’re already relying on MFA while logging in to other applications you routinely use, such as your online banking apps, social media, online shopping, and more.
MFA is a security protocol that requires more than one method of authentication to verify a user’s identity. For example, MFA requires something you know (like your login credentials) plus something you have (like a unique token or one-time identification code) prior to granting access. The goal of MFA is to create additional layers of validation to prevent unauthorized users from accessing important information. Think of MFA as an extra lock on your door. You have security with the first lock (password), but the second lock (MFA) provides that extra level of security.
MFA is a valuable security tool. Paired with your organization’s own security protocols and IT policies, MFA protects an individual end-user from unauthorized account access in the event their username or password is stolen or compromised.
Note: If you are a UKG TeleStaff or UKG Workforce Central customer and host the solution within your organization (on-premise), neither the MFA nor the password requirements apply to you.
My organization uses Single Sign-On (SSO). Do these updates impact me?
No. If your organization is using SSO, these enhancements will not impact you. However, we strongly encourage you to configure MFA as part of your SSO solution. If you have a mix of employees who log in using SSO and others who do not, only the non-SSO users will be required to use MFA.
What are the minimum requirements for the new passwords and MFA?
Please closely review the MFA and password requirements on this page for specific guidelines that might apply to your specific role and/or UKG solution.
What is the start date for my organization to start complying with these changes?
Both the password and MFA policies will be enforced by UKG. The exact date by which you must comply with these changes will be communicated through your release readiness process. Keep in mind, the release schedule you will follow for these updates is determined by your first point of access to UKG, your “front door.”
Would I be able to modify the password policy and/or create different password policies for different users?
Yes, so long as the minimum requirements outlined by UKG are maintained.
Note: If you are using UKG Pro® as your main point of solution access, then you will only be able to modify the minimum and maximum password length for your organization, as long as it falls within the outlined requirements.
What forms of MFA can my organization use?
Today, UKG users can authenticate their identity within their UKG solution via text, email, authenticator app (soft token), or voice using any phone number or email address. Once the updates are applied to your UKG solution, you can offer your employees the following options to authenticate.
Note: The availability of each authentication option may vary by solution, so please review the solution-specific information below.
If your organization uses more than one UKG solution, the MFA approach used to access your UKG solutions will be based on how you log in to UKG (i.e., the “front door”). For example, if a user signs into UKG Pro to access their UKG Pro Workforce Management solution (or UKG Pro Time and Scheduling), then the user will use the MFA options for UKG Pro.
| Solution | MFA Option(s) |
|---|---|
| UKG Dimensions® | Email, text (opt-in), authenticator app |
| All UKG Pro® solutions | Email, text, voice |
| UKG Pro Workforce Management® | Email, text, voice |
| UKG Pro Time and Scheduling® | Email, text, voice |
| UKG Ready® | Email, text, voice, authenticator app |
| UKG TeleStaff™ | Authenticator app and email |
| UKG Workforce Central on the Kronos Private Cloud | Authenticator app and email |
| EverythingBenefits | Google Authenticator™ |
Do I need to do anything about my data collection devices (non-mobile)?
Please refer to our Knowledgebase article for more information on data collection.
Note: You will need to be logged into the UKG Kronos Community to access this information.
What are the new requirements?
Password Requirements
| Requirement | Value |
|---|---|
| Minimum length | 15 characters |
| Maximum length | 64 characters |
| First login | Within 30 days |
| Complexity | Any three character sets (uppercase, lowercase, number, symbols) |
| Maximum password age | 180 days |
| Minimum password age | One day |
| Old passwords | Cannot be reused |
| Ability to change password | Once per day |
| Account lockout | Accounts will be locked out/restricted for 30 minutes after five consecutive unsuccessful attempts. Disclaimers: If you are using UKG TeleStaff, then lockout will occur after three consecutive attempts. If you are using UKG Pro, additional information will be found in your release notes, which will be available during your rollout dates. |
| Account cancellation | After 60 days of inactivity |
| Change password (forgot password) | Yes |
| Repetitive characters | Four |
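
For administrators who want to pre-check candidate passwords or a customized policy against the table above, here is an added example (not UKG code) that tests the length, character-set and repetition rules. It assumes "Repetitive characters: Four" means at most four identical characters in a row and that a symbol is any non-alphanumeric character; password age, reuse and lockout depend on server-side state and are not covered.

```python
# Added example: limits copied from the Password Requirements table above.
MIN_LEN, MAX_LEN = 15, 64
REQUIRED_CLASSES = 3          # "any three character sets"
# Assumption: "Repetitive characters: Four" is read as "at most four
# identical characters in a row"; the page does not define it further.
MAX_RUN = 4

# Assumption: a "symbol" is any character that is not a letter or digit.
CHAR_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "number": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}


def longest_run(password):
    """Length of the longest run of one repeated character."""
    best = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        best = max(best, run)
        previous = ch
    return best


def check_password(password):
    """Return the list of violated rules; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("too_short")
    if len(password) > MAX_LEN:
        problems.append("too_long")
    present = [n for n, test in CHAR_CLASSES.items() if any(map(test, password))]
    if len(present) < REQUIRED_CLASSES:
        problems.append("char_classes")
    if longest_run(password) > MAX_RUN:
        problems.append("repetition")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for sample in ("Correct-Horse-Battery-9", "correct horse battery",
                   "Aaaaaa-bbbbbbbbbb1", "Short1!"):
        print(f"{sample!r}: {check_password(sample) or 'ok'}")
```
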
Why are we required to use 15 characters?
Most users do not like long passwords, but the longer the password, the better. At UKG, we promote the use of password manager tools to assist in generating complex passwords and storing them in a safe location.
MFA Requirements
| Requirement | Details |
|---|---|
| Am I required to use MFA? | Yes |
| How often do I need to authenticate using MFA? | Every seven days per device. Example: If you authenticate on your desktop, then your MFA would be valid for the next seven days. However, if the next day you use the mobile app, you would need to authenticate again, but your MFA would then be valid for the next seven days. |
| Account lockout | Accounts will be locked out for 30 minutes after five consecutive unsuccessful attempts, and you will need to contact a fellow administrator or contact UKG Global Support to reset the password. Note: If you are using UKG TeleStaff, lockout will occur after three consecutive attempts. |
Which devices will be required to use MFA?
You will be required to use MFA on all devices connected to your UKG solution (including mobile devices), except for InTouch devices, Kiosk mode, and Time Stamp (web punch). Please closely review the solution- and role-specific MFA requirements on this page to find the requirements that might apply to your specific role and/or UKG solution.
When will my organization be required to comply with these password and MFA requirements?
All new customers are required to comply with these requirements upon go-live. If you are a new customer and have questions about this, please reach out to your project manager.
If you were live on UKG Pro, UKG Dimensions, UKG Ready®, or Workforce Central® prior to Fall 2022, you will receive email notification of the exact date by which you must comply with these requirements. While subject to change, UKG is targeting the following release dates for these changes:
| Solution | Release Dates |
|---|---|
| UKG Dimensions | April 2023 to May 2023 |
| UKG Pro, UKG Pro Workforce Management, UKG Pro Time and Scheduling | March 2023 to June 2023 |
| UKG Ready | February 2023 to April 2023. Rollouts will depend on where your UKG solution resides (on-premise or in the cloud). Please refer to the UKG Ready Release Readiness page for more information. |
| UKG Workforce Central | If you are planning to migrate from UKG Workforce Central within the Kronos Public Cloud to another UKG solution (e.g., UKG Ready, UKG Dimensions), please view additional details on your plans for MFA and password policy implementation. |
| UKG TeleStaff | MFA is available for customers on version 7.5.4 and the password requirements are mandatory. Once migrated to the Google Cloud Platform Service, both MFA and the password enhancements are mandatory. |
| UKG Workforce Central | April to December 2023 |
| EverythingBenefits | March 2023 |
Our organization uses only HR Service Delivery (HRSD). Are we impacted?
If you are an HR Service Delivery (HRSD) customer, your solution is not impacted by the MFA and password requirements at this time.
We are an on-premise customer using UKG Central and/or UKG TeleStaff. Do we need to comply with these changes?
If you host your UKG solution on-premise, you do not need to comply with these changes at this time.
Where can I find additional details on how to enable MFA and these new password standards?
Coming soon: Specific rollout dates for your UKG solution, solution-specific how-to material, and communication kits to support the employee rollout of these new requirements will be provided as part of your release readiness pages via the UKG Community.
If you use UKG Pro as your front door, please visit the UKG Ultimate Community; if you are using UKG Dimensions or UKG Ready, please visit the UKG Kronos Community. Note: You will need to log in to the UKG Community to access this information.
Remember, data security is everyone’s responsibility
Securing your data is a top priority for us at UKG. It’s all part of how we also secure your trust as a partner for life. Please watch your email and revisit this page often for additional updates on this important initiative.