
Secure Sensitive Data with MFA in Workday

Reco Security Experts
June 11, 2024
July 15, 2024

Secure Sensitive Data with Multi-Factor Authentication (MFA) in Workday

In today's digital landscape, protecting sensitive data within cloud-based platforms like Workday is paramount. As more organizations leverage these platforms for critical HR and financial information, robust security measures become imperative. MFA emerges as a powerful solution, bolstering security beyond traditional password protection.

Enhanced Security Posture with MFA

MFA implements a two-step verification process. While usernames and passwords remain the initial access point, MFA introduces a secondary authentication factor, significantly strengthening the overall security posture. This additional layer can take various forms, including:

  • Authenticator Apps: Widespread options like Google Authenticator or Microsoft Authenticator generate unique codes on your smartphone for login verification.
  • SMS Verification: Certain organizations may offer SMS verification, sending a temporary code via text message to your registered phone number.
  • Biometric Authentication: Fingerprint or facial recognition capabilities on specific devices offer a convenient and secure verification method.

Configuration Steps for MFA Setup

Step #1: Choosing the Right Authentication Methods

The first step is to choose which authentication methods to use. Workday provides several, including:

  • Authenticator App
  • Backup Code (Optional)
  • One Time Passcode - Email
  • One-Time Passcode - SMS

Reflecting on the various methods of MFA is like examining a toolbox filled with different tools to secure your digital world. Each method serves a unique purpose, offering its own blend of security and convenience. 

Pro Tip

For distinct user groups, you can activate various forms of MFA:

  • To protect your worldwide workforce's accounts from phishing attacks, consider implementing MFA such as one-time passcodes delivered via SMS or email, and the authenticator app.
  • Use SMS one-time passcode MFA to protect the accounts of users who usually own a basic cell phone.
  • Challenge questions can be used to protect the accounts of users who cannot use other forms of MFA. Field employees in developing nations are one example.

Step #2: Configure Your Security and Tenant Configuration

i. Security Access Configuration

Before enabling MFA in a Workday tenant, there's a crucial prerequisite: ensuring users have the necessary security access to relevant domains for the task and any additional actions.

Here's a breakdown of this prerequisite:

Relevant Domains

Depending on the chosen MFA method (e.g., SMS verification, authenticator app integration), access to specific Workday domains might be required. The following domains house the settings and configurations related to that particular MFA method.

| Domains | Scope |
|---|---|
| Manage Innovation Services in the Innovation Services functional area | Allow users to set up SMS one-time passcode MFA that uses Twilio for delivery of SMS OTPs. |
| Self-Service: Work Phone; Self-Service: Home Contact | Permit users to select or change their phone number to receive SMS one-time passcodes. |
| Set Up: Contact Info, IDs, and Personal Data | Enable users to configure the mobile device type for use with SMS one-time passcode MFA. |
| Set Up: Tenant Setup - Global in the System functional area | Enable users to configure the phone number format for use with SMS one-time passcode MFA. |
| Set Up: Tenant Setup - Security | Enable users to add MFA providers to the tenant, and to define authentication policies to specify MFA on username, password, SAML, and OpenID Connect authentication types. |
| Workday Accounts; Workday Account Monitoring | Enable users to view sign-in messages related to MFA. |

Pro Tip

The Signons and Attempted Signons report is a powerful tool for monitoring user access and MFA usage within your Workday environment. By leveraging this information, you can ensure a more secure login environment and potentially improve MFA adoption rates.

ii. Tenant Configuration

Prerequisite: Once you have security access, you must set up MFA providers in the tenant before you can specify them on authentication policies. Challenge questions are the exception.

Set Up MFA Providers 

  1. Access the Edit Tenant Setup - Security task.
  2. On the MFA Providers grid, click Add MFA Provider and add any of these authentication providers to the tenant, according to your requirements:
    • Authenticator App
    • Backup Code (Optional)
    • One Time Passcode – Email
    • One Time Passcode - SMS

Set Up Different Configuration of MFA for Individual Workday Accounts (Optional)

Pro Tip

IT admins can use Workday's MFA management features, such as exemptions, grace periods, and policy resets, by configuring the Edit Workday Account task for individual users. This lets you balance security and user experience. Remember, a well-managed MFA implementation strengthens your Workday security posture without creating unnecessary hurdles for legitimate users.

Set Up Authentication Rules

After enabling the provider or providers, you must create authentication rules. Workday uses these rules to establish the sign-in prerequisites for different user groups, which are defined by the security groups to which the users are assigned. An authentication policy can contain many authentication rules.


1. Navigate to the Manage Authentication Policies report and edit the authentication policy to which you want to add your authentication rules.

2. To create a new blank authentication rule, click the addition (+) symbol located in the leftmost column of the Authentication Ruleset grid. One blank authentication condition is automatically included in a new authentication rule.

3. Name the rule by entering its name in the Authentication Rule Name field. 

4. Choose which unconstrained security groups you want the rule to apply to in the Security Group box.

5. Name the authentication condition by entering its name in the Authentication Condition Name field. The fields in the remaining columns apply to this authentication condition.

6. In the Authentication Conditions column, select a condition under which members of the selected security groups can access Workday: 

  • Allow members of the security groups to access Workday only from particular networks or IP ranges that you create or select.
  • Allow members of the security groups to access Workday from any network, subject to any additional constraints.

Both options also depend on the choices you make in the other authentication conditions you define for the rule.

7. In the Allowed Authentication Types column, choose the first authentication type that satisfies the authentication condition:

  • Username Password
  • SAML
  • OpenID Connect

For MFA, choose any of the following:

  • Authenticator App as a second authentication factor.
  • Backup Codes (Optional) as a second authentication factor.
  • One-Time Passcode – Email as a second authentication factor.
  • One Time Passcode – SMS as a second authentication factor.

Note: Workday automatically selects Any, which means that users meeting the authentication condition can sign in to Workday using any available authentication type. To restrict access, select None to block access using all available authentication types, or select Specific and configure at least one authentication type.

8. After adding all the necessary authentication conditions to the rule, arrange them in the order in which you want Workday to evaluate them.
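The rule structure built in steps 1 to 8, modelled as an added example (not from the original article and not Workday code) that shows which condition decides a sign-in and where a second factor is not enforced. The Rule and Condition types, the first-match evaluation order, and the sample policy are assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "name groups conditions")  # conditions are kept in evaluation order
@dataclass
class Condition:
    name: str
    networks: list        # CIDR strings; an empty list models "any network"
    allowed: str          # "Any", "None" or "Specific", as in the note on the page
    auth_types: list = field(default_factory=list)  # first factor(s) when Specific
    mfa: list = field(default_factory=list)         # second factor(s) when Specific

    def matches(self, ip):
        return not self.networks or any(ip_address(ip) in ip_network(n) for n in self.networks)

def resolve(policy, user_groups, ip):
    """Assumed first-match: first rule sharing a group, then its first matching condition."""
    for rule in policy:
        if rule.groups & set(user_groups):
            cond = next((c for c in rule.conditions if c.matches(ip)), None)
            return rule.name, cond.name if cond else None
    return None

def audit(policy):
    """Flag conditions that accept sign-in without a second factor or are never reached."""
    findings = []
    for rule in policy:
        shadowed = False
        for c in rule.conditions:
            where = f"{rule.name}/{c.name}"
            if shadowed:
                findings.append((where, "unreachable after an any-network condition"))
            if c.allowed == "Any":
                findings.append((where, "left at Any: any available type is accepted"))
            elif c.allowed == "Specific" and not c.mfa:
                findings.append((where, "Specific, but no second factor selected"))
            shadowed = shadowed or not c.networks
    return findings

# Constructed sample policy: group names, rule names and networks are made up.
POLICY = [
    Rule("HR Admins", {"HR Administrator"}, [
        Condition("Office", ["10.20.0.0/16"], "Specific", ["SAML"]),
        Condition("Anywhere", [], "Specific", ["Username Password"], ["Authenticator App"]),
        Condition("VPN block", ["10.99.0.0/24"], "None"),
    ]),
    Rule("Everyone", {"All Users"}, [Condition("Default", [], "Any")]),
]
```

Running audit(POLICY) flags the Office condition (no second factor), the VPN block condition (placed after an any-network condition, so never reached under the assumed ordering) and the Default condition left at Any.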


Workday automatically prompts users when they sign in using any MFA method:

  • Backup codes: Workday shows the backup codes at the end of the setup process if you choose to use them as an authentication factor. Workday advises you to give your users instructions on how to record and safely store their backup codes.
  • One-time passcode by email: the first time users sign in, Workday automatically prompts them to verify the email address to which it will send one-time passcodes.
  • One-time passcode by SMS: when users sign in, Workday automatically prompts them to set up an SMS one-time passcode. During setup, users pick a cell provider and choose, from a list of numbers, the cell phone number to which Workday will text one-time passcodes.


In summary, using MFA to secure sensitive data in Workday is a proactive way to reduce security threats and protect important data. Organizations may strengthen their defenses, adhere to legal requirements, and give staff members a safe environment in which to access and handle sensitive data by implementing MFA. Investing in strong security measures such as MFA is not only necessary but also strategically vital for enterprises that aim to protect their digital assets and uphold stakeholder confidence, given the ongoing evolution of cyber threats.
