You are dealing with very sensitive data, and while we take data security very seriously, we want to provide you with options for extra protection. In addition to your regular password you can also enable mobile token security. Just enter your mobile phone number into SI, and whenever your SI account is accessed from a new device, you'll be asked for a token that is delivered to your phone.
2-Step verification is a standard mechanism for securing access to vital systems. You can secure your Twitter account, your blog, and of course PayPal and your online banking with your phone. Even if a hacker steals your password, they won't be able to log in from their own computer, because each new device requires access to the SMS token.
But pure SMS tokens may not work if you're in a remote area, or outside the country. So we're integrating with a service called Authy, which turns your phone into a secure token generator as well. Just download the mobile app for iOS or Android, and you can create tokens without mobile reception. We use it all the time at the Small Improvements Berlin headquarters, and it works just great!
End user screens
Here's what it looks like to a user who just had 2-step verification enabled (either by HR, or by themselves). After entering the regular username and password, the user is prompted to enter a mobile phone number:
Once entered, the next screen asks for a mobile token. The token can be delivered by SMS, or generated by the Authy app if it is installed. Once the token is entered, the user is logged in. The device is now remembered, so the user doesn't need to enter the code again for 30 days.
Every new device or browser, however, needs to be authorized again. And this is exactly what keeps hackers out: they might have gotten hold of a user's password (even by breaking into another service where the employee was using the same password), but since they don't have an authorized device, they will be stopped at the mobile code screen.
The best way to test 2-Step verification is to try it out on one sample user account, just so you get a feeling for using the option. Simply navigate to any user's profile in the directory list (for instance one user you just created for testing purposes), and enable the 2-step-verification there:
And you can enable 2-step verification on the user profile as well:
Once that works, our recommended rollout option is to enforce it for all admin accounts. Just navigate to the "security" section of your administration overview, and enable 2-step verification there. Once you save, it is active instantly: HR admins will be prompted to enter their phone number, and we'll send them a token to ensure they got the phone number right and their device is authorized. Here is a visualization of where you can find the set-up:
Enforcing 2-step verification for all admin and HR staff also applies to future HR people, without having to enable 2-step for them manually. The moment they get the HR permission, the SMS or app token becomes mandatory.
In addition, you could enforce it for key employees' accounts as well. At any point you can enable 2-step verification for those key people one by one: just locate them in the user directory and use the admin menu as shown above.
And lastly, you can also allow everyone to use 2-step verification if they like. This is also done within the security section of the admin overview, just below where you can enforce 2-step verification for those with HR privileges.