You are dealing with very sensitive data, and while we take data security very seriously, we want to provide you with options for extra protection. In addition to your regular password you can also enable mobile token security. Just enter your mobile phone number into SI, and whenever your SI account is accessed from a new device, you'll be asked for a token that is delivered to your phone.
Article Quick Links
About 2-Step Verification
2-Step Verification is a standard mechanism for securing access to vital systems. You can secure your Twitter account, your blog, and of course PayPal and your online banking with your phone. Even if a hacker steals your password, they won't be able to log in from their computers, because each new device requires access to the SMS token.
But pure SMS tokens may not work if you're in a remote area, or outside the country. So we're integrating with a service called Authy, which turns your phone into a secure token generator as well. Just download a mobile app for iOS or for Android, and you can create tokens without mobile reception. We use it all the time at the Small Improvements Berlin headquarters, it works just great!
Here's what it looks like to a user who just had 2-Step Verification enabled (either by HR, or by themselves). After entering the regular username and password, the user is prompted to enter a mobile phone number. One thing to note - a user will have to logout first to see the message below.
Once entered, the next screen asks for a mobile token. This can get delivered by SMS, or by installing the app Authy and having the code generated by the app. Once entered, the user is logged in. The device is now remembered, so the user doesn't need to enter the code again for 30 days.
Every new device or browser however needs to get authorized again. And this is exactly what keeps hackers out: They might have gotten access to a user's password (even by breaking in into another service which the employee was using the same password for), but since they don't have an authorized device, they will get stopped at the mobile code screen.
The best way to test 2-Step Verification is to try it out on one sample user account, just so you get a feeling for using the option. Simply navigate to any user's profile in the company directory list (for instance one user you just created for testing purposes), and enable the 2-Step Verification there.
To locate the Directory visit the Administration tab and Directory, then the drop-down:
And you can enable 2-Step Verification on the user profile as well:
Roll-out to all employees
Once that works, our recommended rollout option is to enforce it for all admin accounts. Just navigate to the "security" section of your administration tab, and enable 2-Step Verification there.
Once you save, it is active instantly: HR Admins will get prompted to enter your phone number, and we'll send you a token to ensure you got the phone number right, and your device is authorized.
Here is a visualization on where you can find the the set-up:
By enforcing 2-Step Verification for all admin and HR staff, this applies to future HR people as well, without having to enable 2-Step Verification for them manually. The moment they get the HR permission, the SMS or App token becomes mandatory.
In addition, you could enforce it for key employee's accounts as well. At any point you can enable 2-Step Verification for those key people one by one- Just locate them in the company directory and use the admin menu as shown above.
And lastly, you can also allow everyone to use 2-Step Verification if they like. This is also done within the security section of the admin overview, just below where you can enforce those with HR privileges to use Authy.