Brook Preloader

Boosting Your Workday Security: Implementing Step-Up Authentication

Boosting Your Workday Security: Implementing Step-Up Authentication

Introduction to Step-up Authentication

Before getting into step-up authentication, let’s understand what system security is. It refers to the comprehensive set of measures, practices, and techniques designed to protect a system or data from unauthorized access, misuse, or even destruction.

Similarly, Workday offers a unique feature in its security and authentication module: step-up authentication. It is an additional level of verification for users to access restricted items in their tenant. Consider this as an extra layer of security that helps protect against unauthorized access, ensuring that only authenticated and authorized users can perform critical tasks and items.

Why step up our tenant’s authentication? Is it worth the effort?

Implementing step-up authentication in Workday is generally worth it. Organizations with large-scale transactions or employee strengths that prioritize security in Workday should consider the effort of implementing this. It would be important to mitigate the risk and better protect the sensitive data, reducing the risk of fraud and breaches. It can be a demonstration of security which can positively impact your organization’s reputation and employee trustworthiness in handling data within the organization.

How it Works

Consider the example of a university that uses Workday for HCM and Payroll for their employees (Professors, student workers, etc.). Employees sometimes use a shared computer in a library or kiosk to download and print information like W-2s, payslips, or any personal documents from Workday. Organizations can implement step-up authentication in such scenarios to secure certain domains that control downloading and printing from these kiosks or shared computers. Employees would need to reauthorize or re-authenticate themselves (enter credentials or authenticate with SSO again in a separate session) when clicking to access W-2s or Payslips.

How is risk mitigated in this case?

Shared computers or kiosks are prone to attacks or gaining unauthorized access. When re-authenticating, Workday will open another session to log in either via credentials or SSO (based upon tenant configuration) and then the user will be able to access the personal documents or domains secured through step-up configuration. Certain methods are:

  • Requiring multiple forms of verification, such as a password plus a temporary code sent to a mobile device or generated by an authenticator app, will protect you from any unauthorized access.
  • Dynamically adjusting authentication requirements based on the risk profile of the activity. Low-risk actions may require basic authentication while high-risk actions would require additional verifications using step-up configuration. This will prevent unnecessary vulnerabilities.

Setting it Up: Manage Authentication Policy

In this task, you can configure step-up authentication on an existing authentication policy or a new policy.  At the bottom of the authentication policy, you will see an option for adding a step-up configuration. In that task, you will need to name your configuration, define session time, and exempt any security groups you wish to exclude from this configuration. With that select the default idP and step up the authentication type which will default in from your tenant-level security settings. Define business process types, security domains, or sensitive data groups you want to step up authentication on and activate all pending authentication changes.

Additional Considerations: Proceed with caution!

  • In addition to the above configurations, some tenant-level security settings may need to be modified. In the SAML Identity provider, Always Require idP Authentication should be checked with ForceAuthn for step-up authentication to work.  This will enable idP authentication every time a privileged session is opened.
  • The idP that Workday uses for stepping up authentication for accessing secured domains or business processes must be configured for SP-Initiated SAML.

Note: Please check with your IT department or idP provider in case there are any additional layers or any specific configuration that can break because of enabling “Always Require idP Authentication”

Testing and Roll Out

  1. Test the step-up authentication setup with a pilot group of people before full deployment. Ensure the process is smooth and does not disrupt the normal business operations.
  2. Inform and train users about the new authentication process. Rolling out a user guide would be beneficial in explaining the process and why it is important to secure the information.

For those who think data security is of utmost importance, please reach out to Kognitiv for assistance in getting this functionality set up quickly and rolled out in your tenant to suit your security needs. 


  • Anant Patwa

    Anant Patwa started as an intern in the Workday ecosystem in 2018 and has grown his knowledge and experience of Workday operations and Workday configurations. Since joining Kognitiv in 2022, Anant has led several Phase X Implementations and focused on supporting clients in HCM Core, Recruiting, Talent, Advance Compensation, BIRT and Reporting.

    View all posts