Everything you need to know about Workday’s Trusted Devices feature
Using an ERP involves a variety of users constantly signing in and out of it. During all the stages the system goes through, from implementation to support, many participants interact with it, from company employees and contingent workers to collaborators such as consultants. Not having control over which of these accesses come from trusted sources could be a problem.

Because of this and given that, according to Workday, account takeovers and identity theft are at an all-time high for enterprise applications, it is important to take measures in order to control what devices are accessing the tenants.

Available since Workday 32, Trusted Devices is a functionality that allows you to address this problem by enabling you to easily identify unusual sign-on behavior.

How to activate it? How does it work?

The feature, which has been enabled by default since it was introduced, allows users to quickly detect unauthorized sign-in attempts, thereby helping to prevent account takeovers.

When it is enabled, end users will be prompted to mark the devices they log in from as trusted.

Devices are trusted for 180 days. If the user chooses to skip the step, they will be prompted again on their next sign-in from a non-trusted device.

Trusted Devices is available for the following authentication methods into Workday:

  • SAML Single Sign-On
  • OpenID Connect
  • Delegated Authentication
  • Native Workday Authentication


Detailed operation
Every time a user signs in from a new device, the options to trust it or skip the validation are shown.

It is important to note that the system considers any new combination of physical device and browser as a new device. So, if for example a user accesses Workday from the same computer but with a different browser, it will count as a new device.

A security alert email notification is sent to the user on these occasions:

  1. A new device is registered as trusted.
  2. The trusted device registration is skipped.


Manage Trusted Devices
End users can view and remove trusted devices by going to the Worker Profile menu and clicking on My Account > Manage Trusted Devices, or directly by using the Manage Trusted Devices task.

Signons and Attempted Signons

Administrators can use the Signons and Attempted Signons report to check whether a sign-in came from a trusted device or not.

Disabling the whole thing

Some clients might want to turn off this feature.

It can be done by going to the Edit Tenant Setup – Security task and checking the Disable Trusted Devices check box.


Disabling Notifications

It is also possible to disable the email notifications instead of the whole tool. This is done by going to the Edit Tenant Setup – Security task and unchecking the Enable Security Emails option.

However, this practice is highly discouraged, because it also deactivates the following notifications:

  • Password resets
  • OTP notifications
  • X.509 and PGP certificate expiration notifications

Opting out of Trusted Devices: Authentication Policies

If opting out of Trusted Devices, having a tightly designed authentication policy strategy is more important than ever.

Authentication policies allow us to more closely control user authentication.

The following points should be taken into account:

  • Access restrictions
    • Based on variables such as Network, Device and Security Group
  • Multifactor Authentication
    • Requires users to provide more than one type of identity verification to access Workday. Example: username and password + smartphone passcode.
  • Delegated Authentication
    • Backup authentication plan in case the third-party delegated authentication system goes offline. For example: having Security Assertion Markup Language (SAML) authentication from any network for everyday use and username and password authentication from the corporate network for high-priority users. This way the high-priority users can perform critical tasks in case the delegated authentication system is offline.
  • Regular monitoring of these reports:
    • Signons and Attempted Signons
    • Workday Accounts Currently Locked Out By Excessive Failed Signon Attempt
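Both the Signons and Attempted Signons paragraph above and the monitoring point in this list come down to the same routine: regularly reading the report and picking out sign-ins that did not come from a trusted device. The script below is an added example, not Workday's own code or anything shipped by BNB. It works on a constructed CSV export whose column names (signon_time, user, successful, trusted_device, source_ip, browser) are assumptions; a real export of the report will need its columns mapped to these names. It summarises, per user, the distinct device combinations (here source IP plus browser, mirroring the rule that each new device-browser pair counts as a new device) used for successful sign-ins without a trusted device, and separately flags successful untrusted sign-ins that were preceded by failed attempts from the same device within a short window, which is the pattern an administrator would want to review first.

```python
"""Triage a constructed export of the Signons and Attempted Signons report.

Added example (not Workday's code). Column names and the ten-minute window
are assumptions; adjust them to the columns of your tenant's report export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export with assumed column names (not a real tenant export).
SAMPLE_EXPORT = """\
signon_time,user,successful,trusted_device,source_ip,browser
2024-03-01T08:05:00,jdoe,Y,Y,203.0.113.10,Chrome
2024-03-01T08:10:00,jdoe,Y,N,198.51.100.7,Firefox
2024-03-01T09:00:00,asmith,N,N,192.0.2.44,Chrome
2024-03-01T09:01:00,asmith,N,N,192.0.2.44,Chrome
2024-03-01T09:02:00,asmith,Y,N,192.0.2.44,Chrome
2024-03-01T10:30:00,bjones,Y,Y,203.0.113.22,Safari
"""

# Assumed window: failures this close before an untrusted success are linked to it.
FAILURE_WINDOW = timedelta(minutes=10)


def parse_export(text):
    """Parse the CSV export into typed rows, sorted by sign-on time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": datetime.fromisoformat(row["signon_time"]),
            "user": row["user"],
            "successful": row["successful"] == "Y",
            "trusted": row["trusted_device"] == "Y",
            # A device is a physical device plus browser; IP stands in for the
            # physical device in this constructed export.
            "device": (row["source_ip"], row["browser"]),
        })
    rows.sort(key=lambda r: r["time"])
    return rows


def untrusted_signons(rows):
    """Map each user to the distinct devices from which they signed in
    successfully without the device being marked as trusted."""
    result = defaultdict(set)
    for r in rows:
        if r["successful"] and not r["trusted"]:
            result[r["user"]].add(r["device"])
    return dict(result)


def failures_then_untrusted_success(rows, window=FAILURE_WINDOW):
    """Return (user, device, failure_count) for every successful untrusted
    sign-in preceded, within `window`, by failed attempts from the same
    user and device. These rows deserve the first look from an administrator."""
    findings = []
    recent_failures = defaultdict(list)  # (user, device) -> failure times
    for r in rows:
        key = (r["user"], r["device"])
        if not r["successful"]:
            recent_failures[key].append(r["time"])
            continue
        fails = [t for t in recent_failures[key] if r["time"] - t <= window]
        if fails and not r["trusted"]:
            findings.append((r["user"], r["device"], len(fails)))
        recent_failures[key] = []  # a success closes the current streak
    return findings


def triage(text=SAMPLE_EXPORT):
    """Run both checks over an export and return the findings."""
    rows = parse_export(text)
    return {
        "untrusted": untrusted_signons(rows),
        "suspicious": failures_then_untrusted_success(rows),
    }


if __name__ == "__main__":
    report = triage()
    for user, devices in sorted(report["untrusted"].items()):
        print(f"{user}: {len(devices)} untrusted device(s): {sorted(devices)}")
    for user, device, n in report["suspicious"]:
        print(f"REVIEW {user}: untrusted success from {device} after {n} failed attempt(s)")
```

Run against the sample, jdoe shows one untrusted device (the second browser on a different address), asmith's success is flagged because two failures from the same device preceded it, and bjones, whose device is trusted, appears in neither list. Pointing `triage()` at the text of a real export is enough to reuse it, once the columns are mapped.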

At BNB we have the expertise to help you with all the phases of your Workday deployment. Be it with or without the Trusted Devices feature presented today, we can assist in building a secure framework for user authentication, so that you can keep your focus on driving your business towards proficiency and productivity.

Stefano Di Domenico