Thousands of employees use the Employee Self-Service to communicate with their employer, follow up on essential HR tasks and consult or edit their employee data. In this blogpost we'll tell you more about the latest security upgrade we launched for the self-service: using pincodes as a secure and user-friendly login method.
This blogpost is the second part in a series about how we're systematically improving security around our employee self-services. We'll give you more insight into the recent measures we took to prevent potential security risks. You can find the first part here.
If someone other than the employee could access their self-service, they would be able to see a lot of sensitive data: their wage package, bank account number, telephone number or even their home address.
This is why security is an absolute priority at Officient, and why we made it possible to log in to the self-service using a unique pincode.
What are the benefits of using pincodes?
By now everyone is acquainted with pincodes. You have one for your bank card, and your electronic ID card is protected by a pincode as well. Many mobile apps, including Officient, now use pincodes to offer a user-friendly and secure way to log in.
What are some of the advantages of using a pincode?
Pincodes are tied to a device
Your pincode is always tied to a device, which in turn is linked to an account. The pincode for your bank card is linked to the physical card, and the card is connected to your bank account(s). This is why the pincode for your bank card differs from the pincode you use to log in to your banking app.
A cash machine reads a random code from your physical bank card (the device). That code only matches one specific pincode, which you then have to enter before you can access your bank account. Officient works in a similar way. The first time you set up your pincode, a random code is generated that matches only this pincode, on the device you are logging in from. The next time you log in from the same device, the pincode is sent together with the random code stored on that device, and you only gain access when both have been submitted and match each other. Every authenticated device is also listed under 'Settings'.
There is another advantage to tying pincodes to a device. Like a password, a pincode could leak from a server or be seen when you type it, but without the matching code on your device the pincode alone is useless. An attacker would have to get hold of the physical device as well, which is far less likely to happen, and even then the device itself may be locked with a different pincode from the one you use for Officient. (Because the pincode and the device code travel together at login, the connection itself has to be encrypted, as it is for any login.)
Access is denied after several wrong pincode attempts
Have you ever entered a wrong pincode three times while unlocking your SIM card, after which your phone was blocked and you had to enter a PUK code* to continue?
* Personal Unblocking Key (PUK), also called Personal Unblocking Code (PUC)
The same principle applies to every login method that uses a pincode. When the cash machine retains your bank card after three wrong entries, you have to go to your bank to confirm your identity and have a new card sent to your home address. "Going to the bank and confirming your identity" is to a new card what the PUK code is to a SIM card: a stronger, separate way of proving who you are.
With Officient the same principle applies. You have a maximum of three attempts to enter your pincode. After the third wrong attempt, all login credentials are wiped from the device and you have to authenticate in a different way. In our case that means logging in again through your Google or Office 365 account, or having a reset link sent to another mailbox.
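The two mechanisms described above (a pincode that only works together with a random code stored on the registered device, and a three-strikes wipe) fit in a few dozen lines. The following is an added illustration written for this post, not Officient's own code; the record layout, the status strings, the 5-digit pincode and the account name are assumptions. The server never stores the device secret or the pincode in clear, only a hash of the secret (as the lookup key) and a slow, salted hash of the pincode.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 3   # three wrong pincodes and the device is forgotten
PIN_LENGTH = 5     # the post mentions 4- or 5-digit codes; 5 is assumed here


def _pin_hash(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash: a stolen database reveals neither the pincode nor a
    cheap way to brute-force it, even though there are only 10**PIN_LENGTH."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000, dklen=32)


class Server:
    """One record per authenticated device, keyed by a hash of the device
    secret (hypothetical layout for this example)."""

    def __init__(self) -> None:
        self.devices: Dict[bytes, dict] = {}

    def register_device(self, account: str, pin: str) -> bytes:
        """Called once the user has logged in strongly (Google / Office 365).
        Returns the fresh random device secret that the client must keep."""
        if not (pin.isdigit() and len(pin) == PIN_LENGTH):
            raise ValueError(f"pincode must be {PIN_LENGTH} digits")
        device_secret = secrets.token_bytes(32)
        salt = os.urandom(16)
        self.devices[hashlib.sha256(device_secret).digest()] = {
            "account": account,
            "salt": salt,
            "pin_hash": _pin_hash(pin, salt),
            "failures": 0,
        }
        return device_secret

    def login(self, device_secret: bytes, pin: str) -> Tuple[str, Optional[str]]:
        """Returns (status, account); status is "ok", "wrong_pin",
        "wiped" (third failure, record deleted) or "unknown_device"."""
        key = hashlib.sha256(device_secret).digest()
        record = self.devices.get(key)
        if record is None:
            return "unknown_device", None   # the pincode is not even looked at
        if hmac.compare_digest(_pin_hash(pin, record["salt"]), record["pin_hash"]):
            record["failures"] = 0
            return "ok", record["account"]
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            del self.devices[key]           # the device has to re-register
            return "wiped", None
        return "wrong_pin", None


class Client:
    """The app on the phone or browser: remembers the account and the device
    secret, never the pincode."""

    def __init__(self, server: Server) -> None:
        self.server = server
        self.account: Optional[str] = None
        self.device_secret: Optional[bytes] = None

    def setup_pin(self, account: str, pin: str) -> None:
        self.device_secret = self.server.register_device(account, pin)
        self.account = account

    def login_with_pin(self, pin: str) -> str:
        if self.device_secret is None:
            return "reauth_required"        # Google / Office 365 or reset link
        status, _ = self.server.login(self.device_secret, pin)
        if status in ("wiped", "unknown_device"):
            self.device_secret = None       # wipe the local credentials as well
            self.account = None
        return status


def brute_force(server: Server, device_secret: bytes) -> Tuple[Optional[str], int]:
    """An attacker who even holds the device secret tries every pincode in
    order. Returns (pincode found or None, number of attempts made)."""
    attempts = 0
    for candidate in range(10 ** PIN_LENGTH):
        attempts += 1
        status, _ = server.login(device_secret, f"{candidate:0{PIN_LENGTH}d}")
        if status == "ok":
            return f"{candidate:0{PIN_LENGTH}d}", attempts
        if status in ("wiped", "unknown_device"):
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    srv, app = Server(), Client(srv)
    app.setup_pin("alice@example.com", "48213")   # constructed sample account
    print(app.login_with_pin("48213"))            # ok
    print(brute_force(srv, app.device_secret))    # (None, 3): locked out
```

Two design points matter here. The attempt counter lives on the server, in the device record, so copying or resetting the app's local storage does not buy extra guesses; the client merely mirrors the wipe. And the pincode is only ever checked for a device the server knows, so someone who learns the pincode (by watching you type it, or from a leaked database, where only a slow hash is stored) gets nowhere without the 32-byte secret on the registered device.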
Pincodes are easier to remember and to use in comparison with passwords
Because passwords aren't tied to a device and can be tried from anywhere over the network, extra measures have to be taken to prevent brute force attacks*.
* A brute force attack is the automated trying of every possible combination in the hope of hitting the right login credentials.
These extra measures are, for example, why you have to come up with a password with a minimum number of characters, uppercase and lowercase letters, digits and so on: a program can keep testing passwords indefinitely, whereas a pincode locks after three attempts and the login credentials are deleted automatically. A 4- or 5-digit code has only 10,000 or 100,000 possible values, so this limit on attempts is exactly what makes such a short code safe.
As a result, passwords are a lot less user-friendly to log in with. Entering 8+ characters with uppercase, lowercase, digits and so on is clearly more work than entering a 4- or 5-digit code, and a short code is a lot easier to remember as well. You wouldn't be the first to forget which login goes with which password.
You also don't have to enter your e-mail address every time. Because your pincode is linked to your device, the device remembers which account was authenticated when the pincode was first set up. After three wrong attempts this information is deleted as well.