written by
Maarten Decroos

Upgrading security around the employee self-service, part 1: Logout on inactivity & High-security mode

Officient news 5 min read

Thousands of workers use our Employee Self-Service to communicate with their employer, follow up on important HR events and check their personal employee data. To ensure that every one of these logins is authentic, we constantly have to improve security around our Employee Self-Service. That means building solutions that address different potential risks, protecting our users and their sensitive data in the process. In this blog post we'll tell you about two security updates we've launched across our Employee Self-Service platform, and about the risks they're designed to prevent.

This blog post is the first part in an ongoing series about upgrading security around our Employee Self-Service, in which we discuss newly implemented measures to combat potential security risks.

Security around our Employee Self-Service
Securing the Employee Self-Service goes beyond protecting the app alone: it also means encrypting the data stored within the self-service and building security checks into every option for communicating data or authenticating users.

The Officient self-service holds a lot of sensitive information: an employee's wage, their benefits, labour contracts, home address, telephone number... A lot of personal information you really don't want anyone besides yourself having access to, right?

There are many different ways a system can be accessed without permission, and given the sensitive nature of the data we store, we have to be constantly mindful of potential security risks. This often means building multiple layers of security to combat different kinds of threats, from negligence to hacking attempts. We've recently launched a couple of security updates to prevent two specific risks. What are these risks, and how are these security updates going to help protect you?

1. Do you mind if I sneak a peek at your payslip?

Have you ever wondered what the easiest way is to access an account that's not your own? It's quite simple really. First someone needs to get their hands on a device you use to log in to certain accounts. You also have to still be logged in. Then they just need to wait for the moment you leave your desk, and that's it. They're in.
What if a co-worker suddenly develops an interest in what you earn? They might just go and check while you've left for the bathroom and your laptop is sitting wide open on your desk, logged in to your Employee Self-Service.

In a world full of apps, with the ability to switch between multiple screens or tabs on the same device, we seem to have forgotten about logging out and what purpose it serves in the first place. Increasingly we just close the screen (thinking that logs us out) or open another window or tab to start some other activity. This means we tend to have multiple tabs open, one of which could still be logged in to a personal account.

How do we prevent this kind of abuse? We designed a failsafe that forces a user to log out after a certain period of inactivity. You might have had a similar experience when using a mobile banking app.

Borrowing some ideas from the mobile banking world

With the ease of moving money between accounts through mobile applications, banks had to make sure their users and their money were protected from different kinds of attacks, even the straightforward ones. That's why they created the function that automatically generates in-app prompts, checking whether you are still active and want to remain logged in. If you don't respond within a certain amount of time, the application automatically logs you out to prevent someone else from accessing it. Think of what could happen if someone stole your phone while you were still logged in to your banking app: at that point it wouldn't take much work to wire-transfer a large sum (up to a certain preset limit) to another account. If you think your phone's touch lock might stop them before they can access your banking app, then maybe read this article.
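The inactivity logout with a "still there?" prompt described in the two passages above can be modelled as a small server-side session policy. The following is an added example written for this post, not Officient's own code; the session store, function names and the timing values (10 minutes of inactivity, a 60-second prompt window, an 8-hour absolute lifetime) are assumptions. The important design point is that the server decides whether a session is still valid, so a stale tab or a late "I'm still here" click cannot keep an expired session alive.

```javascript
'use strict';

// Assumed policy values (not from the post): prompt after 10 min idle,
// 60 s to answer the prompt, hard cap of 8 h regardless of activity.
const INACTIVITY_MS = 10 * 60 * 1000;
const PROMPT_GRACE_MS = 60 * 1000;
const ABSOLUTE_MAX_MS = 8 * 60 * 60 * 1000;

// In-memory session store: sessionId -> { userId, createdAt, lastActivityAt, revoked }
const sessions = new Map();

function createSession(sessionId, userId, now) {
  sessions.set(sessionId, { userId, createdAt: now, lastActivityAt: now, revoked: false });
}

// Classify a session at time `now` (ms since epoch):
//   'active'     - normal use
//   'prompt'     - inactivity threshold passed; the client should ask "still there?"
//   'logged_out' - grace period elapsed, explicitly revoked, or absolute lifetime exceeded
function sessionStatus(sessionId, now) {
  const s = sessions.get(sessionId);
  if (!s || s.revoked) return 'logged_out';
  if (now - s.createdAt >= ABSOLUTE_MAX_MS) return 'logged_out';
  const idle = now - s.lastActivityAt;
  if (idle < INACTIVITY_MS) return 'active';
  if (idle < INACTIVITY_MS + PROMPT_GRACE_MS) return 'prompt';
  return 'logged_out';
}

// Called on every authenticated request and when the user answers the prompt.
// It only extends a session that is still valid: a client cannot resurrect an
// expired session by sending a late "I'm still here". Returns false when the
// caller should redirect to the login page.
function touchSession(sessionId, now) {
  const status = sessionStatus(sessionId, now);
  if (status === 'logged_out') {
    sessions.delete(sessionId); // drop server state; the cookie alone is now useless
    return false;
  }
  sessions.get(sessionId).lastActivityAt = now;
  return true;
}

// An explicit logout from one tab revokes the session for every tab sharing it.
function revokeSession(sessionId) {
  const s = sessions.get(sessionId);
  if (s) s.revoked = true;
}

// Walk-through with constructed timestamps.
function demo() {
  const t0 = 1700000000000;
  createSession('sess-1', 'emp-42', t0);
  const trail = [];
  trail.push(sessionStatus('sess-1', t0 + 5 * 60 * 1000));           // 'active'
  trail.push(sessionStatus('sess-1', t0 + 10 * 60 * 1000 + 5000));   // 'prompt'
  trail.push(touchSession('sess-1', t0 + 10 * 60 * 1000 + 30000));   // true: prompt answered in time
  trail.push(sessionStatus('sess-1', t0 + 15 * 60 * 1000));          // 'active' again
  trail.push(touchSession('sess-1', t0 + 40 * 60 * 1000));           // false: too late, session dropped
  trail.push(sessionStatus('sess-1', t0 + 40 * 60 * 1000));          // 'logged_out'
  return trail;
}
```

In a real deployment the client-side prompt is only a courtesy to the user; `sessionStatus` and `touchSession` would sit in the request middleware so that a laptop left open on a desk stops serving data once the grace period passes, whether or not the browser tab ever ran its timer.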

Different levels of security settings for the Officient employee self-service
Security levels give our customers the flexibility to choose for themselves which type of security measures are necessary, and to be informed about what changes in the use of the self-service this will bring.

2. High-security mode: ON

Not all security risks are as straightforward as the previous one. Most potential threats are more complex and technical in nature. They tend to appear alongside building new features or expanding existing functionality for users. But why is that?

SaaS companies want to design workflows in and around their products that make different user experiences more intuitive. On the other hand, you might want to provide multiple options to perform a similar activity, to attract a wider range of potential users. Let's first take a look at how different methods of logging in to an application might not carry the same level of security.

A good example of this is the added security that Single Sign-On brings (logging in with a Google or Office 365 account). This is an account you use daily for mail, so on the one hand you can authenticate the devices you use regularly, and on the other it's not hard to remember a login and password you use this frequently. Additionally, these accounts come with other forms of protection, such as notifying you if someone is trying to access your mail from another device. Single Sign-On is clearly a lot safer, so why do we still allow a normal account login that sends a password to your mailbox? If we didn't, we might scare off potential customers just because they use another mail provider. How do we maximize security without scaring off potential customers?

Security levels

We allow admins to choose between two levels of security which, once applied, become active on all self-services. Depending on which is enabled, the options you have to log in will change and different kinds of security measures take effect. The default security setting means employees are able to use every method of login. Turning on High-security mode disables all methods of logging in except Single Sign-On with your Google or Office 365 account. With Single Sign-On, companies can take security to an even higher level and enable multi-factor authentication for their employees' Google or Office 365 accounts.
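To show where a company-wide security level has to be enforced, here is an added example (not Officient's code) of a login entry point that consults the setting before any credential is checked. The method names (`password`, `google_sso`, `office365_sso`), the level names and the settings store are assumptions modelled on the post. The point of the design is that both the login page's options and the server's refusal come from the same policy table, so the UI can never offer a method the back end would reject, and posting directly to the endpoint with a disabled method fails just the same.

```javascript
'use strict';

// Assumed login methods for this example.
const LOGIN_METHODS = ['password', 'google_sso', 'office365_sso'];

// Which methods each security level permits. 'default' allows every method;
// 'high' allows only single sign-on, so the self-service never issues or
// accepts a password of its own.
const ALLOWED_BY_LEVEL = {
  default: new Set(LOGIN_METHODS),
  high: new Set(['google_sso', 'office365_sso']),
};

// Assumed settings store: companyId -> { securityLevel }. The level is set once
// per company and applies to every self-service of that company.
const companySettings = new Map();

function setSecurityLevel(companyId, level) {
  if (!(level in ALLOWED_BY_LEVEL)) throw new Error(`unknown security level: ${level}`);
  companySettings.set(companyId, { securityLevel: level });
}

function securityLevel(companyId) {
  const s = companySettings.get(companyId);
  return s ? s.securityLevel : 'default';
}

function isMethodAllowed(companyId, method) {
  return ALLOWED_BY_LEVEL[securityLevel(companyId)].has(method);
}

// Methods to render on the login page for a company, derived from the same
// policy table the server enforces so the two cannot drift apart.
function loginOptions(companyId) {
  return LOGIN_METHODS.filter((m) => isMethodAllowed(companyId, m));
}

// Login handler: refuse a disabled method before touching any credential.
// `verifyCredential` stands in for the real password check or SSO token
// validation and returns true on success.
function handleLogin(companyId, method, verifyCredential) {
  if (!LOGIN_METHODS.includes(method)) return { ok: false, reason: 'unknown_method' };
  if (!isMethodAllowed(companyId, method)) return { ok: false, reason: 'method_disabled_by_policy' };
  return verifyCredential() ? { ok: true, method } : { ok: false, reason: 'bad_credential' };
}
```

Checking the policy first also means a password submitted to a High-security company is never compared, logged or rate-limited as a login attempt; it is simply not a valid way in.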
