How to Keep Your Account Safe
Your account has access to great deals of information. Whether it is only your personal information, or all employees, it is critical to have controls protecting this access.
Keeping your username and passwords, your credentials, confidential is the first line of defense significant control for protecting your online accounts.
- Use longer passwords with a mix of letters, numbers and special characters that is not guessable. Passwords should not be basic like your child’s name, pet’s name, or company name, or even like words found in the dictionary.
- Do not reuse your Paycor password for accounts across multiple services: With data breaches divulging hundreds of millions of passwords across a multitude of websites, account compromises are frequently triggered by password reuse. Particularly critical is ensuring substantially different password on your email and Paycor email accounts. As an example, two very prominent CEOs have had their social media accounts compromised due to password reuse and past password leaks.
- Do not share your password with anyone: This includes your co-workers, your CPA, or even us. If you are aware or think your password may have been noticed by someone, please change it.
- Watch out for phishing attacks or fake login sites: Emails containing links to a fake login screen are a possible means for stolen credentials.
Paycor’s systems allow passwords up to 120 characters long and require passwords to be changed at least annually.
Multifactor Authentication is the best answer to combatting compromised credentials. Multifactor authentication (MFA) is a method for user identification that requires more than one method of authentication from something the person knows (password), something the person has (security token), or something the person is (biometrics). As an example: when you swipe a debit card your bank will also require a PIN. This is an example of a transaction protected by a second factor. You have your debit card, and know your PIN. If someone steals your debit card, they shouldn’t know your PIN. If someone else watches you type in your PIN, they should not have your debit card.
The most common implementation of this is a two-step authentication requiring the user to know a temporary code sent via text message, phone call, or email message. By knowing this one-time password (OTP), you prove you have access to the email or phone. For a user to get into your account, they had to have access to your machine, your email/phone, and your username and password.
Our implementation will also allow you to remember your device for up to 90 days to prevent being prompted each sign-in from a known device. If you would like to be prompted each time, you can uncheck this value.
Because the code is sent via email or phone, it is important to protect access to these devices. If you lose control of these devices, a malicious user could use them to authenticate as you. We strongly recommend enabling MFA (or more precisely) two-step authentication on the email accounts you use with Paycor.com. Emails are used for account recovery and password reset flows. If a malicious user has access to your email, they could potentially initiate a password reset and gain access to your account that way.
Paycor requires two-step authentication for all user accounts that have administrator-level access. Clients may request this to be enabled for their employees.