These are the two main authentication methods dealt with in Workday.
Username/Password and SAML/SSO.
Workday's SMS messages for MFA are now sent through which third-party service? A. An email-to-SMS gateway B. DUO C. Twilio D. Google Authenticator
(C) Twilio.
"Large majority" of the authentication cases are related to which common user issue? A. SSO errors B. Password resets C. Browser cookie issues D. Mobile PIN lockouts
(B) Password resets.
An administrator would use this task to view a history of both successful and failed logins.
'Signons and Attempted Signons'.
This authentication method, a form of single sign-on, is currently only supported for Google: A. OAuth B. SAML C. Delegated Authentication D. OpenID Connect
(D) OpenID Connect.
Which of the following MFA methods is in the process of deprecation? A. DUO MFA B. One-Time Passcode SMS C. Challenge Questions D. Authenticator App
(C) Challenge Questions.
Issues with third-party authenticator apps not working are usually due to this.
Timing issues (the app or device time is out of sync).
An admin would configure session timeout settings in addition to password rules in this task: A. Edit Tenant Setup - Security B. Manage Authentication Policy C. Mass User Maintenance D. Maintain Password Rules
(D) 'Maintain Password Rules'.
This authentication method is in the process of being deprecated and its issues are typically external to Workday.
Delegated Authentication.
The only technical requirement for a third-party authenticator app to be compatible with Workday is that it supports this protocol.
The Timed One Time Passcode (TOTP) protocol.
Before the switch to Twilio, delays with SMS OTP were commonly due to this action from mobile carriers like AT&T and T-Mobile.
Throttling messages from the email-to-SMS gateway.
The 'Trusted Devices' feature relies on what being stored in a user's browser to remember their choice and stop notifications? A. A session token B. A digital certificate C. A browser extension D. A cookie
(D) A cookie.
If a user's primary authentication is SSO, what must they do first before they can set up Mobile PIN or Biometric? A. Install a third-party app B. Log in using their SAML provider C. Reset their native password D. Contact their IT department
(B) Log in using their SAML provider.
While the Auth team can review logs for DUO MFA, many issues require the user to take this action.
Reach out to their vendor (DUO).
Which specific task should an administrator use for decoding SAML messages? A. Validate SAML Response B. Signons and Attempted Signons C. Maintain IP Ranges D. Edit Tenant Setup - Security
(A) 'Validate SAML Response'.
For Sev 1 or 2 issues, you should post in #authsec-public and also tag this group in this specific Slack channel.
@authsec-on-call and/or post in #omssec-on-duty.
This is the only method that supports a Yubikey, though not yet for mobile devices.
Passwordless Authentication.
If a customer sets up MFA through their SSO provider, this is where that configuration takes place.
Completely outside of Workday.
If a user receives a trusted device email notification where the tenant is from 'workday', the case should be routed here because it is this type of email.
Customer Care.
Tenant refreshes from an SSO-enabled tenant to a non-SSO tenant can cause login issues because this is also copied as part of the refresh.
Native passwords.