Set Up Security
Employee Access Center offers several features to ensure the security of users' personal data and control access to the system. Following is a summary of EAC's security features:
Requiring users to answer security questions before they can reset their EAC passwords. This option, which only applies if your site does not use Active Directory user authentication, initiates a series of security procedures as outlined below in the section on security questions.
Masking Social Security numbers and direct deposit account numbers to hide this information from others.
Sending email notifications to employees and administrators to alert them when important personal data is changed in EAC.
This topic provides the steps for setting up these security measures.
Enable Security Questions to Reset Passwords
If your organization does not use Active Directory user authentication, users are required to answer security questions before being allowed to reset their EAC passwords. Users can select questions and enter answers when they access EAC either as a new employee or the first time they log in after this feature is enabled. They also can change their questions at any time while using EAC.
Choosing to use security questions in Step 3 of the following procedure has these effects:
The Social Security field is removed from the Forgotten Password page.
EAC administrators can delete a user's questions. This requires the user to enter a new set of questions and answers the next time they log in.
When a user clicks the Forgot your Password? link on EAC's Login page, an email with a time-sensitive link will be sent, allowing the user to reset their password if they successfully answer their security questions.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Login Setup category. For related information, refer to Login Setup.
Select Edit for option 2617 - Use Security Questions for Password Reset, and then select Yes to use security questions.
Select Save.
Set the Number of Security Question Attempts
If your organization elects to use security questions, you can set the number of attempts a user has to successfully answer their questions. If a user exceeds this number, the user is locked out and must contact their administrator for access.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Login Setup category. For related information, refer to Login Setup.
Select Edit for option 2618 - Security Question Attempts Allowed, and then enter a number from 2 to 10.
Select Save.
Send Notifications to EAC Users and Administrators on Personal Data Changes
When important employee data is changed in EAC, an email notification will be sent to the EAC user affected as well as to the EAC administrator. You can choose whether the notifications should be sent to personal email addresses, work email addresses, or both.
Notifications are triggered by the following actions in EAC:
Employee Demographic page data changes
Employee Tax Information page data changes
Employee Direct Deposit data additions and changes
Employee Dependent data additions and changes
Employee Beneficiary data additions and changes
Employee password resets by users or administrators
Forgot Password link is used
Send Notifications to EAC Users and Administrators
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Email Address Setup category. For related information, refer to Email Notification Setup.
Click Edit for option 2616 - Notify Employee on Update, and then select:
None - to prevent emails from being sent.
Personal Email Address - to send emails to personal addresses.
Work Email Address - to send emails to work addresses.
Both - to send emails to both types of addresses.
Click Save.
Mask Direct Deposit Account Numbers
Direct deposit account numbers can be completely masked in EAC pages.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Benefits Setup category. For related information, refer to Benefits Setup.
Click Edit for option 2614 - Mask Direct Deposit Account Number, and then select Yes to mask direct deposit account numbers.
Click Save.
Mask Social Security Numbers
Employees' Social Security numbers can be partially or completely masked in W2 and W2-C forms. Masking can also be applied to employee and dependent Social Security numbers in 1095 forms.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Other Setup category. For related information, refer to Other Setup.
Click Edit for option 2615 - SSN Masking Method on Forms, and then select:
Show Full Social Security Number - to prevent masking.
Mask Social Security Number Using XXX-XX-9999 Format - to mask all digits except the last four.
Mask Full Social Security Number - to mask all nine digits in XXX-XX-XXXX format.
Select Save.
Set the Number of Invalid Login Attempts and Auto-unlock Time
You can set the number of login attempts a user can make before the system locks the user out. As an additional security option, you can define the number of minutes a user must wait until the system will automatically unlock the user's account. These features are optional and can only be used if Active Directory is not enabled.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Login Setup category. For related information, refer to Login Setup.
To set the number of login attempts, click Edit for option 2619 - Invalid Login Attempts Allowed, and then enter a number from 0-99. By default the system will have 0 entered. A value of zero indicates the lockout feature is disabled and the user will have an unlimited number of login attempts.
Select Save.
If the number of login attempts is defined, you can additionally define the length of time before the system auto-unlocks the account and allows the user to log in without an administrator unlocking it. To set the auto-unlock time, click Edit for option 2620 - Invalid Login Attempts Auto-Unlock, and then enter a number from 0-1440. This value is in minutes. By default the system will have 0 entered. A value of 0 indicates there is no auto-unlock time and the administrator must always unlock accounts.
Select Save.
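The following added example (not EAC code) models how options 2619 and 2620 interact, including the meaning of 0 for each, so the effect of a chosen pair of values can be checked before saving. The class and function names are hypothetical, and two behaviors the topic does not specify are assumed: the account locks on the Nth consecutive failed attempt, and a successful login resets the failure count.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class LockoutPolicy:
    attempts_allowed: int = 0     # option 2619 (0-99); 0 = lockout disabled
    auto_unlock_minutes: int = 0  # option 2620 (0-1440); 0 = admin must unlock

    def __post_init__(self):
        if not 0 <= self.attempts_allowed <= 99:
            raise ValueError("option 2619 accepts 0-99")
        if not 0 <= self.auto_unlock_minutes <= 1440:
            raise ValueError("option 2620 accepts 0-1440")

class Account:
    def __init__(self, policy):
        self.policy, self.failures, self.locked_at = policy, 0, None

    def admin_unlock(self):
        self.failures, self.locked_at = 0, None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        wait = self.policy.auto_unlock_minutes
        if wait and now >= self.locked_at + timedelta(minutes=wait):
            self.admin_unlock()  # auto-unlock time has elapsed
            return False
        return True  # still locked; with wait == 0 only an administrator unlocks

    def login(self, password_ok, now):
        if self.is_locked(now):
            return "locked"
        if password_ok:
            self.failures = 0  # assumption: a success resets the counter
            return "ok"
        self.failures += 1
        limit = self.policy.attempts_allowed
        if limit and self.failures >= limit:  # assumption: lock on Nth failure
            self.locked_at = now
            return "locked"
        return "failed"

def simulate(policy, events):
    """events: constructed (minute_offset, password_ok) pairs; returns outcomes."""
    start = datetime(2024, 1, 1, 9, 0)  # constructed start time
    account = Account(policy)
    return [account.login(ok, start + timedelta(minutes=m)) for m, ok in events]
```

With both options left at their default of 0, simulate() never returns "locked", which makes the unlimited-attempts default visible.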
Set Number of Days to Expire a Password
You can set the number of days a password remains valid before the system forces the user to set a new password. This feature is optional and can only be used if Active Directory is not enabled.
From the Administration menu, select Profile.
In the Profile Maintenance page, select the Login Setup category. For related information, refer to Login Setup.
To set the number of days before a password expires, select Edit for option 2621 - Password Expires in Days, and then enter a number from 0-365. By default the system will have 0 entered. A value of zero indicates that passwords never expire.
Select Save.