Best practices for logins for Temp workers.

At the organization that I work at we use Temp workers year round. Does anyone else use Temp workers and want to share some tips on how you address user logins with them?

Currently we have 4 Generic Users with individual passwords that all Temp workers share. These passwords are open for all Visitor Center staff to see. But all staff who are not Temp workers have their own login assigned to them. What are your experiences with Temp workers and shared emails and logins?

My main concern is that while Blackbaud Altru is rolling out the Multi-Factor Authentication process, how will we get that verification code? The Temps cannot use their phones, so then should a supervisor be required to use theirs? And what happens if the supervisor is not there? Anyone have any suggestions?

Comments

  • Hi @Lauren Hekelnkaemper,

    SHARED ACCOUNTS
    In general, I'm not a huge fan of using generic or shared accounts. And I'm wary about sharing passwords.

    I think about duties the users perform and how much system access they have. Is the person handling cash or credit cards (and entering payments into Altru)? Can they view sensitive constituent information? And can they create, modify, or delete constituent information? If a user could do any of those things, I would want them to have an individual login and their own password. This allows you to track the user's activity. It provides protection for your staff member so that no one else can log in as that user. And I think it helps the team member understand they are accountable for their activity and that they can be tracked (which can prevent bad behavior issues from occurring).

    You might be able to find some middle ground where you still have a semi-generic temp worker email and login (maybe: associate01, associate02, etc.). But then only that temp worker has access to that email while they are part of the team. You can reset the password and reassign the use of that email to a new staff member when a temp person leaves and another joins the team.

    MULTI-FACTOR AUTHENTICATION
    Regarding multi-factor authentication, that is tricky. We currently use Microsoft Single Sign-On for our Altru logins (so logging into Altru ties into the user signing into the computer). This does require infrequent two-factor authentication. That authentication either happens via an app on the user's phone or via a code sent in a text message. For this reason, we have allowed our guest services team members to have their mobile phones on them or around their workstations. This hasn't created an issue for us as all the rules still apply about not being on the phone (outside of the two-factor authentication activity).

    Perhaps you can adjust where the verification code gets sent. Can your work phone numbers receive text messages? And if so, can those SMS messages be accessed from an app on the staff member's computer (or whatever device they're using to log into Altru)? If so, perhaps you could have the text confirmation sent to a work number.

    I might reach out to your Customer Success Manager. They may know of some things other organizations are doing to address this challenge or they might be able to put you in touch with someone who can work through your options here.

    Chris

  • @Chris Nungesser Thank you so much for responding! I am going to talk to my supervisors and I will give an update when we decide what we are doing, just in case anyone else can benefit from this question. Thanks again.

  • @Lauren Hekelnkaemper Thanks for posting about this. We have the same problem. We need to use OData connections for our reporting, too, so SSO isn't a good alternative. If we figure out a solution, I'll also post. --Tracy

    From the MFA FAQ:

    Note: Single Sign-On connections cannot be used to authenticate API or OData connections from Altru. Blackbaud ID accounts enrolled in MFA have the ability to authenticate API and OData connections.

  • @Lydia Lingerfelt

    That is definitely an interesting solution. We have enough workstations here so that each staff member in a shift can have their own station and should rarely need to move workstations. So we do not have that issue.

    However, we seem to be handling the MFA situation similarly. It is not as much of an issue because of the 30-day allowance.

    There are no new updates on our end, other than trying to keep repeat temp workers on the same username to help better track.

    I wish we could get some more stories from other orgs that use temp workers.

  • @Lauren Hekelnkaemper
    We don't have temp workers but we do use shared logins at our admissions desk for reasons similar to what @Lydia Lingerfelt described. For MFA we are using the Authy desktop app installed on each admissions station. The app automatically generates a 6-digit code for each shared Altru login that is then entered at the MFA prompt. (We do have the browser remember each login for 30 days so our CSRs aren't having to constantly open the Authy app.)

    The app is a little bit finicky to set up but not too bad. You do have to link it to a phone number the first time you set it up but you can use a landline and it will call that number and “speak” a code to you that you enter into the app. Anyway, it might be worth exploring depending on how your current MFA setup is working for you.

  • @Bill Carey That is amazing! Thank you for sharing that app info with us!

  • @Lauren Hekelnkaemper
    You're very welcome!

  • @Bill Carey I have never heard of Authy. We are exploring using Google Voice/phone number right now, but I will keep that one in mind! Thanks
