Xoxoday Plum supports two-factor authentication (2FA) during the reward redemption process, delivering one-time verification codes via SMS or email to the registered primary or secondary account holder.
Security is a top priority when managing employee rewards and incentives at scale. Xoxoday Plum supports two-factor authentication (2FA) as a configurable verification layer within the reward redemption flow, helping organisations meet security and compliance requirements without disrupting the experience for legitimate users.

How 2FA Works During Redemption

When 2FA is enabled, the redemption flow triggers a one-time verification code sent directly to the registered mobile number or email address of the account holder. The recipient must enter that code before the redemption is confirmed and processed. This verification step applies to both primary and secondary account holders configured within your organisation’s Xoxoday Plum instance. Administrators control 2FA preferences through the platform’s security settings, selecting SMS or email delivery based on your organisation’s communication and compliance policies. No changes are required on the end user’s device — the code arrives through the channel already registered to the account.

Meeting Compliance and Governance Requirements

For organisations operating under frameworks such as ISO 27001 or SOC 2 Type II, 2FA is frequently a mandatory control for workflows involving financial or incentive transactions. Xoxoday Plum’s built-in 2FA support gives security and IT teams a verifiable, auditable authentication event at the point of redemption — a clear control point for internal audits and external assessments. Teams integrating Xoxoday Plum with HR platforms like Workday, SAP SuccessFactors, or Darwinbox can align redemption authentication with their broader identity and access management policies, maintaining a consistent security posture across the employee lifecycle.

A Practical Use Case

Consider an organisation running a quarterly sales incentive programme. When a sales representative initiates a high-value reward redemption with 2FA enabled, that action must be explicitly confirmed by the registered account holder — reducing exposure to unauthorised redemptions or account misuse. The verification code arrives in real time via the preferred channel, and the session proceeds only after the code is validated successfully. This control is especially valuable in programmes with high-value reward catalogues or those accessible to distributed, remote teams across multiple geographies, where the risk profile for account-level actions is elevated.

Primary and Secondary Account Holders

Xoxoday Plum’s 2FA configuration covers both primary and secondary account holders. Organisations can extend secure redemption verification to delegated users without compromising oversight. Each redemption event remains traceable to a confirmed, authenticated account action — supporting both security posture and internal accountability requirements.

Learn more: Xoxoday Plum Help Centre — Authentication

Single Sign-On (SSO) Configuration

Learn how Xoxoday Plum supports SSO via SAML 2.0 and OIDC for centralised identity management across your organisation.

Data Security and Compliance Standards

Understand how Xoxoday Plum maintains ISO 27001 and SOC 2 Type II compliance to protect reward and employee data.