Xoxoday Plum supports enforced Multi-Factor Authentication (MFA) for all users and privileged accounts, providing organisation-wide protection against unauthorised access.
MFA Enforcement on Xoxoday Plum
Xoxoday Plum enforces Multi-Factor Authentication (MFA) across all user accounts, including both standard users and privileged administrators. Every login attempt requires a second verification step beyond a username and password, significantly reducing the risk of credential-based breaches. MFA enforcement is not optional or user-discretionary on Xoxoday Plum — administrators can mandate it platform-wide from the admin console. This ensures that even if a user’s password is compromised, an attacker cannot access the platform without completing the second authentication factor.
Why MFA Matters for Privileged Accounts
Privileged accounts — such as platform administrators, finance approvers, and HR managers with access to bulk reward issuance — represent the highest-risk surface in any rewards and incentives system. A compromised admin account could lead to unauthorised spend, data exposure, or manipulation of reward budgets. Xoxoday Plum addresses this by requiring MFA specifically for privileged roles, not just standard users. For example, if your organisation uses Workday or SAP SuccessFactors to manage HR data that flows into Xoxoday Plum, the administrators managing that integration are subject to MFA enforcement. This creates a consistent security boundary across your HR and rewards tech stack.
Compliance and Security Standards
MFA enforcement on Xoxoday Plum aligns with the access control requirements outlined in ISO 27001 and SOC 2 Type II frameworks. Organisations undergoing security audits or vendor assessments can cite Xoxoday Plum’s MFA enforcement as a documented control satisfying multi-factor authentication requirements for third-party SaaS access. For IT and security teams managing a portfolio of enterprise tools — including collaboration platforms like Slack or Microsoft Teams — Xoxoday Plum fits into a broader zero-trust access model where every application enforces strong authentication independently.
How Administrators Enable MFA Enforcement
Xoxoday Plum administrators configure MFA enforcement through the platform’s security settings in the admin console. Once enabled, all users are prompted to enrol in MFA on their next login. Users who have not completed MFA enrolment are restricted from accessing Xoxoday Plum until setup is complete, eliminating any coverage gap during rollout. Xoxoday Plum supports standard MFA methods including authenticator apps such as Google Authenticator and Microsoft Authenticator, ensuring compatibility with your organisation’s existing device management and security policies.
Learn more: Xoxoday Plum Help Centre — General
Does Xoxoday Plum support Single Sign-On (SSO)?
Learn how Xoxoday Plum integrates with identity providers like Okta, Azure AD, and Google Workspace for centralised authentication management.
Is Xoxoday Plum SOC 2 Type II certified?
Understand how Xoxoday Plum’s security controls, certifications, and audit practices meet enterprise compliance requirements.