If Finch prompts you to authenticate using administrator credentials, a new third-party admin or accountant user may be added in your HRIS/payroll system. This helps Finch extend the life of the connection and reduce the need for re-authentication.
If a third-party admin or accountant user is needed, you will be notified on the provider login screen below the username and password fields. If the user is removed, Finch will be disconnected.
Why does Finch create this user?
Finch creates a third-party admin or accountant user for increased reliability and auditability.
Reliability
When using admin credentials to authenticate, Finch is subject to session time-outs and other security mechanisms that can limit the longevity of a connection. For example, some systems routinely request two-factor authentication (2FA), which requires you to re-authenticate more frequently. This can be frustrating for users.
Instead, Finch temporarily uses the provided credentials to make a separate third-party admin or accountant user. Finch is then able to manage the connection and any re-auth requirements through this user independently.
Auditability
By provisioning an account solely for third-party use, any activity within the HRIS/payroll system is auditable and trackable to that specific user. This is especially helpful if/when applications use Finch to create and modify contributions and deductions in a payroll system.
What is the difference between a third-party admin and an accountant user?
It’s common for HRIS and payroll systems to have a special admin user type for third parties, such as an accountant. These users generally need permission to access data or actions that are not available to a standard user (e.g., SSNs, payroll history). For the purposes of Finch, accountant users are simply an example of a third-party admin.
If Finch requires you to set up a third-party admin user, we will specify what that user is called in your HRIS or payroll system in Finch Connect.
Will I be charged extra for this user?
If your HRIS or payroll system charges by seat, you may be charged for the addition of this user. If you have purchased a package with a set number of seats, this additional user could bump you into a new pricing tier.
If you are in this situation, reach out to the application requesting access to your HRIS or payroll system. They may be able to use a different authentication method.
What happens if I downgrade or delete this user?
Finch will set up third-party admin or accountant users with the permissions required for the data being requested. If this user is downgraded or deleted, Finch will no longer be able to access this data, and the connection will be broken.
An administrator with the ability to create third-party admin or accountant users will need to re-authenticate for the connection to be restored.
What are the security control implications for user-based authentication?
Finch aims to provide the best experience for our customers and end-users in terms of data utility. User-based authentication is an important feature for two key reasons:
- In many cases, API-based authentication either doesn't exist or is restricted in a way that limits its usefulness to Finch customers. In these situations, user-based authentication is the only option.
- User-based authentication methods may provide access to richer data sets, allowing our customers to offer more robust integrations that provide more value to end-users.
When using a sufficiently strong password, authentication by username and password is generally considered to be as secure as an API key. The key difference between user-based access and API-based access is the mode of interaction, rather than the security footing.
When authenticating with a username and password, Finch gains temporary access to an administrator profile for the sole purpose of creating a new, separate user. This user account can then be managed and revoked by the original administrator at any time. This is fundamentally similar to providing programmatic access by API in terms of security control.