We use a 3rd-party SaaS provider for our HR system, and as part of the application there is a so-called self-service module which allows employees to log in to the system and view their payslips, which expose personal and sensitive information. Access can be achieved from any location, e.g. any Internet connection, with no restrictions specific to the company's network etc. At present access is based on single-factor authentication (basic username & password) and a review of the costs associated with making the system require 2-factor authentication for access is beyond current budget. Are there any compensating controls/security techniques you can think of that minimise the need for 2-factor authentication for such a system that we can look at which may be more practical with budgets in mind? At present I am not sure what technology stack the application is based upon, if that has any relevance, but that is perhaps something we can review.