Multi-factor authentication (MFA) is a security measure that enhances the protection of user accounts by requiring an additional verification step beyond the standard username and password. It is particularly important for accessing sensitive information such as Personally Identifiable Information (PII), financial or HR data, or administrative and technical support accounts.

The NCEdCloud IAM Service employs MFA to safeguard user accounts by requiring a 6-digit code generated via an authentication application. This code is entered in addition to the user’s credentials during login.

MFA Implementation Methods

  1. Privileged Roles:
    MFA is mandatory for users with privileged roles, including:
    • LEA Administrator
    • LEA Data Auditor
    • LEA Help Desk roles
  2. All Staff (Opt-In):
    Public School Units (PSUs) can request MFA for all their staff to secure accounts and potentially reduce cybersecurity insurance costs.
  3. Specific Employees:
    MFA can be enabled for selected employees handling sensitive data (e.g., HR or Finance). This requires submitting a .txt file with employee UIDs and requesting the “LEA Enforce MFA” Entitlement.

FAQs about MFA in NCEdCloud

Why is MFA required?
MFA is mandatory for users in privileged roles to enhance the security of statewide IT systems and protect access to sensitive student and employee data.

How long is the 6-digit code valid?
Each code is valid for 30 seconds. If the timer is nearly up, wait for the next code to ensure sufficient time to enter it.

Can I set up MFA on multiple devices?
Yes. During the initial OTP setup, the same QR code or alphanumeric key can be used across devices. Mobile apps are recommended for convenience and security.

Do I need a mobile phone for MFA?
While mobile apps are preferred for convenience, desktop solutions like the GAuth Authenticator Chrome extension are also supported.

What happens if I use Authy?
As of March 19, 2024, the Authy Desktop application is no longer supported. To complete the transition, users must migrate to another authenticator application and reset their TOTP.

Steps for Setting Up MFA

  1. Choose an Authenticator Application:
    • Mobile Apps: Google Authenticator, RapidIdentity
    • Browser Extensions: GAuth Authenticator for Chrome
  2. Follow Setup Instructions:
    Use the provided QR code or alphanumeric key on the OTP Setup page to configure your application.
  3. Logging In with MFA:
    Enter the 6-digit code from your authenticator app on the third login screen. The OTP is typically entered only once per day for frequent logins on the same device.

Key Points:

  • MFA is critical for accounts with access to sensitive data.
  • PSUs can customize MFA implementation based on their needs.
  • Users must transition from unsupported apps, like Authy, to a supported solution by March 2024.

For further details, visit the NCEdCloud FAQs page or consult your LEA Administrator.