Multi-Factor Authentication (MFA)

Multi-factor Authentication (MFA) is used to provide additional security to user accounts. This higher level of security can be required for various reasons, including access to PII (Personally Identifiable Information) of students and/or employees, financial or HR data, or administrator or technical support accounts.

MFA in the NCEdCloud IAM Service requires a user to enter a 6-digit code in addition to their username and password, when logging into the NCEdCloud IAM Service.  This code is generated from an authentication application that you download to your mobile device, or run on your computer.

There are three ways MFA is implemented for users in the NCEdCloud IAM Service:

  1. MFA is implemented for all users with a privileged role, such as LEA Administrator, LEA Data Auditor, or one of the Help Desk roles.
  2. PSUs can “opt-in” to having MFA turned on for ALL of their staff, to not only secure their accounts, but to reduce the cost of cybersecurity insurance in some cases.
  3. PSUs can also require MFA for a subset of their staff (e.g. HR and Finance employees, administrative staff with access to user records, etc.), by uploading a file of their UIDs.

MFA for Users with Privileged Roles in the NCEdCloud IAM Service

Due to the access staff with privileged roles in NCEdCloud have, to student and employee data and their accounts, NCDPI is requiring Multi-Factor Authentication (MFA) when logging in. This requires the use of a Time-based, One Time Password  (OTP) with every login to NCEdCloud. More information on Privileged Roles is available on the Privileged Roles page.

Requesting MFA for ALL Staff in your PSU

If your PSU would like to implement MFA for ALL of your employee accounts in the NCEdCloud IAM Service, you can submit an MFA Opt-In form You can optionally request a date to turn on MFA for your PSU when you submit the form. Note, you must have the NCEdCloud LEA Administrator role to submit this request.

Requiring MFA for Specific Employees

As mentioned above, you can require selected staff in your PSU to enter a second factor (in addition to their password) when they log into their NCEdCloud account. This is accomplished by uploading a file of their UIDs (State Employee number) in a .txt file, by submitting a request for the “LEA Enforce MFA” Entitlement in the Requests module when you’re logged into the NCEdCloud RapidIdentity portal. More information on this process can be found in the document: "How to Request Multi-Factor Authentication (MFA) for Select Employees"



As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA AdministratorLEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) will now be required for users with any of these roles in the NCEdCloud IAM Service.  NCDPI implemented MFA for these privileged users statewide, as of 2019. More information can be found on the NCEdCloud MFA webpage.


Each 6-digit code generated by any of the authentication applications is good for 30 seconds from the time it is first displayed.  Most apps have a timer that shows you how long you have until the code “expires”.  If you only have a few seconds left, it is best to wait for a new code to be generated so you have time to enter it into the NCEdCloud OTP login screen.  This 30-second limit only applies to the time the code will be visible in the authenticator application.  Once it is entered into the NCEdCloud Login screen, you are fully authenticated using MFA and have access to the IAM Service and all applications.



The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device.  Therefore, when you login the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup Page, the QR Code and the AlphaNumeric Code below it are what links the NCEdCloud MFA to the 6-digit code presented by your authentication application (Google Authenticator, RapidIdentity, Authy Desktop).  The QR code and the AlphaNumeric Code are "identical", as far as providing the same information to authentication apps - as long as they're taken from the same OTP Setup page.  Therefore, you can use the same authentication app on your phone to login to your iPad or your Windows machine.

If you're using Authy and have it installed on more than one device, that will work.  But you'll need to enter the same alphanumeric code you got from the original OTP Setup Page into each instance (write it down or take a picture with your phone).  However, if you're using more than one device it's going to be easier to install the app on your phone and have just one place to go for your 6-digit code.


As of November 2019, any PSU employee with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, or School Student Help Desk), will be required to use MFA and enter a One-Time Password (OTP) with each login to the NCEdCloud RapidIdentity portal.

In addition, with the increase in phishing scams and the rising cost of cybersecurity insurance, many PSUs are choosing to require MFA for a select group of employees that handle privileged data (Finance, HR, student data, etc.), and in some cases for ALL employees who access online resources.

The "One-Time" in One-Time Password (OTP) refers to the number of times you can use a specific 6-digit passcode to login (one time), not something you only enter once.  A new valid password is generated for your account every 30 seconds so that someone can't look over your shoulder and see your 6-digit code, or a "hacker" can't capture what you enter and try to reuse it at a later time.  It's purpose is to add a "second factor" in addition to your account password, to make your login more secure.  It is usually only implemented for user accounts that have access to data of multiple users, or higher risk data/information - like employee and student data in the case of NCEdCloud.

It you get an error when trying to setup your Authy app, it is likely because you are being blocked from accessing the site to register your installation.  You should contact your local Technology Support staff to see about having the site "whitelisted" in your content-filtering service (Zscaler or another application).


It depends.  There are multiple ways of obtaining the 6-digit code that must be entered when you login to NCEdCloud (if you have one of the privileged roles).  See the NCEdCloud MFA page for details on the different authenticator applications.

While you can install the Authy application on your desktop, or use the Chrome extention "GAuth Authenticator", these must be installed on each device you use to access the NCEdCloud IAM Service.  If you use multiple devices to login to NCEdCloud and you keep your phone with you during the day, it is much easier to install a mobile app on your phone and use it no matter what device you use.  The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code.  Therefore, if you scan the QR code on the OTP Setup screen the first time you login (or after an OTP Reset), there is no charge to your account or any data usage when you use the authentication app.



It depends on the authenticator app you choose.  Both the Google Authenticator and RapidIdentity apps that run on your mobile device use a time-based one-time password (TOTP) algorithm to provide a valid 6-digit code (it is not texted to your phone), so while the application RUNS on your phone, you are not sharing the number with anyone nor being changed any fees.  However, Authy (one of the alternate authentication apps that runs on your desktop), requires that you enter your cell number when installing and registering the application with the vendor.


The Authy Desktop authenticator is available for both Windows and macOS, and there is a Chrome extention available to install it on Chromebooks.  There is also a mobile app version available (like Google Authenticator and RapidIdentity), that runs on Android and iOS.

GAuth Authenticator is a Chrome browser extension.  If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP.  GAuth does not require the use of a mobile phone or entering your phone number (like Authy).  More information on GAuth can be found on the NCEdCloud MFA page at

The short answer is once per day.  Your OTP (6-digit code) is part of the login process to NCEdCloud, so if you typically login to NCEdCloud more than once during the day (you use different computers, tablets, etc. or logoff and close your browser during the day), you will need to enter your OTP on the 3rd screen of the login.  If you use the same machine throughout the day, then you’ll only login (and enter your OTP) once.

Instructions for Authentication Apps

Users required to use MFA to access NCEdCloud should prepare for setting up your One-Time Password by downloading an authentication application to either your mobile device, computer, or browser (Chrome). Decide which application you will be using (e.g. Google Authenticator, RapidIdentity, Authy Desktop, GAuth Authenticator) and select the appropriate instructions from below. Links to the applications are included in each set of instructions.