Multi-Factor Authentication (MFA)

As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) will now be required for users with any of these roles in the NCEdCloud IAM Service.  NCDPI implemented MFA for these privileged users statewide, as of 2019. More information can be found on the NCEdCloud MFA webpage.

Each 6-digit code generated by any of the authentication applications is good for 30 seconds from the time it is first displayed.  Most apps have a timer that shows you how long you have until the code “expires”.  If you only have a few seconds left, it is best to wait for a new code to be generated so you have time to enter it into the NCEdCloud OTP login screen.  This 30-second limit only applies to the time the code will be visible in the authenticator application.  Once it is entered into the NCEdCloud Login screen, you are fully authenticated using MFA and have access to the IAM Service and all applications.

The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device.  Therefore, when you login the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup Page, the QR Code and the AlphaNumeric Code below it are what links the NCEdCloud MFA to the 6-digit code presented by your authentication application (Google Authenticator, RapidIdentity, GAuth, etc.).  The QR code and the AlphaNumeric Code are "identical", as far as providing the same information to authentication apps - as long as they're taken from the same OTP Setup page.  Therefore, you can use the same authentication app on your phone to login to your iPad or your Windows machine.

If you're using a Desktop or Browser authenticator app and have it installed on more than one device, that will work.  However, you'll need to enter the same alphanumeric code you got from the original OTP Setup Page into each instance (write it down or take a picture with your phone).  However, if you're using more than one device it's going to be easier to install the app on your phone and have just one place to go for your 6-digit code.

As of November 2019, any PSU employee with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, or School Student Help Desk), will be required to use MFA and enter a One-Time Password (OTP) with each login to the NCEdCloud RapidIdentity portal.

In addition, with the increase in phishing scams and the rising cost of cybersecurity insurance, many PSUs are choosing to require MFA for a select group of employees that handle privileged data (Finance, HR, student data, etc.), and in some cases for ALL employees who access online resources.

The "One-Time" in One-Time Password (OTP) refers to the number of times you can use a specific 6-digit passcode to login (one time), not something you only enter once.  A new valid password is generated for your account every 30 seconds so that someone can't look over your shoulder and see your 6-digit code, or a "hacker" can't capture what you enter and try to reuse it at a later time.  It's purpose is to add a "second factor" in addition to your account password, to make your login more secure.  It is usually only implemented for user accounts that have access to data of multiple users, or higher risk data/information - like employee and student data in the case of NCEdCloud.

It depends.  There are multiple ways of obtaining the 6-digit code that must be entered when you login to NCEdCloud (if you have one of the privileged roles).  See the NCEdCloud MFA page for details on the different authenticator applications.

While you can install the Chrome extension "GAuth Authenticator" or another desktop or browser app, these tools must be installed on each device you use to access the NCEdCloud IAM Service.  I

f you use multiple devices to log into the NCEdCloud and you keep your phone with you during the day, it is much easier to install a mobile app on your phone and use it no matter what device you log into.  The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code.  Therefore, if you scan the QR code on the OTP Setup screen the first time you login (or after an OTP Reset), there is no charge to your account or any data usage when you use the authentication app.

It depends on the authenticator app you choose.  Both the Google Authenticator and RapidIdentity apps that run on your mobile device use a time-based one-time password (TOTP) algorithm to provide a valid 6-digit code (it is not texted to your phone). So while the application RUNS on your phone, you are not sharing the number with anyone, nor being changed any fees.  However, other authentication vendors may required you to enter your phone number when registering for the application.

GAuth Authenticator is a Chrome browser extension.  If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP.  GAuth does not require the use of a mobile phone/device or entering your phone number.  More information on GAuth can be found on the NCEdCloud MFA page at /multi-factor-authentication-mfa, or under the MFA topic in the Opt-In Features Menu at the top of the page.

The short answer is once per day.  Your OTP (6-digit code) is part of the login process to NCEdCloud, so if you typically login to NCEdCloud more than once during the day (you use different computers, tablets, etc. or logoff and close your browser during the day), you will need to enter your OTP on the 3rd screen of the login.  If you use the same machine throughout the day, then you’ll only login (and enter your OTP) once.