Multi-Factor Authentication (MFA)

Multi-factor Authentication (MFA) is used to provide additional security to user accounts. This higher level of security can be required for various reasons, including access to PII (Personally Identifiable Information) of students and/or employees, financial or HR data, or administrator or technical support accounts.

MFA in the NCEdCloud IAM Service requires a user to enter a 6-digit code in addition to their username and password, when logging into the NCEdCloud IAM Service.  This code is generated from an authentication application that you download to your mobile device, or run on your computer.

There are three ways MFA is implemented for users in the NCEdCloud IAM Service:

  1. MFA is implemented for all users with a privileged role, such as LEA Administrator, LEA Data Auditor, or one of the Help Desk roles.
  2. PSUs can “opt-in” to having MFA turned on for ALL of their staff, to not only secure their accounts, but to reduce the cost of cybersecurity insurance in some cases.
  3. PSUs can also require MFA for a subset of their staff (e.g. HR and Finance employees, administrative staff with access to user records, etc.), by uploading a file of their UIDs.

MFA for Users with Privileged Roles in the NCEdCloud IAM Service

Because staff with privileged roles in NCEdCloud have access to student and employee data and to other users' accounts, NCDPI requires Multi-Factor Authentication (MFA) when they log in. This means entering a Time-based One-Time Password (TOTP) with every login to NCEdCloud. More information on Privileged Roles is available on the Privileged Roles page.

Requesting MFA for ALL Staff in your PSU

If your PSU would like to implement MFA for ALL of your employee accounts in the NCEdCloud IAM Service, you can submit an MFA Opt-In form. You can optionally request a date to turn on MFA for your PSU when you submit the form. Note, you must have the NCEdCloud LEA Administrator role to submit this request.

Requiring MFA for Specific Employees

As mentioned above, you can require selected staff in your PSU to enter a second factor (in addition to their password) when they log into their NCEdCloud account. This is accomplished by uploading a file of their UIDs (State Employee number) in a .txt file, by submitting a request for the “LEA Enforce MFA” Entitlement in the Requests module when you’re logged into the NCEdCloud RapidIdentity portal. More information on this process can be found in the document: "How to Request Multi-Factor Authentication (MFA) for Select Employees"

FAQs


As a part of continuing efforts to enhance the security posture of statewide IT systems, and due to the access users with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, and School Student Help Desk) have to student and employee data, Multi-Factor Authentication (MFA) is required for users with any of these roles in the NCEdCloud IAM Service. NCDPI implemented MFA for these privileged users statewide in 2019. More information can be found on the NCEdCloud MFA webpage.


Each 6-digit code generated by any of the authentication applications is good for 30 seconds from the time it is first displayed.  Most apps have a timer that shows you how long you have until the code “expires”.  If you only have a few seconds left, it is best to wait for a new code to be generated so you have time to enter it into the NCEdCloud OTP login screen.  This 30-second limit only applies to the time the code will be visible in the authenticator application.  Once it is entered into the NCEdCloud Login screen, you are fully authenticated using MFA and have access to the IAM Service and all applications.


The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device.  Therefore, when you login the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup Page, the QR Code and the AlphaNumeric Code below it are what links the NCEdCloud MFA to the 6-digit code presented by your authentication application (Google Authenticator, RapidIdentity, GAuth, etc.).  The QR code and the AlphaNumeric Code carry the same secret, so they give an authentication app identical information - as long as they're taken from the same OTP Setup page.  Any app enrolled from either one will generate the same 6-digit codes, which is why you can use the one authentication app on your phone to login from your iPad or your Windows machine.

If you're using a Desktop or Browser authenticator app and have it installed on more than one device, that will work.  However, you'll need to enter the same alphanumeric code you got from the original OTP Setup Page into each instance (write it down or take a picture with your phone).  If you use several devices, it's easier to install the app on your phone and have just one place to go for your 6-digit code.


As of November 2019, any PSU employee with NCEdCloud privileged roles (LEA Administrator, LEA Data Auditor, LEA Help Desk, LEA Student Help Desk, School Help Desk, or School Student Help Desk), will be required to use MFA and enter a One-Time Password (OTP) with each login to the NCEdCloud RapidIdentity portal.

In addition, with the increase in phishing scams and the rising cost of cybersecurity insurance, many PSUs are choosing to require MFA for a select group of employees that handle privileged data (Finance, HR, student data, etc.), and in some cases for ALL employees who access online resources.

The "One-Time" in One-Time Password (OTP) refers to the number of times you can use a specific 6-digit passcode to login (one time), not something you only enter once.  A new valid password is generated for your account every 30 seconds, so a code someone saw over your shoulder, or that a "hacker" captured as you typed it, cannot be reused later.  Its purpose is to add a "second factor" in addition to your account password, to make your login more secure.  It is usually only implemented for user accounts that have access to data of multiple users, or higher risk data/information - like employee and student data in the case of NCEdCloud.


It depends.  There are multiple ways of obtaining the 6-digit code that must be entered when you login to NCEdCloud (if you have one of the privileged roles).  See the NCEdCloud MFA page for details on the different authenticator applications.

While you can install the Chrome extension "GAuth Authenticator" or another desktop or browser app, these tools must be installed on each device you use to access the NCEdCloud IAM Service.

If you use multiple devices to log into NCEdCloud and you keep your phone with you during the day, it is much easier to install a mobile app on your phone and use it no matter what device you log into.  The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code.  Therefore, if you scan the QR code on the OTP Setup screen the first time you login (or after an OTP Reset), there is no charge to your account or any data usage when you use the authentication app.


It depends on the authenticator app you choose.  Both the Google Authenticator and RapidIdentity apps that run on your mobile device use a time-based one-time password (TOTP) algorithm to compute a valid 6-digit code locally from the secret you enrolled (it is not texted to your phone). So while the application RUNS on your phone, you are not sharing your phone number with anyone, nor being charged any fees.  However, other authentication vendors may require you to enter your phone number when registering for the application.
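The statements above (the QR code and the alphanumeric code carry the same secret; a code changes every 30 seconds and is valid once; the app computes the code offline with TOTP) all follow from RFC 6238. The following is an added illustration, not NCEdCloud or RapidIdentity code: it implements TOTP in pure Python, extracts the secret from a constructed otpauth:// URI of the kind a setup QR code encodes, shows that two "devices" enrolled from the URI and from the bare alphanumeric secret produce the same code, and includes a server-side check that accepts a small clock-skew window while refusing to accept the same code twice. The secret, URI and account name are constructed for the example.

```python
# Added example (not NCEdCloud/RapidIdentity code): RFC 6238 TOTP and a
# server-side verifier that enforces the "one-time" property.
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample secret, standing in for the alphanumeric code shown
# on an OTP Setup page. Real secrets must never be hard-coded.
SAMPLE_SECRET_B32 = "JBSWY3DPEHPK3PXP"
# Constructed otpauth:// URI of the kind a setup QR code encodes.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/NCEdCloud:jdoe?secret=" + SAMPLE_SECRET_B32
    + "&issuer=NCEdCloud&algorithm=SHA1&digits=6&period=30"
)


def secret_from_otpauth_uri(uri: str) -> str:
    """Return the base32 secret carried by an otpauth://totp/ URI (the QR payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter = Unix time // period.
    Every device holding the same secret and the same clock gets the same code."""
    return hotp(secret_b32, int(at_time) // period, digits)


class TotpVerifier:
    """Server-side check. Accepts codes from the current step plus `window`
    steps either side (clock skew), but never accepts a step at or before the
    last step that was used successfully, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, period: int = 30, window: int = 1):
        self.secret = secret_b32
        self.period = period
        self.window = window
        self.last_counter = -1  # highest step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // self.period
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_counter:
                continue  # already used: this is the "one-time" rule
            # Constant-time comparison avoids leaking matching digits via timing.
            if hmac.compare_digest(hotp(self.secret, step, 6), code):
                self.last_counter = step
                return True
        return False


if __name__ == "__main__":
    t = 1_700_000_000
    phone = totp(secret_from_otpauth_uri(SAMPLE_OTPAUTH_URI), t)  # enrolled by QR
    desktop = totp(SAMPLE_SECRET_B32, t)  # enrolled by typing the alphanumeric code
    print("same code on both devices:", phone == desktop, phone)
    server = TotpVerifier(SAMPLE_SECRET_B32)
    print("first use accepted:", server.verify(phone, t))
    print("replay rejected:   ", server.verify(phone, t + 5))
```

The `TotpVerifier` keeps only the last accepted step, which is all that is needed to enforce single use; the one-step window is the usual allowance for a phone clock a few seconds off, and it is why a code entered with only a second or two showing usually still works, though waiting for the next code, as the FAQ advises, avoids relying on it.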


GAuth Authenticator is a Chrome browser extension.  If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP.  GAuth does not require the use of a mobile phone/device or entering your phone number.  More information on GAuth can be found on the NCEdCloud MFA page at /multi-factor-authentication-mfa, or under the MFA topic in the Opt-In Features Menu at the top of the page.

The short answer is once per day.  Your OTP (6-digit code) is part of the login process to NCEdCloud, so if you typically login to NCEdCloud more than once during the day (you use different computers, tablets, etc. or logoff and close your browser during the day), you will need to enter your OTP on the 3rd screen of the login.  If you use the same machine throughout the day, then you’ll only login (and enter your OTP) once.

Instructions for Authentication Apps

Users required to use MFA to access NCEdCloud should prepare for setting up their One-Time Password by downloading an authentication application to either their mobile device or their browser (Chrome). Decide which application you will be using (e.g. Google Authenticator, RapidIdentity, GAuth Authenticator) and select the appropriate instructions from below. Links to the applications are included in each set of instructions.

Authy App Unsupported

The Authy Desktop application is no longer supported by the NCEdCloud IAM Service as of March 19th, 2024, the date Twilio ended support for it and shut it down. Users required to use MFA will need to migrate to a different authenticator application in order to log into NCEdCloud. An LEA Administrator or Help Desk user within your PSU must reset the TOTP in the People module. This will allow the users to set up their new authenticator application of choice.


The NCEdCloud team recommends that current Authy Desktop users migrate to an authenticator application on a mobile device if possible. Authenticator apps take a very small amount of space and do not require a data connection or cellular service to generate codes. Using a mobile device enhances security by separation and makes it easier for users to log in across multiple devices.

Full announcement from NCDPI with links to Authenticator applications