Multi-Factor Authentication (MFA)

An additional level of security can be provided to user accounts using multi-factor authentication (MFA) in the NCEdCloud RapidIdentity portal. This higher level of security can be required for a number of reasons, such as PII (Personally Identifiable Information) of students and/or employees, financial or HR information, administrator and technical support accounts, etc.

A user must enter a six-digit code, as well as their username and password, to log into the NCEdCloud IAM Service when using MFA. In order to generate this code, you need to download an authentication application and run it on your computer or mobile device.

Currently, the NCEdCloud IAM Service implements MFA in three ways:

  • Every user with a privileged role, such as LEA Administrator, LEA Data Auditor, or Help Desk administrator, is required to use MFA.
  • MFA can be turned on in some cases by public universities to reduce the cost of cyber insurance, in addition to securing their employees’ accounts.
  • PSUs may also upload a file of UIDs for a subset of staff members (e.g. HR and Finance employees, administrative staff with access to user records, etc.).

Support for Multi-Factor Authentication for Users with Privileged Roles in NCEdCloud IAM

NCDPI requires Multi-Factor Authentication (MFA) when logging in to NCEdCloud due to the access staff with privileged roles have to student and employee data, as well as their accounts. You must use a One-Time Password (OTP) whenever you log into NCEdCloud. More information about Privileged Roles can be found on the Privileged Roles page.

Requesting MFA for ALL PSU employees

It is possible for your PSU to request MFA for ALL employees’ accounts in the NCEdCloud IAM Service by completing the MFA Opt-In form. When submitting the form, you can also request a date for the implementation of MFA. The NCEdCloud LEA Administrator role is required to submit this request.

Employees requiring MFA

It is possible to require selected PSU staff to enter a second factor (besides their password) when they log in to their NCEdCloud account, as discussed above. While logged in to NCEdCloud RapidIdentity, submit a Requests request for the “LEA Enforce MFA” Entitlement and upload their UIDs (State Employee numbers) in a .txt file. For instructions, see “How to Request Multi-Factor Authentication (MFA) for Select Employees”.

Frequently Asked Questions

What is the purpose of NCEdCloud requiring MFA?

Since NCEdCloud privileged users (LEA Administrators, LEA Data Auditors, LEA Help Desks, LEA Student Help Desks, School Help Desks, and School Student Help Desks) have access to student and employee data, all users with any of these roles must use Multi-Factor Authentication (MFA) in the NCEdCloud IAM Service. NCDPI implemented multi-factor authentication for privileged users statewide beginning in 2019. Visit the NCEdCloud MFA webpage for more information.

What is the time limit for entering the 6-digit code from my app into the OTP screen?

Authentication applications generate 6-digit codes that are valid for 30 seconds from the moment they are displayed. If the timer expires before you enter the code, you will need to enter a new one. Because the code is visible in the authenticator application for only 30 seconds, if you have just a few seconds left it is best to wait until a new code is generated and enter that one into the NCEdCloud OTP login screen. You will be fully authenticated with MFA once you enter it into the NCEdCloud login screen.

What is the process for setting up MFA One Time Password on more than one device?

The One-Time Password (OTP) is tied to your NCEdCloud ACCOUNT, not to a device. When you log in for the first time after MFA is implemented (or after an OTP Reset) and see the OTP Setup page, it is the QR Code and the AlphaNumeric Code underneath it that link the NCEdCloud MFA to the 6-digit code provided by your authentication application (Google Authenticator, RapidIdentity, GAuth, etc.). The QR code and AlphaNumeric Code are “equal”: as long as they are taken from the same OTP Setup page, they provide the same information to authentication apps. You can therefore log in on your iPad or Windows machine using the same authentication app you have on your phone.

You can use a desktop or browser authenticator app on more than one device if you have it installed on multiple devices. Each instance will require you to enter the same alphanumeric code (write it down or take a picture with your phone) you got from the original OTP Setup Page. Installing the app on your phone, however, will make it easier to find your 6-digit code if you’re using multiple devices.

What are the requirements for Multi-Factor Authentication (MFA) in NCEdCloud?

The NCEdCloud RapidIdentity portal will require MFA and a One-Time Password (OTP) for all PSU employees with NCEdCloud privileged roles (LEA Administrators, LEA Data Auditors, LEA Help Desks, LEA Student Help Desks, School Help Desks, or School Student Help Desks), effective November 2019.

A number of PSUs are requiring MFA for selected employees who handle privileged data (Finance, HR, student data, etc.), and in some cases for ALL employees who access online resources in response to the increase in phishing scams and the rising cost of cybersecurity insurance.

What is the benefit of the NCEdCloud MFA if I need to use it every time?

A One-Time Password (OTP) is a 6-digit passcode that can be used only one time, not something you only enter once. Every 30 seconds, a new valid password is generated for your account. This prevents anyone who looks over your shoulder and sees your six-digit code, or a “hacker” who captures what you enter, from reusing it at a later date. It adds a “second factor” in addition to your password to make your login more secure. In the case of NCEdCloud, it is usually only implemented for user accounts with access to multiple users’ data, or information with a higher level of risk – such as student and employee data.
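
The FAQ answers above say that the 6-digit code is derived from the alphanumeric setup code rather than from a device, that it changes every 30 seconds, and that a captured code cannot be reused later. The sketch below is an added example, not NCEdCloud or RapidIdentity code: it implements the standard TOTP calculation (RFC 6238) and goes slightly beyond the page by showing a server-side check that rejects a replayed or expired code. It assumes HMAC-SHA1 and uses the RFC's published test key as a constructed setup code; `totp`, `verify` and `SETUP_CODE` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds each code is valid (as stated on the page)
DIGITS = 6     # code length (as stated on the page)

# Constructed sample: the RFC 6238 test key, base32-encoded the way an
# OTP setup page's alphanumeric code would be. Not a real account secret.
SETUP_CODE = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(setup_code: str, unix_time: int) -> str:
    """Return the 6-digit code for the 30-second window containing unix_time."""
    key = base64.b32decode(setup_code.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()  # SHA-1 is an assumption
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(setup_code, code, unix_time, last_used_step=-1, drift=1):
    """Server-side check: accept the current window +/- drift windows,
    and refuse any window at or before the last one already accepted.
    Returns the matched window number, or None if the code is rejected."""
    current = unix_time // STEP
    for step in range(current - drift, current + drift + 1):
        if step <= last_used_step:
            continue                                # already used: replay
        if hmac.compare_digest(totp(setup_code, step * STEP), code):
            return step
    return None


if __name__ == "__main__":
    now = 1111111109                                # fixed time from RFC 6238
    phone = totp(SETUP_CODE, now)                   # app on a phone
    laptop = totp(SETUP_CODE, now)                  # second app, same setup code
    print(phone, laptop, phone == laptop)
    step = verify(SETUP_CODE, phone, now)
    print("accepted in window", step)
    print("replay:", verify(SETUP_CODE, phone, now + 5, last_used_step=step))
    print("stale :", verify(SETUP_CODE, phone, now + 120))
```

Because every app holding the same setup code computes the same value, anyone who obtains a written copy or photo of that code can generate valid OTPs for the account.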

Do I have to use my personal phone to generate the MFA One-Time Password?

If you have one of the privileged roles, you can obtain the 6-digit code you need to enter to log in to NCEdCloud. See the NCEdCloud MFA page for more information.

If you want to access the NCEdCloud IAM Service, you need to install the Chrome extension “GAuth Authenticator” or another desktop or browser app.

Installing a mobile app on your phone makes it much easier to log in to NCEdCloud no matter which device you use during the day, especially if you use multiple devices. The authentication applications (e.g. Google Authenticator, RapidIdentity) run on your phone and do NOT use SMS (text messages) to obtain the 6-digit code. With the authentication app, there are no charges to your account or data usage when you scan the QR code on the OTP Setup page.

Can I set up MFA without a mobile phone number?

Both the Google Authenticator and RapidIdentity apps generate a valid 6-digit code on your mobile device using a time-based one-time password (TOTP) algorithm (it isn’t texted to your phone). You will not be able to share or change your phone number with anyone while the application runs on your phone, nor will you be charged any fees. However, some authentication providers might require you to enter your phone number when you sign up.

What is GAuth Authenticator and how do I use it?

Using GAuth Authenticator on Chrome, you can access NCEdCloud using your 6-digit OTP without using a mobile phone or entering your phone number. If you use Chrome to access NCEdCloud, then you can use GAuth to provide your 6-digit OTP. The NCEdCloud MFA page at /multifactor-authentication-mfa, or under the Opt-In Features Menu at the top of the page, contains more information about GAuth.

What is the frequency of entering my OTP?

You need to log in to NCEdCloud once a day. Your OTP (6-digit code) is a part of the login process, and you enter it on the third screen of the login process. If you typically log in more than once (you use different computers, tablets, etc.), you must enter it each time. You only need to log in (and enter your OTP) once if you use the same machine all day.

User’s Guide for Authentication Apps

To use MFA to access NCEdCloud, users need to download an authentication app for their mobile device or browser (Chrome) and set up their One-Time Password. Select the appropriate application below (e.g. Google Authenticator, RapidIdentity, GAuth Authenticator) and follow the instructions accordingly. Links to each application are provided in each set.