Multi-Factor Authentication (MFA) Service

Price: $2.23

Unit of Measure: Usage Based

Pricing Type: Fixed

Billing Cycle: Monthly

Service Lead: Jason Howze Jason.Howze@vita.virginia.gov

Description:

Multi-Factor Authentication Service (MFA) is a method to securely control access for agency applications on the network by including an additional layer of authentication.  In addition to a standard username and directory password, MFA prompts applications to require a One-Time Password (OTP) sent to the end user via Short Message Service (SMS) text. This service allows either internal (COV domain) or external (AUTH domain) partners (i.e. counties, business partners, vendors, etc.) to more securely access agency applications. The service enables agencies to additionally control application access via group membership management using the COV Account Center.

Customer applications must be technically capable of working with MFA. Eligibility will be determined through the work request process. Each potential user must be associated with an Active Directory group in the COV domain or the Active Directory Services (ADS) identifying users with access. The initial set-up costs for the service will be determined in the work request process.

The supplier will implement MFA for a subscribed eligible customer. In addition to the application default access criteria, all end users accessing the application will be required to enter an OTP delivered to the user's cellular device. In order to receive OTP via SMS, end users must have a cellular device and service capable of receiving SMS messages.

Multi-Factor Authentication Service Costs:

  • There is an initial set-up charge for configuring the MFA service for an application.
  • Ongoing charges: $2.23 per user per month
  • The number of users is derived on the day of billing

The AITR and their assigned VITA customer account manager (CAM) guide the customer through required collaborative discussions and forms completion for the service offering, and engage the service owner as required.

How to Order

Order via Work Request. Requirements forms for standard and custom work requests can be found in the Service Catalog Form Library.

Need help?

Frequently Asked Questions (FAQs)


Multi-Factor Authentication Service is a framework that provides multiple levels of authentication for agency applications. In addition to a standard user name and directory password, applications can also require a One-Time Password (OTP) sent to the end user via SMS text. End users requiring authentication can be located in either the AUTH or COV domains. This service will allow agencies to securely display their application for external access (i.e. counties, business partners, vendors, etc.). The agencies control access to the applications via group membership management using COV Account Center.

Agencies need to submit a request for MFA when they wish to add OTP capabilities to application authentication.

An agency must request initial application, authentication, and authorization setup through the work request process, using the custom work request form.

There is an initial set-up charge for configuring the MFA service for an application. Recurring charges are based on the number of users added to application groups. Please see the VITA IT service catalog for pricing information. MFA recurring charges are separate and distinct from charges for other services such as EADS and WCS (SharePoint).

Answers to the questions below should be included in your custom request form:

  • What population of users requires MFA? MFA can be used with COV users, External VITA Identity Manager (VIM) users, or both.
  • If the application will be accessed by external users, is this a new application or a modification to an existing application? If it already exists, is it part configured for the External Authentication Directory Service (EADS)?
  • Are new application security groups required?
  • Should any of the external application security groups be published to the VIM portal?
  • If new groups are required, who should be listed as owners in COV Account Center?

No. MFA includes hardware, hardware maintenance, software, and software maintenance. Each agency is responsible for ensuring license compliance for their applications.

If an application is published to the VIM Portal, external users will request access by selecting the application and then submitting the request using the VIM portal. The request workflow will send an email to the approver(s) designated by the agency. Agency approvers will approve or deny the request, then the workflow will take appropriate actions based on the approver's response and the result will be emailed to the external user. If the application is not published to VIM, external users will need to coordinate with their agency application contact to be added to the appropriate group(s).

Each application group will have one or more people designated as owners of the group in COV Account Center. The group owners can add/remove people as needed using COV Account Center. The group owners will also be responsible for approving or rejecting requests from non-owners for inclusion in the group. The approval workflows will be the same as those used for management of any other group in COV Account Center.

COV users can update their profile to include a mobile phone number using COV Account Center. External users can specify their mobile phone number in their VIM user profile.

EADS allows external users access to agency applications. MFA provides the capability to add One-Time Passwords (OTP) to the authentication.

The following questions can help narrow down the cause of the issue:

  1. Is this a COV user or an external VIM user?
  2. If a COV user, can they access other COV-based applications? If not, then normal account troubleshooting is required.
  3. If a VIM user, can they log on to VIM? If not, then normal VIM account troubleshooting is required.
  4. If the user is able to log on to other things, but not the MFA-enabled application, then make sure the account has been added to an appropriate group. For AUTH-based applications, the account must be in an AUTH group. For COV-based applications, it must be in a COV group. Membership of the MFA group is managed by the group owners listed in COV Account Center. The user will need to be directed to their agency application point of contact.
  5. Does the account have a valid mobile phone number? If the mobile phone number is not present, the user may update it by following the appropriate steps for COV or VIM. There is a separate KB for each. A COV user makes the update in COV Account Center, while a VIM user makes the update in VIM.
  6. Is the user receiving the one-time password? If not, and the mobile phone is valid, then the ticket needs to be transferred to the networking group that manages the F5.
  7. If the user is receiving the one-time password, but is still not being authenticated to the application, then the ticket needs to be transferred to the networking group that manages the F5.

Use process to get a new One-Time Passcode.
One-Time Passcode

Send VITA Onestop an email at vitaonestop@vita.virginia.gov to collaborate on or handle your order.