What is MFA?
Multi-Factor Authentication, or MFA, combines different factors (something you know, something you have, and something you are) in the authentication process. In our case we are using 2-factor authentication: something you know (password) and something you have (mobile phone or access to the device with the registered Chrome Extension).
We are doing so for multiple reasons, but the two primary reasons are the safety and security of our district data and meeting cyber security insurance requirements.
What systems will require MFA?
Currently Google, Office 365, and Outlook are the main systems that will require MFA. Some other systems that admins and office staff have access to, like the camera system, will also require MFA. Once we get the entire district staff set up with MFA, we will begin to work on the other online software we use to protect those as well.
Note: Any system that uses Google as the identity provider will require MFA. Some of those systems are Employee Access, Remind, Embrace, and Skyward (once all district staff have enrolled in MFA).
What if you do not have a mobile phone or do not wish to use your mobile phone?
If you have access to a laptop/Chromebook then you can register the Chrome extension on it. This way you have some mobility and can access the systems from outside the district.
How many devices can I register for MFA?
You can register up to 5 devices, so if you move between buildings or computers you can add 5 of those.
Can I use both the Chrome extension and the mobile app?
Absolutely. In fact, it is recommended; that way you have multiple options and more flexibility (resulting in fewer calls to IT 😉).
Will I be prompted every time I access the system? Why am I not prompted when I log into a system?
If you have logged into your browser and you have an active authenticated session, you will not be prompted when accessing MFA-protected online software. The one exception is district email, since that does not use Google or O365 to authenticate, but it is a work in progress and will eventually be capable of Single Sign-on.
I clicked allow but I was unable to log in. What happened?
When you log in, there is a finite window in which the MFA prompt is presented, you respond to the prompt, and the response is sent back to the server. If that takes longer than the authentication window is open, the connection will fail. This is typically due to mobile phone coverage or latency between our systems and Silverfort’s servers. Just click login again and you should gain access without having to MFA again, since the systems already see a successful MFA authentication from your device.
Note: If you receive an MFA prompt this means your password was entered correctly so that is not the issue.
I am unable to log in to the system and I am not getting an MFA prompt. Why is that?
Typically, this is caused by a bad password, so check to make sure you typed it correctly. It is also possible that your password has expired; if you have not changed it within the past 90 days, there is a good chance this is the issue.
I am not trying to access any system so why am I being prompted?
If you leave for the day and stay logged into your desktop/laptop, you will have active sessions open, and those sessions only last a few hours, at which point you will need to MFA again. This means you may not be trying to access something, but your computer is. In this instance you can block the connection or ignore the prompt; either way the connection is blocked.
Another example is if you have district email on your mobile phone. MFA prompts can vary depending on your phone’s make, model, version, and settings, so you may be prompted occasionally or whenever you open your mail app (whether you are accessing district email or not). If you find that you are being over-prompted, please reach out to IT for assistance.
What do I do if I forget my mobile phone or do not have access to my device with the Chrome extension?
If it is during office hours (7:30 – 4:00) you can call IT at 4020 and we can assist you.
Is the district tracking our personal phones with this Silverfort application?
No. The only thing that we see in our system logs is whether or not a device said "Yes" or "No" to the MFA prompt.
Does the Silverfort app on my phone use a lot of data?
No. We have noticed minimal data usage for the application: less than 5MB per month.
What types of data does the Silverfort app on my phone have access to?
The text below is copied and pasted from section 2.2 of the document called "Silverfort - Summary of Collected Customer Data". Click that link to read the entire four-page document, or see below for the excerpt:
This data relates to step-up authentication events (where Silverfort is required to verify a user’s identity in order to prevent unauthorized access), only for users pre-defined by the customer, and only in cases where the customer chooses to use an authentication method that requires such external communication (e.g., authentication via push notifications to the user’s mobile phone, which is located outside of the customer’s network). For each such step-up authentication request, user enrollment request or user notification, Silverfort’s cloud messaging service processes the following information:
Date and time of access
Corporate username
Corporate email address
Application being accessed
Company name
Data subjects: Users (such as employees and contractors) that the customer specifically decides to protect with Multi-Factor Authentication using Silverfort’s platform, in a way that requires communication outside of the customer’s network (for example, via push notifications to the users’ mobile phones).
Purpose: The data is used to request relevant users to prove their identities, using step-up authentication (for example, by approving a notification on the user’s mobile phone), and prevent cyber threats such as account compromise and unauthorized access. This data is only sent to Silverfort’s cloud messaging service if and when it is required in order to communicate with the user’s authentication factor (e.g. mobile phone) which is located outside of the customer’s corporate network, or for user enrollment, notification, or diagnostics. Such messages only contain the minimal data required.
Subprocessors (all subject to DPAs): Microsoft (cloud infrastructure), Google (mobile notifications)
* If the customer prefers to use alternative authentication methods, such as FIDO2 or the Silverfort desktop authenticator, step-up authentication can be handled on-premises only, without sending data to Silverfort’s cloud messaging service.