Multi-Factor Authentication (MFA)
Effective September 2, 2016, CMS is updating the Enterprise Identity Management (EIDM) Portal to require a new multi-factor authentication (MFA) step whenever users log in to the myCGS Web Portal. MFA is the use of two or more different authentication factors to verify the identity of a user. One factor is the password that goes with your EIDM ID to sign in to myCGS; MFA adds a second, completely separate factor that is verified independently of the password.
If you are an existing user of myCGS, you will need to register an MFA option in your EIDM account prior to September 2, 2016. Options for MFA include using "credential" software on your computer or phone, text message (SMS), voice message, or email. You can register up to five devices for MFA, and CMS recommends that you register at least two devices. It is strongly suggested that you use the free credentialing software as your first MFA choice. If you are unable to use the credentialing software (for instance, because you use a shared computer), then text message is suggested. Using email should be your last resort, as it is both the least secure and the slowest way to receive an authentication code, and may therefore delay your login.
You will need MFA software if you choose to receive your MFA credential on a computer, laptop, or mobile device. Download the MFA software from Symantec and install it on your device of choice. To download the desktop software for Windows or Mac, navigate to https://idprotect.vip.symantec.com/desktop/home.v and follow the instructions. If using an iPhone, Android, Blackberry, or other mobile device, use your device to navigate to https://m.vip.symantec.com/home.v and follow the instructions. The text message, voice message, and email options do not require a software download.
You can register your MFA devices in EIDM now. Although MFA will not be enforced until September 2, complete the registration of your MFA option before that date; failing to register an MFA option before implementation will delay your access to myCGS. Registering now does not change the enforcement date: you will not be required to log in using MFA until September 2.
If you are registered for myCGS in an Approver role (Designated Approver, Authorized Official, or Backup Authorized Official), it is especially important that you register your MFA option by September 2, as End Users in your organization may have issues with MFA if their Approvers are not registered.
For detailed instructions on how to register your MFA device(s), CMS has provided an MFA Quick Reference Guide.
In order to assist you with registering your MFA device, CGS has put together a list of Frequently Asked Questions below. Additionally, CMS has produced an EIDM Training Video on YouTube with instructions about MFA registration and use.
Frequently Asked Questions (FAQs)
- What is Multi-Factor Authentication (MFA)?
MFA is an approach to authentication that requires you to present more than one form of credential to prove your identity. CMS policy specifies that all users who request access to a CMS application designated Level of Assurance (LOA) 3 must be identity proofed to LOA 3 and must also authenticate using MFA. CMS uses Symantec's Validation and Identity Protection (VIP) service to add a layer of protection for your online identity. Symantec's VIP uses government-certified technology and techniques to provide this multi-factor authentication.
- Are there any specific MFA service providers? What MFA devices can I link to my CMS user account?
Yes. There are various MFA service providers; Symantec is the MFA service provider for EIDM accounts. Symantec provides validation and identity protection through one of the following: a computer-based application, a smartphone-based app, a one-time password sent by email, or a one-time password sent by SMS.
- How does CMS use MFA?
CMS uses MFA to control access to protected CMS applications such as myCGS. To gain access to myCGS you enter your username and password plus a One Time Password (OTP) generated by the Symantec VIP software. The OTP can be generated by a free Symantec application that you download to your desktop or smartphone, or, alternatively, you can receive an OTP by Short Message Service (SMS), email, or voice phone call once you have registered that delivery method in EIDM.
- How do I get an MFA credential?
You will be prompted to register an MFA credential when you request access to myCGS if you have not already registered one in EIDM. You will be given a choice of MFA token delivery methods. The primary method is to download software and install it on your computer or a mobile device; alternatively, you can set up SMS, email, or voice delivery of your MFA credential.
- Where can I get the MFA software?
You will need MFA software if you choose to receive your MFA credential on a computer, laptop, or mobile device. Download the MFA software from Symantec and install it on your device of choice.
To download the desktop software for Windows or Mac, navigate to https://idprotect.vip.symantec.com/desktop/home.v and follow the instructions.
If using an iPhone, Android, Blackberry, or other mobile device, use your device to navigate to https://m.vip.symantec.com/home.v and follow the instructions.
The SMS, voice, and email OTP options do not require a software download.
- How do I register for MFA if I receive an error when installing the software on my computer?
If you are having trouble downloading and installing the MFA software on your desktop or laptop, the likely cause is a company IT policy that prevents users from installing software on company-provided machines. Check with your company's IT department for assistance. If your company does not allow you to install MFA software, one alternative is to use a mobile device that you control; you can also use a voice call to obtain the OTP.
- What if I can't use the desktop MFA software or the mobile phone MFA software?
EIDM allows you to set up a voice or SMS delivery method for your OTP that does not require an MFA software download. You register a phone number and select SMS or Voice OTP, and EIDM then registers your phone number and delivery method with Symantec. After your MFA is activated, when you request access to myCGS through EIDM you will receive either a phone call or a text message containing your OTP, depending on the delivery method you selected.
SMS and Voice OTPs expire within 30 minutes of being sent, so make sure you provide a phone number that will be accessible to you during your typical work hours. For example, do not register a residential phone number if you normally log in from your place of employment.
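The expiry described above is enforced on the server side: a delivered OTP is generated randomly, sent out of band, and accepted only once and only within its lifetime. The example below is an added illustration of that lifecycle and is not EIDM's or Symantec's code. The 30-minute lifetime comes from the text; the six-digit length, the limit on wrong guesses, the delivery callback, the constructed phone number and the class and method names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

OTP_TTL_SECONDS = 30 * 60   # the FAQ states SMS and voice OTPs expire within 30 minutes
OTP_DIGITS = 6              # assumed length
MAX_ATTEMPTS = 5            # assumed limit on wrong guesses per issued code


@dataclass
class PendingOtp:
    code: str
    issued_at: int
    attempts: int = 0


class DeliveredOtpService:
    """Issue and check one-time passwords delivered out of band (assumed design)."""

    def __init__(self, send: Callable[[str, str], None], clock: Callable[[], int]):
        self._send = send        # e.g. an SMS or voice gateway call
        self._clock = clock      # injected so expiry can be exercised without waiting
        self._pending: Dict[str, PendingOtp] = {}

    def issue(self, user_id: str, phone_number: str) -> None:
        # Fresh CSPRNG code; a new request replaces any code still pending.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[user_id] = PendingOtp(code=code, issued_at=self._clock())
        self._send(phone_number, f"Your myCGS one-time code is {code}")

    def verify(self, user_id: str, submitted: str) -> str:
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_pending"           # nothing issued, or already used
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[user_id]
            return "expired"              # the user must request a new code
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[user_id]
            return "locked"               # too many guesses: invalidate the code
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user_id]    # single use
            return "ok"
        return "wrong"


if __name__ == "__main__":
    # Demo with a constructed phone number and a fake gateway that just records messages.
    outbox = []
    service = DeliveredOtpService(send=lambda num, msg: outbox.append((num, msg)),
                                  clock=lambda: 1_700_000_000)
    service.issue("user-1", "+1 555 010 0100")
    print(outbox[-1])
```

Because the code is discarded on expiry, on successful use and after too many wrong guesses, a code that was delivered to a phone you cannot reach during work hours simply dies unused; the only recovery is to request a fresh one, which is the delay the FAQ warns about.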
- I am being asked to type a Credential ID. Where do I find the Credential ID?
The Credential ID is the 12-character alphanumeric identifier shown at the top of the soft token that was downloaded to your device from Symantec. It begins with four letters and ends with eight numbers; for example, a token might display the credential ID VSST57144377.
- How do I register additional devices to my user account?
You can register up to five MFA credentials in your user account. Additional MFA credentials can be added to your account after you have been prompted by EIDM to set up the first MFA credential. The "Register your Smartphone or Computer" hyperlink on the "My Profile" page will appear once you have successfully set up your first MFA credential. You can click on the link and add additional MFA devices to your user account.
Refer to the MFA Quick Reference Guide for additional instructions.
- If my Credential ID is copied or stolen, can someone else access my CMS EIDM User account?
No. The Credential ID only identifies the token and cannot be used to access an EIDM user account; access still requires your password and the one-time password the token generates.
- How many MFA devices can I link to my EIDM user account?
EIDM allows you to link a maximum of five distinct devices, each of which can be either a computer or a smartphone.
- Will I be charged cell phone time each time I use Symantec VIP MFA on my mobile device?
It depends on the delivery method you use. The Symantec VIP MFA software is free. Once the Symantec VIP MFA application is downloaded and installed on the phone, it does not use any cell time to generate the six-digit security code; cell or network traffic is used only to download the application to your mobile device. There are no recurring charges associated with the use of either software option. If you choose not to use the software option and select SMS or Voice OTP, carrier charges may apply.