Multi-Factor Authentication (MFA)


Multi-factor authentication can be enabled for accounts accessing Axiom and Portals. Multi-factor authentication (MFA) is a security mechanism that requires access to more than one device (typically a computer and a phone) to access an application. It is becoming increasingly common for websites with sensitive content such as banks and social media services to encourage, or even require, it of their users. Veracross uses time-based one-time passwords (TOTP), an industry standard mechanism supported by many authenticator apps.

If you choose to use MFA, you need to provide your own recommendations to your constituents on which authenticator app to use, e.g., Google Authenticator, Authy, Duo, 1Password, or LastPass.

If you decide that you want to require some or all of your accounts to use MFA, we recommend:

  1. SysAdmins should first enable MFA for themselves and then a small group of users.
  2. Make the MFA status optional or transitional at first, then after a period of time make it required.
  3. Communicate to your constituents well ahead of time about multi-factor and then when each major update comes (e.g., when moving from transitional to required).

The Details

There are several MFA statuses available on the person account record:

  • Not Allowed: The default, in which case users do not see any change
  • Optional: users can enroll if they wish via a link in Axiom and Portals, but will not be prompted during login
  • Transitional: users are prompted — but not required — to enroll at every login
  • Required: users are required to enroll on next login
  • Enrolled: users are enrolled in MFA and must use an authenticator app to log in

Enabling MFA

Anyone with a Sys_Admin1 security role can enable, edit, and remove individuals from MFA.

  • For Current Users: You can batch update the “MFA Status” field on the person account detail screen. For instance, batch update MFA status to “Transitional” for a period of time, then batch update it to “Required.”
  • For New Users: Set the “Default MFA Status” on the Security Roles query.


A user who is not enrolled in MFA cannot impersonate a user who is enrolled. This is to avoid users with only one security check accessing information that may require two security checks with MFA.


Related Articles