Multi Factor Authentication

What is Multi Factor Authentication (MFA)?

Multi-factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an internet-based resource. MFA is a core component of a strong identity and access management (IAM) policy. Rather than just asking for a username and password, MFA requires one or more additional verification factors, which decreases the likelihood of a successful cyber-attack.

Why are we introducing MFA on the Portal?

There are two key reasons why MFA is required on the Portal:

  • Sustrans is serious about protecting both its own data and that of its partners, and has as a result gained Cyber Essentials accreditation. A key step to maintaining the accreditation is to ensure MFA is used across all systems.
  • MFA, as part of wider data protection and website security requirements, is now often written into the conditions of funding for some organisations with which Sustrans is a partner.

I’m an external/partner user, so what does this mean for me?

The result of the MFA requirement for you will be as follows:

  • At first login after the rollout, you will be asked to confirm or enter a phone number that can be used for MFA, and to select which authentication method you would like to use by default – Phone, Email or Authenticator App.
  • You will then be asked to enter a code sent to you via your chosen authentication method.
  • At every subsequent login, you will be asked to enter a code sent to you via your chosen default MFA method.

If you are unable to authenticate by your default method, you will be able to switch to a secondary method. You will be able to change the default MFA method at any time, but only once you have successfully logged in using MFA.

Which phone and email address will be used for authentication?

When setting up MFA, you will be asked to enter a suitable phone number, regardless of which method you choose as your primary authentication method. It is recommended that this is a mobile phone number, but whatever number you use, it must not be for a phone that you share with others. You will be able to change that phone number at any time when logged into the Portal.

If for some reason you do not have a number suitable for MFA authentication via SMS/voice, you will be able to declare this, and Phone authentication will be disabled for both primary and secondary (back-up) authentication options.

The email address used for authentication will be the one you set up your Portal account with. Strict conditions are in place for changing the email address, so please assume that this cannot be updated.

But I don’t have a mobile phone

If you do not have a mobile phone, you can still use Phone as your authentication method, as the codes can be provided via automated audio through a landline. However, you should only use a landline number if the number is not shared with others.

Alternatively, you can use Email as your authentication method.