Setting Two-Factor Authentication Rules


If your agency already uses two-factor authentication, check out our Two-Factor Authentication User's Guide for information on enrolling in two-factor authentication and its use! 

The AWARDS Two-Factor Authentication Rules feature, configured within the database's Business Rules, adds another layer of security on top of complex passwords and good user behavior by creating a token on a personal iOS or Android mobile device that must be used to log in.  If, with two-factor authentication enabled in your AWARDS database, a password were compromised and an attacker attempted to log in, the attacker would be unable to generate the required code without access to the associated mobile device.

  NOTE: A token is an authenticator in the form of a mobile device, where the user's interaction proves that the user physically possesses the device.  The token is used in addition to a password.  It acts like an electronic key for accessing confidential data.

IMPORTANT! Consumers are responsible for securing their own protected health information. Two-factor authentication only applies to STAFF logins. CONSUMER logins are exempt in order to ensure that consumers are able to access their data without requiring a mobile device for authentication purposes. 

Getting Started with Two-Factor Authentication

To make enabling two-factor authentication as seamless as possible, system administrators have the ability to enable the feature ahead of enforcing it, thus ensuring users have an opportunity to configure it before potentially being locked out of AWARDS.  Further, in getting started with two-factor authentication, we recommend system administrators utilize the following workflow, allowing 1 to 2 weeks for the full process to be completed.

IMPORTANT! Steps 1 and 2 can be completed in whatever order you prefer; however, they should be completed as close to simultaneously as possible.

  STEP 1:  Set "roll out" and "go live" dates and communicate the upcoming change with your users

We recommend an initial period of 1 to 2 weeks for users to get set up with and enroll in two-factor authentication.  Choose the date on which you'll begin the roll out period, and then use the recommended timeframe to determine your go live date.  Once you have both dates chosen, communicate those dates and the details of the change to all staff users with AWARDS logins.  (Consumer logins are not impacted by two-factor authentication.)

 Click here for a sample announcement you can customize and send to your users.

  STEP 2:  On the roll out date turn on two-factor authentication in AWARDS, but don't yet "enforce" it

This is the kick-off to your two-factor enrollment/grace period.  Complete the configuration process, detailed under Configuring Two-Factor Authentication in AWARDS, below.  During this process, be sure to set the two-factor setting to "On - Not Enforced."  When you're done, two-factor enrollment will be enabled, letting users begin to get set up; however, users who do not do the setup immediately will not be locked out of AWARDS.

  STEP 3:  Confirm user enrollment ahead of the go live date and follow up if needed

Just before the go live date we recommend checking in to see how many of your users have completed the enrollment process.  To do so, run the Employee ReportBuilder including, at a minimum, the "Name" and "Two-factor Configured" data variables.  (The two-factor data variable is located in the "User Login Information" portion of the ReportBuilder's options page.)  Use the ReportBuilder's filter, display, and summary options to get a detailed picture of enrollment efforts to date.  If you find that not everyone is ready for go live, some targeted follow-up communication and/or reminders may be needed.

  STEP 4:  Flip the switch / begin enforcement on your go live date

Update your two-factor authentication settings in AWARDS using the process detailed under Configuring Two-Factor Authentication in AWARDS, below.  During this process, be sure to change the two-factor setting to "On - Enforced."  From this point forward existing users will no longer be able to log in to AWARDS without using two-factor and will be prompted to re-authenticate upon first login, and new users will be prompted to enroll upon first login.

That's it, you're now good to go with two-factor authentication! Congratulations on taking this important step toward further securing your AWARDS database against unauthorized access!

  TIP: Looking for frequently asked questions about two-factor authentication?  Jump down to the bottom of this page!

Configuring Two-Factor Authentication in AWARDS

To configure two-factor authentication, whether turning it on or changing settings, complete the following steps from the AWARDS Home page:

    1. Click Administration from the left-hand menu, and then click System Setup.  The System Setup fly-out menu is displayed.
    2. Click Business Rules.  The Business Rules Menu page is displayed.

    3. Under "Global Settings for All Programs" click Two-factor Authentication Rules.  The Two-factor Authentication Rules page is displayed.

  NOTE: Included at the top of this page is read-only "Two-factor Configured By" information reflecting the last user to make a change to the two-factor authentication settings.

    4. Configure the fields and options on this page as follows:

  Two-factor Authentication - Click this drop-down arrow and make a selection to indicate whether two-factor authentication is enabled in your AWARDS database.  Available selections are:

IMPORTANT! During the initial implementation period for two-factor authentication, detailed using the Getting Started workflow steps listed above, be sure to select "On - Not Enforced."  Upon completion of the startup grace period, change this selection to "On - Enforced."

  Off - Not Enforced - The default value.  When selected, two-factor user enrollment is NOT enabled and the two-factor authentication feature is NOT enforced.  Database access is dependent ONLY on the password.

  On - Not Enforced - To be used during the initial two-factor authentication configuration / getting started period.  When selected, two-factor enrollment is enabled, letting users configure two-factor authentication; however, users who have not yet done the setup will not be locked out of AWARDS.  

  TIP: As noted in the suggested Getting Started workflow steps listed above, we recommend using the "On - Not Enforced" option for a period of one to two weeks to give users a grace period to enroll in two-factor authentication.  After that time this setting should be changed to "On - Enforced."

  On - Enforced - The highest level of security for your database.  When selected, two-factor authentication is turned on AND enforced.  New and existing users are presented with the user setup option once, and again thereafter whenever their AWARDS password is reset.

  Remember Device for ___ days - In this field, type a value between 1 and 90 to set the period for which the device used to access AWARDS will be remembered.  Users who have successfully enrolled in two-factor authentication will have to re-authenticate upon expiration of this period.  The maximum allowed value is 90 days.

    5. Click UPDATE to apply your changes.  A read-only confirmation page of the newly applied two-factor authentication rules is displayed.

  TIP: To make additional changes to the two-factor authentication rules at this time, click Return to Data Entry to re-open the page in data entry mode.

The process of configuring two-factor authentication is now complete.

Two-Factor Authentication Frequently Asked Questions

The following frequently asked questions provide details on the most commonly asked about pieces of the Two-Factor Authentication feature.  Click a question from the list here to navigate directly to the corresponding answer, or scroll through the full list of questions and answers below.

Are any users excluded from two-factor authentication?

How are authentication devices remembered?

What happens if a user can't enroll in two-factor right away during the agency's roll out period?

What happens if a user gets a new authentication device?

Why is a user being asked to authenticate again?

Are any users excluded from two-factor authentication?

Yes, two-factor authentication only applies to STAFF logins.  CONSUMER logins are exempt in order to ensure that consumers are able to access their data without requiring a mobile device for authentication purposes.  Consumers are responsible for securing their own protected health information.

How are authentication devices remembered?

Devices are remembered when a user accesses AWARDS from the same browser and device.  If a user is using the same device and a different browser, or the same browser in private or incognito mode, re-authentication is required.

What happens if a user can't enroll in two-factor right away during the agency's roll out period?

Each time a user logs in to AWARDS on or after the roll out date set by your agency for two-factor authentication, he/she will be shown an enrollment pop-up until the enrollment process has been completed.  When the user sees this pop-up he/she can either choose to go ahead with the process, or temporarily bypass it and continue into AWARDS.  The Bypass & Proceed to AWARDS option will be available for a grace period of your agency's choosing (typically one to two weeks).  At the end of that period your agency will want to change the setting to "Enforced," in which case users will be forced to complete the enrollment process or they will not be able to log in to AWARDS.

Why is a user being asked to authenticate again? 

Authentication is required when ANY of the following are true:

  The user has reached the number of days allowed by your agency for "remembering" the device (a maximum of 90)

  The user has reset his/her password in AWARDS under Password & Security

  The user's password has been reset by a supervisor or AWARDS administrator using Password Reset

  The user cleared his/her browser's cookies

  The user is using a different device/browser combination or using his/her browser in private/incognito mode

  Your agency's two-factor go live date has been reached (requiring users to re-authenticate upon first login afterward)
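The settings described under Configuring Two-Factor Authentication and the re-authentication triggers listed above together form a small login policy. The following Python model is an added illustration of that policy, not AWARDS code: it validates the 1 to 90 day "Remember Device" range, decides what a staff or consumer login sees under each of the three modes, and reports why an enrolled user is being asked to authenticate again. The field names, the `go_live_at` timestamp and the `password_reset_via` labels are assumptions made for the example; the page does not say how AWARDS stores any of these values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional

# The three values of the "Two-factor Authentication" drop-down on the rules page.
class TwoFactorMode(Enum):
    OFF_NOT_ENFORCED = "Off - Not Enforced"
    ON_NOT_ENFORCED = "On - Not Enforced"
    ON_ENFORCED = "On - Enforced"

MAX_REMEMBER_DAYS = 90  # documented ceiling for "Remember Device for ___ days"

# Password-reset paths that DO re-trigger two-factor setup (Password & Security,
# supervisor/administrator Password Reset); "forgot_password" deliberately does not.
RESET_PATHS_THAT_REQUIRE_REAUTH = {"password_security", "admin_password_reset"}

def validate_remember_days(days) -> int:
    """Accept only a whole number of days in the documented 1..90 range."""
    if isinstance(days, bool) or not isinstance(days, int) or not 1 <= days <= MAX_REMEMBER_DAYS:
        raise ValueError(f"Remember Device must be 1..{MAX_REMEMBER_DAYS} days, got {days!r}")
    return days

@dataclass
class TwoFactorRules:
    mode: TwoFactorMode
    remember_days: int
    go_live_at: Optional[datetime] = None  # assumed: when "On - Enforced" was applied

@dataclass
class LoginContext:
    is_consumer: bool
    enrolled: bool
    # None models "no remembered-device cookie": cleared cookies, a different
    # browser or device, or private/incognito mode.
    device_remembered_at: Optional[datetime]
    password_reset_at: Optional[datetime] = None
    password_reset_via: Optional[str] = None  # assumed label, see RESET_PATHS_THAT_REQUIRE_REAUTH

def reauth_reasons(rules: TwoFactorRules, ctx: LoginContext, now: datetime) -> List[str]:
    """Every condition from the FAQ list that currently forces an enrolled user to re-authenticate."""
    if ctx.device_remembered_at is None:
        return ["no remembered device (cookies cleared, other browser/device, or incognito)"]
    remembered_at = ctx.device_remembered_at
    reasons = []
    if now - remembered_at >= timedelta(days=validate_remember_days(rules.remember_days)):
        reasons.append(f"remember period of {rules.remember_days} days reached")
    if (ctx.password_reset_at is not None and ctx.password_reset_at > remembered_at
            and ctx.password_reset_via in RESET_PATHS_THAT_REQUIRE_REAUTH):
        reasons.append(f"password reset via {ctx.password_reset_via} since device was remembered")
    if rules.go_live_at is not None and remembered_at < rules.go_live_at <= now:
        reasons.append("go live date reached since device was remembered")
    return reasons

def login_decision(rules: TwoFactorRules, ctx: LoginContext, now: datetime) -> str:
    """What the login sees: ALLOW, PROMPT_ENROLL_BYPASS_ALLOWED, REQUIRE_ENROLL or REQUIRE_SECOND_FACTOR."""
    if ctx.is_consumer:
        return "ALLOW"  # consumer logins are exempt regardless of mode
    if rules.mode is TwoFactorMode.OFF_NOT_ENFORCED:
        return "ALLOW"  # access depends only on the password
    if not ctx.enrolled:
        # Grace period: enrollment pop-up with "Bypass & Proceed"; enforced: no bypass.
        return ("PROMPT_ENROLL_BYPASS_ALLOWED" if rules.mode is TwoFactorMode.ON_NOT_ENFORCED
                else "REQUIRE_ENROLL")
    return "REQUIRE_SECOND_FACTOR" if reauth_reasons(rules, ctx, now) else "ALLOW"

if __name__ == "__main__":
    # Constructed sample: enforcement began 1 March 2024, devices remembered for 30 days.
    now = datetime(2024, 3, 15)
    rules = TwoFactorRules(TwoFactorMode.ON_ENFORCED, 30, go_live_at=datetime(2024, 3, 1))
    stale = LoginContext(is_consumer=False, enrolled=True, device_remembered_at=datetime(2024, 2, 4))
    print(login_decision(rules, stale, now), reauth_reasons(rules, stale, now))
```

Running the sample shows the device remembered on 4 February being challenged for two independent reasons: the 30-day window has elapsed and the agency's go live date fell after the device was remembered. The `password_reset_via` check is what keeps the Forgot Password path from resetting two-factor setup, matching the note in the last FAQ answer.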

What happens if a user gets a new authentication device?

In order to change the device being used for two-factor authentication a user must change his/her AWARDS password under Password & Security - OR - have an authorized staff member reset the password using Password Reset.  Once the password has been reset the user will be asked to authenticate from the new device upon logging into AWARDS.

  NOTE: Resetting a password using the Forgot Password feature on the AWARDS login page does NOT reset two-factor authentication setup.