
Atrieve Email Multi-factor Authentication

What is Atrieve's Email Multi-factor Authentication (MFA)? 

With Single Sign-On, we reduced the number of login credentials each user needs, increasing productivity with one-click access and simplifying user management. Atrieve's built-in Email MFA (multi-factor authentication) provides an additional layer of security by requiring that employees provide an additional means of authentication.

MFA, which requires that users authenticate with at least two factors, can reduce the risk of identity compromise by as much as 99 percent over passwords alone, so this improvement is key to preventing attacks and securing your district's personal and operational data. 

When Atrieve Email MFA is enabled, employees will be required to enter a unique time-based numeric code before being logged into any Atrieve product. The code will be sent to the employee’s email address, and until they enter a valid code, they will not be authenticated to any Atrieve product, and their session will not be active. At this time, Email MFA can only be enabled for the entire district, not on an individual user basis.

Does our district have to use Atrieve Email MFA?

No, Atrieve Email MFA is not required to be used with the Atrieve 21.02 release. This is a built-in add-on security feature that each district can choose to enable or not, whether you are hosted by PowerSchool or have Atrieve on-premise. Atrieve Email MFA can be enabled at any time in the future.

How do I enable Atrieve Email MFA? 

  1. Ensure ALL staff have a correct email address in LDAP, OpenLDAP, or Atrieve HR.
  2. Open a technology support case requesting Atrieve Email MFA to be enabled through the Support Case Portal in the PowerSchool Community.
  3. Once the request is received, the PowerSchool team will schedule a date with your district to enable Atrieve Email MFA.  

Where does the service look for my email address? 

  • LDAP users 

The authentication service will look at the employee’s Active Directory record for the email field. If no valid email address is found, the service will next look for the employee’s email address in Atrieve HR.  

  • Non-LDAP users 

The authentication service will look for the employee’s email address in Atrieve HR. 

How is my email address used? 

Once a valid email address is found, a unique MFA code is sent to the email address. The user needs to enter the code sent to their mailbox into the Atrieve Email MFA login prompt to proceed.

What happens if the system cannot find a valid email address? 

If the system cannot find a valid email address, the user will not be able to log in. An error message will be displayed that states: 

Your email address (email@address.com) is not valid, please contact your administrator. 

What is the system workflow for authentication with Atrieve Email MFA?

What does the MFA email contain? 

Dear MFA User

Here is the code you need to login to your PowerSchool Atrieve account:

8 9 2 7 4 2

This code is active for 5 minutes.

The code is required to complete the login.  No one can access your account without access to this email.

If you are not attempting to login then please notify your system administrator of the login attempt.


Thank you,

PowerSchool Atrieve Team


What does the Atrieve Email MFA login prompt look like? 

 

What is the expiry time for the MFA codes? 

The default expiry time for a generated MFA code is 5 minutes. If an end user generates a new request within 5 minutes, the same code will be sent to them again. After the 5-minute expiry, a new MFA code is generated for the end user.

What happens if I don’t enter the code in time? 

If you don’t enter the code in time, you can request a new one via the same process. 

What happens if I enter an invalid code? 

If you enter an invalid code, you will be redirected to the MFA prompt again. 
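
The code lifecycle described in the three answers above (5-minute expiry, the same code re-sent on a repeat request, an invalid entry returning the user to the prompt), modeled as an added example; it is not PowerSchool's or Atrieve's code. The class name, the single-use rule, the random code generation and the expiry clock anchored to the first issue are assumptions.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 5 * 60  # from the page: a code is active for 5 minutes


class EmailMfaCodeStore:
    """Hypothetical model of the documented behaviour, not the product's code."""

    def __init__(self):
        self._issued = {}  # user -> (code, issued_at in seconds)

    def request_code(self, user, now):
        """Return the code to email: re-send an unexpired one, else mint a new one."""
        entry = self._issued.get(user)
        if entry and now - entry[1] < CODE_TTL_SECONDS:
            return entry[0]  # repeat request inside the window: same code
        code = f"{secrets.randbelow(10**6):06d}"  # assumption: 6 digits from a CSPRNG
        self._issued[user] = (code, now)  # assumption: TTL runs from first issue
        return code

    def verify(self, user, submitted, now):
        """True only for the current, unexpired code."""
        entry = self._issued.get(user)
        if entry is None or now - entry[1] >= CODE_TTL_SECONDS:
            self._issued.pop(user, None)
            return False  # expired or never issued: user requests a new code
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(entry[0].encode(), submitted.encode()):
            return False  # invalid code: caller shows the MFA prompt again
        del self._issued[user]  # assumption: a code is consumed on first use
        return True
```

Because the same code stays valid for the whole window, a deployment built this way would also want a cap on failed attempts per user; the page does not say whether Atrieve applies one.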

Can I use SMS text messaging instead of email? 

No.

Can I use 3rd Party Authenticators such as Google or Microsoft? 

With Atrieve 22.02, 3rd party authenticators are supported with Google and Microsoft.

 
