

Multi Factor Authentication

In February SECV started to implement a Multi-Factor Authentication (MFA) system. The system we are using is called FortiAuthenticator by Fortinet. Some of you may have questions regarding the MFA system, so hopefully this will assist with some of the commonly asked ones.

Why are we doing this?

MFA is used to enhance security when gaining access to our network from the outside world. In a 24-hour time frame we received over 10,714 VPN requests, of which only 68 were from actual employees/vendors. If one of these 10,646 attempts had successfully verified with our authentication system, this could have impacted our network along with the services provided to our customers.

How does it work?

Our MFA is tied into our Active Directory (AD). AD is what allows your login to access shared files, email, Spark, and several other systems behind the scenes. The groups that your account is associated with determine whether you have VPN access or not.

Everyone should have either a Fob or a Smart Phone app loaded which provides a six-digit token value. These token values are calculated from the current time along with the serial number associated with the Fob/App. This value changes every minute. Since they use time, our appliances receive the time from Fortinet’s public time server.

When you log in to VPN, our firewall passes your username and password to the MFA.

The MFA does multiple steps:

1. Checks to see if your account is in the correct AD Group
2. Checks to see if you provided the correct username and password
3. Sends a request to the Firewall for your token value

When the firewall sees the message asking for your token value (to the right), this is what makes GlobalProtect ask for your verification code. At this point your account goes to a “Pending” status. You have one minute to enter this code before the firewall times out and starts the process again.

How many times can I use the same token value?

The token value is a One-Time value. Once you use it, you cannot re-enter the same value. The MFA tracks which value was used and will not allow you to re-enter the same value.

What do I need to do if I misplaced/lost/forgot my fob?

If you are working from home and you lost your fob, do the following steps:

1. Open your Webmail or your Outlook client
2. Open a web browser, and go to “https://mfa.secvcorp.com”
3. Acknowledge the Terms and Disclaimer
4. Enter your username and password
5. You will be prompted to “Enter your token Code”; instead click “Lost my Token”
6. Click “Switch to email token authentication”
7. Click “Ok”

When you open GlobalProtect and click “Connect”, this will trigger an email from MFA@secv.com to be sent to you. This will continue to occur until you enter your fob token code. If you lost your fob, once you VPN in, re-do steps 2, 3, 4, and 5, but now click “Disable my account”. An email will be sent to the MFA admins advising of a lost fob, and we will work with your local IT staff to get a new one to you. Once you click “Disable my account”, you will no longer be able to VPN in until you get a new fob.

Who do I reach out to for support?

If you need additional support, please reach out to your local IT staff. They will work with Engineering to resolve the issue. Also check out our overview slides on the intranet. These can be found under the CSR, TSR, and Engineering drop-down lists.

Written by: Randy Trometter – Sunbury IT Manager

CONNECTIONS Q1 2024
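The time-based six-digit value from "How does it work?" and the one-time rule from "How many times can I use the same token value?", as an added example that is not FortiAuthenticator's own code. It assumes the standard RFC 6238 TOTP algorithm (HMAC-SHA1) with a 60-second step and a secret seed provisioned per fob/app; the article does not name the algorithm, and `totp`, `TokenVerifier`, `seeds` and `drift_steps` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 60      # article: the value changes every minute
DIGITS = 6     # article: six-digit token value


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains unix_time."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Checks a submitted code and refuses a value that was already accepted."""

    def __init__(self, seeds: dict[str, bytes], drift_steps: int = 1):
        self.seeds = seeds            # username -> per-fob secret seed (assumed provisioning)
        self.drift = drift_steps      # tolerated clock drift in steps (assumption)
        self.last_used: dict[str, int] = {}   # username -> newest step already accepted

    def verify(self, user: str, code: str, now: int) -> bool:
        seed = self.seeds.get(user)
        if seed is None:
            return False
        current = now // STEP
        first = max(0, current - self.drift)
        for step_no in range(first, current + self.drift + 1):
            if step_no <= self.last_used.get(user, -1):
                continue              # value for this step (or an older one) was used: replay
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(totp(seed, step_no * STEP), code):
                self.last_used[user] = step_no
                return True
        return False
```

Storing the newest accepted time step per user, rather than a list of used codes, is what makes a replayed value fail even inside the drift window.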