


Risk Based Multi-Factor Authentication (Risk Based MFA)
Reference Guide
Risk Based MFA is a way of enhancing the security of a system or application by helping to prevent unauthorized access to it. Risk Based MFA prevents unauthorized access to commonwealth systems by adding an extra step to the basic log-in procedure.
Enrollment
Steps for Initial Registration Process:
The first time you access any application protected by Risk Based MFA you will need to register:
- Enter your CWOPA userID and password.
- From the dropdown, select and answer three security questions.
- Choose a security PIN. This security PIN will not expire until you choose to change it.
- Select the device type – Public/Private. If Private, a bit of security code (soft token) will be loaded onto the device and locked by the security PIN you selected.
- Once done, the user will be notified via email that they have been successfully enrolled in the Risk Based MFA solution and will be granted access to the requested application.
Standard Login Steps on a “Private” Device:
Commonwealth user accesses application from a remote location and a previously used machine that was marked “Private”:
- User enters their userID and password to access the application.
- Upon entering the correct information, the user enters the same security PIN configured during enrollment in the field provided.
- If correct, Risk Based MFA unlocks the soft token on the device and the user is granted access to the requested application.
If the user’s session is terminated or times out, the user is requested to re-authenticate (repeating steps 1, 2, 3).
Standard Login Steps on a “Public” or Unknown Device:
Commonwealth user accesses application from a “Public” or unknown device (the device does not have the soft token on it):
- User enters their CWOPA userID and password to access the application.
- Upon verifying the userID and password, the user is prompted to select either:
  • Answer security questions – The system will present your registered security questions.
  • A one-time passcode – The system will send a one-time passcode to your registered phone number.
- User will select Private or Public computer option – User will be notified via email when the security option selected is Private upon enrollment.
- User enters their security PIN in the field provided.
- Upon successful validation of the security PIN, the user is granted access to the application.
If the user’s session is terminated or times out, the user is requested to re-authenticate.
Forgot Security PIN Steps on a “Private” Device:
Commonwealth user tries to access the requested application from a “Private” device but has forgotten their security PIN:
- User enters their CWOPA credentials. (At this stage, the soft token already exists on the user’s machine.)
- User is prompted for their security PIN. If the user has forgotten the security PIN, the user clicks on the “Forgot PIN” link.
- The user is requested to either answer their security questions or is sent a one-time passcode to their registered smart phone, depending on their choice.
- User creates a new security PIN and confirms it. The soft token is reset with the user’s new security PIN.
- The user is granted permission to the application.
Note: These steps are only applicable if the user selected the machine as “Private” during the previous login attempt.
Forgot Security PIN Steps on a “Public” Device:
Commonwealth user tries to access the requested application from a “Public” or unknown device and has forgotten their security PIN:
- User is prompted for their CWOPA credentials. There is no soft token on the device.
- User answers their registered security questions or is sent a one-time passcode.
- User will select the computer type – Public/Private.
- User is prompted to provide the security PIN. If the user has forgotten the security PIN, the user clicks on the “Forgot PIN” link.
- The user is allowed to create a new security PIN.
- The user is granted access to the application.
Note: These steps are only applicable if the user selected the machine as “Public” during the previous login attempt.
