Enhanced Authentication/Auth0

Over the past several months, we've talked a lot about Multi-Factor Authentication (MFA), the use of Auth0, and the importance of a Primary Email Address in AWARDS. These things are all part of an Enhanced Authentication in AWARDS project, which is scheduled to be released very soon, with testing sandboxes to help you prepare!

The Enhanced Authentication project adds a more advanced layer of security to the login process - requiring you to authenticate yourself using either your email address or an authenticator app. You and your teams MUST prepare for this release and we encourage you to take advantage of the testing sandboxes we'll provide for you. 

Important! If you do not prepare by adding a unique Primary Email Address to your AWARDS profile, you will be locked out of AWARDS when this Enhanced Authentication project is released, until someone can assist you.

 

 

We acknowledge that some of this is complex and technical information. We've done our best to break it down into easy-to-follow guidance, and we've included a detailed (and growing) FAQ section at the bottom of the page. Never hesitate to connect with your Customer Experience Representative if you have any questions or need assistance!

 


Enhanced Authentication Testing and Release Timeline

Below you’ll find a general timeline from now until the release of Enhanced Authentication to all databases. Once we deploy and finish our internal testing, you will have a 2-week period to perform testing in your agency’s sandbox testing environment. We anticipate all testing to be complete and Enhanced Authentication released to all databases in Q4. 


I'm a Line Staff Worker. What Do I Need to Know?

To many of you, all of this information is a lot to take in. So what are the most important things you need to know and do?

  1. Make sure you have a Primary Email Address entered in your AWARDS account profile. If you don't currently have an agency Email Address, please work with your Program Director to determine what you should include as your Primary Email Address in AWARDS.


  2. Check with your agency or Program Director to learn what method of Multi-Factor Authentication (MFA) your agency has chosen to use, and make sure you're set up with that method.

 


For All Program Directors, Administration, IT Professionals, or Other Leaders, Please Review the Information Below

How to Prepare for Enhanced Authentication/Auth0

  • If your organization utilizes the Consumer Login functionality, confirm that all active consumer users have a unique Primary Email Address entered on their Face Sheet in the Email field.

  • Determine if your teams will use an Authenticator App or their Email Address - and prepare accordingly.

  • Work with your IT teams to prepare for sandbox testing:

    • Identify an internal team to manage the testing process.

    • Assess your technical environments (desktops, tablets in the field, mobile phones, etc.) and plan for your testing to include all scenarios.

    • Determine how you will work with all internal teams to ensure complete testing.

What to Know about the Testing Sandboxes

  • The sandbox testing period will run for approximately 2 weeks.

  • Testing sandboxes will be a point-in-time copy of your live database, with no connection/syncing between your live database and the sandbox from that point forward.

  • Login credentials active in your live database at the time of the copy will be what users utilize for testing. 

    • Any user accounts created in your production environment after the sandbox copy has occurred will need to be re-created in your sandbox environment.

  • There will be a clearly visible indicator on all screens in the testing sandbox alerting users to the fact that this is NOT your live database. Live data entry should NOT be completed in this sandbox environment.

What to Expect with Enhanced Authentication in AWARDS

  • Existing username and password combinations will still work as expected.

  • All users will need a unique Primary Email Address saved in their AWARDS account.

  • Users will be able to log in using either their Username or Email Address.

  • Multi-Factor Authentication (MFA) will be required for all users - via Email Address or Authenticator App.

    • MFA will be adaptive, meaning AWARDS will recognize users on devices, which will limit the frequency of authentication requests.

  • There will be a new workflow for the "Forgot Login/Password" functionality, aligned with the MFA feature.

  • Future releases will incorporate options for Text as well as Single Sign On (SSO).

As we get closer to the testing sandbox period, we will provide additional resources like training videos, tip sheets, and webinars, as well as more detailed information regarding how to access the sandboxes. We know this will be a big change for all AWARDS users and we are committed to ensuring you are prepared and ready for the new login functionality. Thank you for your ongoing partnership as we continue to upgrade AWARDS to meet your needs. 

 


Frequently Asked Questions 

Auth0 Basics

  • What is Auth0?

Auth0 is an identity and access management platform that provides a secure and customizable solution for user authentication, authorization, and identity management. You've likely used Auth0 to access other applications in your personal life without even knowing it!

  • How does AWARDS plan to use Auth0?

We are working to replace our existing authentication with Auth0 for all user accounts across all databases.

  • Why do organizations use Auth0? Why did Foothold decide to implement Auth0 in AWARDS?

Organizations use Auth0 to enhance security, streamline authentication processes, and provide a seamless, consistent experience for users across various platforms and applications. We decided to implement Auth0 into AWARDS because it gives us access to additional elements of functionality that cannot be accomplished today without significant effort, such as additional authentication options, SSO, scalability, new integrations, and adaptive MFA. 

Email Requirements for Users/Logins

  • Are there any requirements to implement Auth0?

Yes. Auth0 will require all staff and client/consumer accounts to be assigned a unique Email Address.

For staff accounts, the Work Email (soon to be re-labeled Primary Email) must be populated with an email address that is unique to that user - unique from all other users across your database. 

If you use our consumer portal functionality, all client/consumer accounts must have the Email field populated with an email address that is unique across your database. 

  • I don't know if all my staff and/or consumer logins have a unique email address. Help! 

No problem! To determine which staff members are missing email addresses (either work or personal), you can run the saved "Foothold Report - Missing Emails" report format in the Employee ReportBuilder. If you are still unsure if your accounts need attention, please reach out to your Customer Experience Representative. They can tell you an overall count of accounts that need attention and they can also provide you with the exact list of accounts that are out of compliance. 

  • Is Email absolutely required for our user accounts?

Yes! Auth0 has a hard requirement that all user accounts must have a unique Email Address as that's one of the various methods it uses to confirm a user's identity. Email can be used for resetting passwords or for serving MFA challenges to the user if that's the method of MFA that has been set up for that user. Please note: Users do not need to use the associated Email for their MFA. Users can select alternate methods for MFA, such as an Authenticator App outlined in the Auth0 MFA section.

  • My organization does not give our users Email Addresses and my users do not want to use their personal Email. What do we do?

Please see our tips below for how to ensure all of your accounts have Email Addresses ahead of the release of Auth0.

  • My organization can't afford to provide unique Email Addresses for all employees that they will be able to use for MFA and/or retrieving login credentials. Are there any affordable options out there?

Google Workspace for Nonprofits offers free access to employee email addresses and more, for nonprofits who qualify for eligibility. If you are eligible for this program, you will be able to create unique email addresses for each of your users that can then be added to AWARDS. NOTE: Foothold does not endorse any particular products or services, but rather provides information regarding options we have heard from other customers.

  • Can I use fake Email Addresses for active accounts? What are the negative impacts of taking this path?

You can enter a "fake" email in the "Primary Email" field, as long as the following conditions are met: it is a legitimate email format, it is unique across all users in your database, and the email address is not actually a legitimate email address for someone else in the world. Our guidance here would be to use your agency email address formats, even if you don't intend to activate that email address. NOTE - If you choose this option, users will NOT be able to utilize the AWARDS built-in password recovery feature, nor will they be able to use the Email option for MFA moving forward.

  • How will this affect my service accounts, such as automated systems that access the database after hours? Will these accounts need a unique Email Address too?

Yes. Every account that accesses AWARDS must be associated with a unique email address. If you are concerned about MFA and your automated systems or bots, please see the Adaptive MFA section below for more information on Adaptive MFA.
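
One way to check an account list against the email requirements above before the release, as an added example (not Foothold's or Auth0's code). The CSV layout, column names, sample rows, and the case-insensitive comparison are assumptions made for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export. Column names are hypothetical, not an AWARDS format.
SAMPLE_EXPORT = """account_type,username,primary_email
staff,jdoe,jdoe@agency.example
staff,asmith,ASmith@agency.example
consumer,c1001,asmith@agency.example
staff,bnguyen,
service,nightly-sync,nightly-sync@agency
staff,mlee, mlee@agency.example
"""

# Deliberately simple shape check: one "@", no whitespace, a dot in the domain.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def audit_primary_emails(csv_text):
    """Return accounts with missing, malformed, or duplicated primary emails."""
    missing, malformed = [], []
    seen = defaultdict(list)  # normalized email -> usernames holding it
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"].strip()
        email = (row["primary_email"] or "").strip()
        if not email:
            missing.append(user)
        elif not EMAIL_SHAPE.match(email):
            malformed.append(user)
        else:
            # Assumption: compare case-insensitively so near-identical
            # addresses are flagged for review rather than missed.
            seen[email.lower()].append(user)
    duplicates = {e: u for e, u in seen.items() if len(u) > 1}
    return {"missing": missing, "malformed": malformed, "duplicates": duplicates}


if __name__ == "__main__":
    report = audit_primary_emails(SAMPLE_EXPORT)
    for kind, found in report.items():
        print(f"{kind}: {found}")
```

Staff, consumer, and service accounts are checked together because the uniqueness requirement applies across the whole database.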

Multi-Factor Authentication (MFA)

  • What is MFA?

MFA stands for Multi-Factor Authentication and is also sometimes referred to as Two-Factor Authentication (2FA). MFA is an authentication method that requires the user to provide two or more verification factors to gain access to the application. You’ve probably used MFA several times in other applications, such as your bank website or your medical portal for your doctor’s office.

  • Which methods of MFA will be available in AWARDS?

At Auth0 launch, AWARDS will support the following methods of MFA: Email and Authenticator Apps. We are planning to implement MFA via Text/SMS in a future release, after the initial release of Auth0.

  • Do all of my accounts have to use MFA? They don't today.

After the launch of Auth0 into AWARDS, MFA will be mandatory across all accounts. MFA is a critical security layer that ensures your clients' data is safe and secure.

  • What is the process for getting each account set up with MFA?

After the launch of Auth0 into AWARDS, each user who attempts to access the application will be presented with a prompt to enable MFA for their account. As soon as the screen designs are ready, we will be creating a document and video(s) that walk through the various workflows for setting up MFA and logging in with these accounts. Stay tuned!

Adaptive MFA

  • What is Adaptive MFA?

Adaptive MFA ensures that your users are not constantly challenged with MFA prompts. Adaptive MFA evaluates user behavior, context, and risk factors to dynamically enforce MFA only when necessary, enhancing security while maintaining a seamless user experience. Adaptive MFA will be enabled by default in AWARDS as a part of the first Auth0 release.

  • How does Adaptive MFA affect the user experience?

Adaptive MFA aims to provide a smoother user experience. Users are prompted for MFA only when risk is detected, reducing unnecessary authentication challenges. This means your users can continue to access AWARDS with just their username and password so long as risk is not detected.

  • What types of risk factors does Adaptive MFA consider?

Adaptive MFA considers factors like location, device characteristics, user behavior anomalies, IP reputation, and more to calculate the risk score and determine whether to prompt for MFA. There are additional heuristics to detect bot attacks and similar behaviors that may trigger the MFA prompt as well.

  • With Adaptive MFA, how frequently will my users be prompted to authenticate?

Your users will be prompted to authenticate (MFA) on their first login to AWARDS to confirm their identity. Moving forward, your users will only be prompted to MFA if they are accessing AWARDS on a different computer or a different network.

  • Is there a timeframe for which users will be prompted to authenticate even if there are no additional risk factors?

No. Users are only prompted to MFA when risk factors are detected. This means there is no 30/45/90 day window in which users will be prompted again. If your users work on the same computer at your office every day, they will only be prompted to MFA on their first login and likely will not be prompted again.

  • My users are often in the field using tablets on mobile broadband (4G/5G). How will Adaptive MFA handle this situation?

Adaptive MFA on mobile devices functions in a similar method to local devices, such as laptops or desktop computers. On a tablet or mobile device, the user will be prompted to MFA into AWARDS on their first login and only subsequent logins with additional risk factors will trigger a new MFA challenge.

  • My users share devices frequently to access AWARDS. How will Adaptive MFA handle this situation?

Adaptive MFA is per-user, meaning the first login on the device for each user will go through the MFA process. Subsequent login attempts will not trigger MFA challenges unless additional risk factors are detected.

Single Sign On (SSO)

  • What is SSO?

SSO stands for Single Sign On and permits a user to use one set of login credentials -- for example, a username and password -- to access multiple applications.

  • Will Auth0 enable SSO in AWARDS?

SSO will not be available in AWARDS at the launch of Auth0, but we will be working to add various methods of SSO in a future release after launch.

  • Which methods of SSO will be supported in AWARDS?

We plan to support at least SAML/Active Directory SSO. We will continue to explore other methods of SSO, such as Okta or Google. Please let us know if other methods of SSO would benefit you and your users.

 
