Multi-Factor Authentication (MFA) Troubleshooting & FAQs

Last updated
Save as PDF

Purpose	Review frequently asked questions and login troubleshooting guide for Multi-Factor Authentication (MFA) with FACTS SIS.
Related Articles	Set Up Multi-Factor Authentication for FACTS SIS Checklist: Prepare for Multi-Factor Authentication (MFA) Get Families to Start Using Family Portal with MFA Maintain a Clean Database FAQs
Watch a Video	Multi-Factor Authentication Training Class Video

Overview

Administrators and school office staff may use this troubleshooting and FAQ guide to get answers to common questions and issues for the new login process, username and password requirements, impact to daily processes, and future planned enhancements.

For related questions about maintaining a clean database, refer to Maintain a Clean Database FAQs.

Troubleshooting

Review solutions to common MFA and login issues.

A student is unable to access Family Portal. Are students required to use MFA?

Students are not required to use MFA. However, student accounts must still meet the following criteria:

a valid email address
a username that is unique across all FACTS products
a password that meets the new requirements

Use the Account Update Import Tool to update student usernames and email addresses in bulk.

The MFA Invite displays as Sent but there is no username listed.

The user must click the registration link in the email, then create a new account or log into their existing FACTS account.

A parent or staff member is receiving errors while trying to authenticate.

Have the parent or staff member clear cache and cookies for all time. Parents and staff should be logging out of their accounts to prevent sessions from holding on, instead of simply closing out of their browser or window.

A parent or staff member selected the wrong authentication method during their setup.

If a parent or staff member needs to change their authentication preferences they must contact account support to verify their authentication questions and request MFA to be removed. The removal will allow them to select their preferred authentication method the next time they log in.

School contact FACTS SIS: 1-866-800-6593
Parent contact FACTS Financial Management: 1-866-441-4637

A parent receives an error that states "error when saving data" when attempting to connect to FACTS Financial Management or add funds to a prepay account.

Contact our Account Management team.

School contact FACTS SIS: 1-866-800-6593
School contact FACTS Financial Management: 1-866-412-4637

A parent or staff member receives an error that states "We encountered a temporary error and could not complete your request. our account is not linked to a person record at this school."

Review Staff Login Management or Family Individual Login Management.

If there is a username listed and grayed out, the user is most likely using the wrong username or they need to clear cache and cookies for all time.
If the invite is showing as sent but there is no username, the user must click on the registration link in the email they received to create an account, OR sign into an existing FACTS Financial Management account to link it to their SIS person record.

Two parents share the same email address.

Each person should ideally have a unique email address. Shared emails may cause password reset confusion.

A parent is unable to start an application for my school.

Steps	Example screenshots
The parent will need to Create an Account if they are new to your school. Then they will receive an email account invitation to Register.
If the system recognizes the parent has an existing user account with FACTS based on the email, they will be prompted to Sign in. OR They can Create a New Account, which will prompt the parent to setup their username and password, and record required demographic information such address, phone number, and authentication questions. Once the parent clicks Save, they will be redirected to the create an application page within five seconds.

Steps

Example screenshots

The parent will need to Create an Account if they are new to your school. Then they will receive an email account invitation to Register.

If the system recognizes the parent has an existing user account with FACTS based on the email, they will be prompted to Sign in.
OR
They can Create a New Account, which will prompt the parent to setup their username and password, and record required demographic information such address, phone number, and authentication questions.

Once the parent clicks Save, they will be redirected to the create an application page within five seconds.

A user is not receiving the MFA verification email.

Verify that the user's email inbox is not inactive, or that the email is not in their spam or junk folder.

A user entered the correct verification code, but receives an error saying it is invalid.

The following issues may cause this error:

The code is expired
The browser session has cached data
The browser autofill is interfering
The user is already logged in elsewhere

Clear cache & cookies for all time.

A parent or staff member's username is listed as "migration."

This is not an error. This means that the person's username was not unique across all of FACTS and needs to be updated.

Once the parent or staff member attempts to log in to the SIS with their existing username and password, they will be prompted to setup a new username and password that is unique.

Tip

Use Create a Report: Family to build a report of individuals with usernames that contain "migration" and will need to update their username.

Example create a report fields

FAQs

Below are frequently asked questions and answers about the MFA setup process, changes to the login process, and impact to daily processes.

General

Review questions about why MFA is important and when the changes will be happening.

What is MFA, and who does it apply to?

Multi-Factor Authentication (MFA) is required for staff and parents. Students are not required to use MFA.

Why is FACTS requiring this change?

The security of your school and family data is at the forefront of each and every decision we make at FACTS. As more aspects of our lives become dependent upon our ability to access information through mobile and cloud-based services, it has become increasingly important to ensure the integrity of the users behind the devices attempting to access this information.

In support of our commitment to providing the highest levels of security for our products, FACTS has made the decision to begin utilizing multi-factor authentication (MFA).

When will MFA be required?

MFA will be required on your school's scheduled rollout date. On that date, the MFA will become required for staff and parents.

On April 17, 2023, FACTS began requiring MFA within the FACTS Giving product for all administrative users.

On July 12, 2023, FACTS rolled out requirements for administrative users to use MFA to access the following FACTS products:

FACTS Payment Plans
FACTS Financial Aid Assessment
FACTS Payment Forms

On November 13, 2023 FACTS rolled out MFA for consumer users (families) that access the following FACTS products:

FACTS Payment Plans
FACTS Financial Aid Assessment

FACTS SIS will begin implementing MFA for a group of early adopter schools in January 2025.

Beginning April 2025, MFA will be gradually rolled out to all SIS schools.
In August 2025, the MFA rollout was paused to avoid disruption during the busy start of the academic year, and will resume in late September.

Can our MFA rollout date be changed?

In some cases, yes. Please contact your Account Manager to discuss your situation.

Who is impacted by this requirement?

At this time, all administrative users – staff and teachers - with access to the following products will be required to utilize MFA:

FACTS Giving
FACTS Payment Plans
FACTS Financial Aid Assessment
FACTS Payment Forms

On November 13^th, 2023, FACTS rolled out MFA for consumer users (families) that access the following FACTS products:

FACTS Payment Plans
FACTS Financial Aid Assessment

FACTS SIS will begin implementing MFA for a group of early adopter schools in January 2025.

Beginning April 2025, MFA will be gradually rolled out to all SIS schools.

What are some additional benefits of this update?

Login History: school users with security rights to view login management, will be able to view login history for users. Additionally, schools will be able to see which users have enrolled in MFA, providing greater visibility into account security across staff and families.
Single user account across products: We are taking steps to centralize our authentication system across FACTS products. Currently, separate user accounts are necessary for applications, the SIS Family Portal, and some financial products. With this update, users (staff or parents) will be able to use a single account across all FACTS products.

Will my school be notified before these changes go into effect?

Yes, we will notify your school at least 2 weeks before the changes take effect. You’ll receive a notification in the SIS upon login with the specific date, and your Account Manager will also reach out via email to ensure you have the information.

Most schools will be implemented over the summer, between June and August.

What does our school need to do to prepare for this change?

View our Prepare for Multi-Factor Authentication Checklist and ensure your database is clean.

We’re actively expanding these materials based on feedback from schools to ensure you have the tools needed to support your staff and families.

Will families automatically receive MFA notifications from FACTS?

Schools are responsible for notifying staff and families. There are resources and a video to share with parents. Families may access these resources within the Family Resource Center, or you may also share the links with them.

Can physical MFA devices (such as Yubikeys) be used instead of email?

No, physical authentication devices are not supported at this time.

How can I identify users that are using the same email address?

Use Create a Report to make a list of every user and their email address, then sort by the email to identify any duplicates.

Impact

Review questions about MFA impact to daily processes.

Will my students who access FACTS SIS Family Portal be required to utilize MFA?

No, Students accessing the Family Portal will not be prompted or required to use MFA to access their FACTS account.

How will MFA impact users that have Single Sign-On (SSO) with their organization?

On its own, a single sign-on (SSO) solution doesn’t satisfy the MFA requirement. If your SSO system uses MFA, you don’t need to also enable FACTS MFA for users who access FACTS products solely through SSO.

If my Institution already requires MFA, does this impact my current process?

If your institution has an SSO connection with FACTS and already manages the users, passwords and enforcing MFA from their identity provider, there will be no impact to users. If your institution has not enabled Single Sign-On (SSO) with FACTS, users will be required to enable MFA when logging into FACTS.

For questions on how to enable SSO, please reach out to your FACTS account management team.

Will schools be able to unlock user accounts if they become locked?

If a user attempts to login and they fail to type the correct password, authentication code or verification code, 4 or more failed attempts in 30 minutes, then the account is locked. If they try again later, as long as there haven't been 4 failed attempts in the last 30 minutes, then the account is no longer locked.

Staff that have the appropriate security rights, will be able to unlock the user account.

How will this change impact the sync with Clever?

When a school is enabled with MFA (Multi-Factor Authentication), each user's SIS username must be unique. If a duplicate username is detected, it will be amended with a "migrated" prefix. The next time the user logs into FACTS SIS, they will be prompted to update or change their username. Once the username is updated, the next sync with Clever will send the new username.

If the school is using Clever’s stored password feature, the user must follow the steps in Clever to update their stored username and password accordingly.

How will this change impact the sync with OneRoster?

Following the update, users whose usernames remain unchanged will experience no impact to their login or existing process.

For users with non-unique usernames, FACTS will assign a temporary placeholder username, which is visible until the user logs in and updates it. Users will still login with their existing username and password.

Until the user logs into FACTS and updates their username and the next sync occurs, external applications may not reflect the user's most current username.

Can I configure MFA on behalf of my users?

No. MFA cannot be configured on behalf of another user.

How often will I be prompted to authenticate?

We've heard your concerns that the 4 hour window can lead to inefficiencies, with staff and teachers needing to re-authenticate multiple times during the day. In response, we’re extending the session duration to 8 hours to better support daily workflows. If it has been more than 8 hours since the last authentication and the user signs out, they will be prompted to reauthenticate when signing in.

We have users that do not have a personal mobile phone or device to facilitate MFA. Are there other options to comply?

If users do not have a personal mobile phone or device to utilize MFA, users will have the option to use email verification.

Can users that are both school staff and parents at the same school have a separate account, or should they be the same?

Staff who are also parents at the same school can use the same username and password for both their Staff and Parent accounts if they have been merged and therefore have the same email address on both accounts. However, if they prefer to keep their personal and work accounts separate, they must have a different Email #1 for each account. This ensures that each account remains distinct while still allowing the user to manage both roles effectively.

Can users change their authentication method?

Yes! You may change your preferred authentication method by contacting FACTS account management to verify identity and request MFA removal.

School Staff Support: 1-866-800-6593
Parent Support: 1-866-441-4637

Usernames, passwords, and email addresses

Review questions about changes to usernames, passwords, and email address requirements.

What are the username and password requirements?

Usernames must be unique across all of FACTS
Email #1 must be unique
Passwords are case sensitive
Passwords may not be reused for the same user, up to the last four passwords used
Passwords must:
- contain at least 12 characters
- contain at least one letter
- contain at least one number
- include at least one special character: ! @ . # $ % ^ * ( ) _ + -
- not start or end with a space
- not include any invalid special characters

Will all SIS users need to create a new username?

For some users, no changes are necessary. However, if a user’s username is already in use in the FACTS system, they are prompted to choose a new one during login. Similarly, if their password doesn’t meet updated security requirements, they’ll be asked to update it at that time.

Do usernames need to be unique, and should they be email addresses?

Yes, usernames must be unique across all FACTS users, not just within your school or district. Using an email address as the username is strongly recommended to ensure uniqueness. If a username is not unique at login, the user will be prompted to create a new one.

Is using an email address as a username recommended??

Yes, using an email address as the username is the easiest way to ensure uniqueness.

What happens if a user’s username is not unique when they log in?

The user will be prompted to create a new, unique username during login.

Can two users share the same email address?

Sharing email addresses is not recommended and may cause errors. Before the MFA rollout, duplicate emails may be removed. After the MFA rollout, every user must have a unique email address.

What about users who will never log in, for example, grandparents?

If they will not be logging in, an email address is not required.

What if an account does not have an email address, for example, substitute teachers?

An email #1 address is required for MFA. Schools may need to create a school-domain email for these accounts.

Do users without email addresses need one?

Any user, staff, or parent who logs in must have an email address. Non‑logging users, such as some grandparents, do not need one.

Do students still need unique usernames?

Yes, students must have unique usernames even though MFA does not apply to them.

Can a parent use the same username from their application to complete enrollment?

Yes, families will be able to utilize the same user account they created to apply to the school to complete their enrollment and access the family portal.

As part of onboarding, I setup a username and password for my staff, will I be able to continue assigning them to the classroom and schedule if they don’t have a username?

Yes, a user account is not required to assign a teacher to a classroom or add them to a security group. When you’re ready for the staff member to log in, you can initiate an email from FACTS to create their user account.

Schools can see which staff members have not yet created their accounts and can send them the invite email either individually or in bulk.

Can we still update student usernames and passwords?

Yes, staff will retain the ability to create and edit usernames and passwords for student accounts. This functionality will remain unchanged with the upcoming updates.

Will I still be able to see the username for staff and parents in the SIS?

Yes, if your security rights currently include the ability to view login information, you will have access to view usernames for staff and parents.

Will I be able to initiate the reset password email on behalf of the staff or parent?

Yes, schools will continue to have the ability to initiate password reset emails for staff and parents directly from the SIS.

Some families mentioned they don’t receive the password reset emails in a timely fashion, how do you know this change will solve for that?

As part of this update, the SIS will begin using the same delivery service for account creation and password reset emails that the financial system has been using for a few years, which has been proven to provide reliability and consistency in email delivery. While this update should improve email delivery times for password reset, it’s important to note that no email system can guarantee 100% delivery, as factors like spam filters or settings outside of our control can impact receipt.

What steps will parents take to set up their account?

First time users	The user already has a FACTS account at another school
Click Register within the email invitation. Type the email address associated with the account. Follow steps to create a username, password, and MFA authentication questions.	Click Register within the email invitation. Type the existing FACTS email address used at another school. Select Sign In in the Existing account on file window. Do NOT select Create New Account.

If a staff member is also a parent, do you recommend having them use the same username and password?

They have the option to use a single login for both roles, which can be convenient for users who prefer not to manage multiple accounts. However, they may also choose to maintain separate logins for their parent and staff access, depending on their preference.

Future enhancements

Review questions about what the future of MFA looks like and any planned enhancements.

What changes are being made based on recent user feedback?

We appreciate all the comments and feedback we’ve received directly or in FACTS^SPACE. We’ve heard some great requests we are going to actively begin implementing such as:

Extended Authentication Window: Currently, the authentication session lasts 4 hours. We've heard your concerns that this can lead to inefficiencies, with staff and teachers needing to re-authenticate multiple times during the day. In response, we’re extending the session duration to 8 hours to better support daily workflows.
Improved Mobile Login Experience: We're also making an enhancement for users logging in on mobile devices. The system will now prompt users to paste the verification code from their email, eliminating the need to manually switch between FACTS and their email.

When will Single Sign-on (SSO) be available for FACTS SIS?

Single Sign-On (SSO) has been a long-requested enhancement to FACTS SIS. While SSO via SAML is available for our Tuition and Financial Aid products, integrating this functionality into FACTS SIS has been a very complex project.

While we have prioritized the implementation of MFA for direct access users, we are continuing to work on updates to FACTS SIS to handle multiple audiences and provide SSO functionality. We are planning to launch a beta/early adopter group, which will help us test and refine the SSO experience before a broader rollout.

How can we enable SSO or request to join the early adopter group?

While we are still in the development phase and not ready to begin implementation just yet, you can reach out to your FACTS Account Manager or the Support Team to express interest in joining the early adopter group. This group will help shape the implementation process and contribute to refining the supporting documentation ahead of broader rollout.

Have you looked at enabling biometrics (e.g. FaceID) for MFA login?

We are exploring the ability to enable passkey’s that would enable a user to login using biometric methods (face ID, touch ID, etc.) or a device PIN.

Have you found a way to enable a trusted device/browser for FACTS SIS MFA login?

We are exploring the ability to enable a trusted device option.

Will the account invitation and password reset emails be available in Spanish?

The emails are not currently available in Spanish. However, users can select Spanish as their preferred language when they access the login or account recovery screens. Expanding language support for emails is something we’re exploring.