Multi-Factor Authentication (MFA) Troubleshooting & FAQs
| Purpose | Review frequently asked questions and login troubleshooting guide for Multi-Factor Authentication (MFA) with FACTS SIS. |
|---|---|
| Related Articles | Set Up Multi-Factor Authentication for FACTS SIS; Checklist: Prepare for Multi-Factor Authentication (MFA); Get Families to Start Using Family Portal with MFA; Maintain a Clean Database FAQs |
| Watch a Video | Multi-Factor Authentication Training Class Video |
Overview
Administrators and school office staff may use this troubleshooting and FAQ guide to get answers to common questions and issues for the new login process, username and password requirements, impact to daily processes, and future planned enhancements.
For related questions about maintaining a clean database, refer to Maintain a Clean Database FAQs.
Why is FACTS requiring this change?
The security of your school and family data is at the forefront of each and every decision we make at FACTS. As more aspects of our lives become dependent upon our ability to access information through mobile and cloud-based services, it has become increasingly important to ensure the integrity of the users behind the devices attempting to access this information. In support of our commitment to providing the highest levels of security for our products, FACTS has made the decision to begin utilizing multi-factor authentication (MFA).
Why does FACTS SIS use a 10-hr MFA reauthentication window?
We've had several schools ask why FACTS SIS prompts for multi-factor authentication every 8 hours and why we don't offer a trusted device option or a longer grace period. It's a fair question, and the answer is rooted in what the current threat picture looks like for K-12. Based on this feedback we have extended the window to 10 hours.
The K-12 threat landscape has shifted, fast.
In the first half of 2025, education was the most-targeted industry in the world, averaging more than 4,300 attacks per organization each week, a 41% year-over-year jump. The CIS MS-ISAC 2025 K-12 Cybersecurity Report found that 82% of reporting K-12 organizations experienced cyber threat impacts, with roughly 9,300 confirmed incidents in the 18 months ending December 2024. Average recovery cost for a K-12 cyber incident now sits at about $2.28 million, before any ransom is considered.
Credentials are the front door.
Verizon's 2025 Data Breach Investigations Report found that compromised credentials drove 22% of all breaches, and 88% of attacks against business web applications. In K-12 specifically, 45% of schools reported business email compromise in the most recent reporting window, and human-targeted attacks (phishing and social engineering) were the leading attack vector by a wide margin.
The PowerSchool breach made this concrete.
A single compromised contractor credential, used against a support portal that lacked MFA, gave a teenage attacker access to data on 62 million students and 9.5 million teachers. One credential. No MFA. That's the entire story. Every K-12 SIS provider in the country is now operating in the shadow of that incident, and our customers should expect us to act accordingly.
What a 10-hour reauthentication window actually does.
An MFA prompt isn't a statement about whether we trust your staff. It's a control on blast radius. Sessions can be hijacked through adversary-in-the-middle phishing kits, replayed from info-stealer logs, or picked up off a workstation that someone forgot to lock. Every additional hour a session stays valid is another hour an attacker has to act before being forced to clear another factor.
Eight hours roughly mirrors a typical school workday. For most staff, that means a single prompt at the start of a shift, while the system avoids carrying an authenticated session overnight, across a weekend, or onto a shared device left logged in at a front desk.
Why aren't we offering a trusted device or a 7-day grace period?
Several of the attack patterns we're now seeing in K-12 specifically defeat trust-the-device models:
- Adversary-in-the-middle phishing kits steal session tokens after MFA succeeds.
- Info-stealer malware harvests browser cookies, including the ones that flag a device as "trusted."
- Allowing each school to set its own threshold creates a long tail of softer-configured tenants, which is exactly what attackers look for.
A 7-day grace period in this environment is effectively a 7-day exposure window after a single successful phish. We don't believe that trade is right for the data your schools entrust us with, particularly student PII, financial information, and family records.
Where we expect the next real improvement to come from.
The industry is moving toward phishing-resistant factors like passkeys, which solve a lot of what makes today's MFA imperfect: better security and a smoother user experience at the same time. That's the direction we're focused on, rather than loosening the current policy.
We hear the friction, and we take it seriously.
An 8-hour prompt isn't free. It costs your staff a few seconds at the start of every shift, and at scale that adds up. We don't take that lightly. The reason we're holding the line is the same reason your insurance carriers, your state privacy regulators, and your auditors are pushing in the same direction: the cost of a K-12 breach in 2025 dwarfs the cost of an extra login prompt.
Troubleshooting & FAQs
Troubleshooting: Review solutions to common MFA and login issues.
FAQs - General: Review answers to questions about why MFA is important and when the changes will be happening.
FAQs - Impact: Review answers to questions about MFA impact to daily processes.
FAQs - Usernames, passwords, and email addresses: Review answers to questions about changes to usernames, passwords, and email address requirements.
FAQs - Future enhancements: Review answers to questions about what the future of MFA looks like and any planned enhancements.
Troubleshooting
Review solutions to common MFA and login issues.
A student is unable to access Family Portal. Are students required to use MFA?
Students are not required to use MFA. However, students may be prompted to update usernames or passwords. We recommend proactively reviewing student credentials to help ensure a smooth experience.
Student accounts must meet the following criteria:
- a valid email address
- a username that is unique across all FACTS products
- a password that meets the new requirements
Use Manage Logins to update student usernames, passwords, and email addresses in bulk.
The MFA invite displays as Sent but there is no username listed.
The user must click the registration link in the email, then create a new account or log into their existing FACTS account.
A parent or staff member is receiving errors while trying to authenticate.
Have the parent or staff member clear cache and cookies for all time. Parents and staff should be logging out of their accounts to prevent sessions from holding on, instead of simply closing out of their browser or window.
A parent or staff member selected the wrong authentication method during their setup.
If a parent or staff member needs to change their authentication preferences they must contact account support to verify their authentication questions and request MFA to be removed. The removal will allow them to select their preferred authentication method the next time they log in.
- School contact FACTS SIS: 1-866-800-6593
- Parent contact FACTS Financial Management: 1-866-441-4637
A parent receives an error that states "error when saving data" when attempting to connect to FACTS Financial Management or add funds to a prepay account.
School contacts, please contact our Account Management team.
- FACTS SIS support: 1-866-800-6593
- FACTS Financial Management support: 1-866-412-4637
Parents, please contact FACTS Financial Management parent support.
- Parent support: 1-866-441-4637
A parent or staff member receives an error that states "oops something went wrong."
- If the user has not completed their account creation, resend the Create Account invite. The user must click the registration link in the email and complete setup.
- Verify the parent or staff member is using the correct username.
- Verify the parent or staff member is not duplicated.
If the issue persists, school contacts, please contact our account management team.
- FACTS SIS support: 1-866-800-6593
- FACTS Financial Management support: 1-866-412-4637
Parents, please contact FACTS Financial Management parent support.
- Parent support: 1-866-441-4637
A parent or staff member receives an error that states "We encountered a temporary error and could not complete your request. Your account is not linked to a person record at this school."
Review Staff Login Management or Family Individual Login Management.
- If there is a username listed and grayed out, the user is most likely using the wrong username or they need to clear cache and cookies for all time.
- If the invite is showing as sent but there is no username, the user must click on the registration link in the email they received to create an account, OR sign into an existing FACTS Financial Management account to link it to their SIS person record.
Users get an error when trying to log in through a bookmark.
Clear cache and cookies, then log in directly at factsmgt.com. Resave any stored bookmarks.
Two parents have the same email address.
Each person should have a unique email address. Shared emails may cause password reset confusion or merged accounts.
A parent is unable to start an application for my school.
| Steps |
|---|
| The parent will need to Create an Account if they are new to your school. Then they will receive an email account invitation to Register. |
| If the system recognizes the parent has an existing user account with FACTS based on the email, they will be prompted to Sign in. Once the parent clicks Save, they will be redirected to the create an application page within five seconds. |
A user is not receiving the MFA verification email or the password reset email.
Verify that the user's email inbox is not inactive, or that the email is not in their spam or junk folder.
Parents with children at more than one FACTS school experience lockouts or confusion when logging in.
MFA is designed for one login across all systems. Make sure the user has the same email address on all accounts so that they link, and that the user is not already logged into another school in the same browser.
A user entered the correct verification code, but receives an error saying it is invalid.
The following issues may cause this error:
- The code is expired
- The browser session has cached data
- The browser autofill is interfering
- The user is already logged in elsewhere
Clear cache & cookies for all time.
When a parent or staff member tries to log in, they receive an error saying the system does not recognize the username.
Select Forgot username/password to identify if you are using the correct username.
Users are receiving email change notifications before they have set up their MFA account.
When MFA is enabled for your school it may inadvertently trigger email notifications indicating that parent demographic information had changed. No actual demographic data was modified.
A parent or staff member's username is listed as "migration."
This is not an error. This means that the person's username was not unique across all of FACTS and needs to be updated.
- Once the parent or staff member attempts to log in to the SIS with their existing username and password, they will be prompted to set up a new username and password that is unique.
Use Create a Report: Family to build a report of individuals whose usernames contain "migration" and who will need to update their username.
Example Create A Report fields

FAQs - General
Review questions about why MFA is important and when the changes will be happening.
What is MFA, and who does it apply to?
Multi-Factor Authentication (MFA) is required to improve data security and protect sensitive student and family information. It adds an extra layer of verification beyond a username and password. MFA is required for staff and parents. Students are not required to use MFA.
When will MFA be required?
MFA will be required on your school's scheduled rollout date. On that date, MFA will become required for staff and parents.
On April 17, 2023, FACTS began requiring MFA within the FACTS Giving product for all administrative users.
On July 12, 2023, FACTS rolled out requirements for administrative users to use MFA to access the following FACTS products:
- FACTS Payment Plans
- FACTS Financial Aid Assessment
- FACTS Payment Forms
On November 13, 2023 FACTS rolled out MFA for consumer users (families) that access the following FACTS products:
- FACTS Payment Plans
- FACTS Financial Aid Assessment
FACTS SIS began implementing MFA for a group of early adopter schools in January 2025.
- In April 2025, MFA began gradually rolling out to all SIS schools.
- In August 2025, the MFA rollout was paused to avoid disruption during the busy start of the academic year, and will resume in late September.
Can our MFA rollout date be changed? Can my school opt out?
In some cases, your MFA rollout date can be changed. Please contact your Account Manager to discuss your situation.
MFA is mandatory and cannot be opted out of.
Who is impacted by this requirement?
At this time, all administrative users (staff and teachers) with access to the following products will be required to utilize MFA:
- FACTS Giving
- FACTS Payment Plans
- FACTS Financial Aid Assessment
- FACTS Payment Forms
On November 13th, 2023, FACTS rolled out MFA for consumer users (families) that access the following FACTS products:
- FACTS Payment Plans
- FACTS Financial Aid Assessment
FACTS SIS began implementing MFA for a group of early adopter schools in January 2025.
- In April 2025, MFA began gradually rolling out to all SIS schools.
What are some additional benefits of this update?
- Login History: School users with security rights to view login management will be able to view login history for users. Additionally, schools will be able to see which users have enrolled in MFA, providing greater visibility into account security across staff and families.
- Single user account across products: We are taking steps to centralize our authentication system across FACTS products. Currently, separate user accounts are necessary for applications, the SIS Family Portal, and some financial products. With this update, users (staff or parents) will be able to use a single account across all FACTS products.
Will my school be notified before these changes go into effect?
Yes, we will notify your school at least 2 weeks before the changes take effect. You’ll receive a notification in the SIS upon login with the specific date, and your Account Manager will also reach out via email to ensure you have the information.
What does our school need to do to prepare for this change?
View our Prepare for Multi-Factor Authentication Checklist and ensure your database is clean.
We’re actively expanding these materials based on feedback from schools to ensure you have the tools needed to support your staff and families.
Will families automatically receive MFA notifications from FACTS?
Schools are responsible for notifying staff and families. There are resources and a video to share with parents. Families may access these resources within the Family Resource Center, or you may also share the links with them.
Can users change their authentication method?
Yes! You may change your preferred authentication method by contacting FACTS account management to verify identity and request MFA removal.
- School Staff Support: 1-866-800-6593
- Parent Support: 1-866-441-4637
Can physical MFA devices (such as Yubikeys) be used instead of email?
No, physical authentication devices are not supported at this time.
FAQs - Impact
Review questions about MFA impact to daily processes.
Will my students who access FACTS Family Portal be required to utilize MFA?
No. Students accessing the Family Portal will not be prompted or required to use MFA to access their FACTS account. However, they may be prompted to update usernames or passwords.
How will MFA impact users that have Single Sign-On (SSO) with their organization?
On its own, a single sign-on (SSO) solution doesn’t satisfy the MFA requirement. If your SSO system uses MFA, you don’t need to also enable FACTS MFA for users who access FACTS products solely through SSO.
If my institution already required MFA, does this impact my current process?
If your institution has an SSO connection with FACTS and already manages the users, passwords and enforcing MFA from their identity provider, there will be no impact to users. If your institution has not enabled Single Sign-On (SSO) with FACTS, users will be required to enable MFA when logging into FACTS.
For questions on how to enable SSO, please reach out to your account management team.
Will schools be able to unlock user accounts if they become locked?
If a user attempts to log in and fails to enter the correct password, authentication code, or verification code 4 or more times within 30 minutes, the account is locked. If they try again later, the account is no longer locked as long as there have not been 4 failed attempts in the last 30 minutes.
Staff who have the appropriate security rights will be able to unlock the user account.
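The lockout rule above behaves as a sliding window, which is why a lock lapses on its own once the oldest failure ages out. The following is an added example, not FACTS code, that models the rule so support staff can predict when an account will unlock. It assumes attempts made while locked are refused without being counted; the usernames and timeline are constructed.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 4                 # page: "4 or more failed attempts"
WINDOW = timedelta(minutes=30)   # page: "in 30 minutes"


class LockoutTracker:
    """Sliding-window lockout: an account is locked while MAX_FAILURES or more
    failed attempts fall inside the trailing WINDOW."""

    def __init__(self):
        self._failures = {}      # username -> list of failure times, oldest first

    def _recent(self, user, now):
        # Drop failures that have aged out of the window.
        recent = [t for t in self._failures.get(user, []) if now - t < WINDOW]
        if recent:
            self._failures[user] = recent
        else:
            self._failures.pop(user, None)
        return recent

    def is_locked(self, user, now):
        return len(self._recent(user, now)) >= MAX_FAILURES

    def unlocks_at(self, user, now):
        """Time the lock lapses on its own, or None if the account is not locked."""
        recent = self._recent(user, now)
        if len(recent) < MAX_FAILURES:
            return None
        # The lock ends once fewer than MAX_FAILURES failures remain in the window.
        return recent[len(recent) - MAX_FAILURES] + WINDOW

    def attempt(self, user, credentials_ok, now):
        # Assumption: attempts made while locked are refused and not counted.
        if self.is_locked(user, now):
            return "locked"
        if credentials_ok:
            return "ok"
        self._failures.setdefault(user, []).append(now)
        return "locked" if self.is_locked(user, now) else "failed"

    def staff_unlock(self, user):
        """Manual unlock by staff with the appropriate security rights."""
        self._failures.pop(user, None)


def replay(events):
    """Run (username, 'HH:MM', credentials_ok) tuples through a fresh tracker."""
    tracker, day = LockoutTracker(), datetime(2025, 1, 6)
    results = []
    for user, hhmm, ok in events:
        h, m = map(int, hhmm.split(":"))
        results.append(tracker.attempt(user, ok, day.replace(hour=h, minute=m)))
    return results


# Constructed sample timeline (not real log data).
SAMPLE = [
    ("jdoe", "08:00", False), ("jdoe", "08:05", False),
    ("jdoe", "08:10", False), ("jdoe", "08:12", False),      # 4th failure: locked
    ("jdoe", "08:20", True),                                  # correct, still locked
    ("jdoe", "08:30", True),                                  # 08:00 failure aged out
    ("asmith", "09:00", False), ("asmith", "09:10", False),
    ("asmith", "09:20", False), ("asmith", "09:31", False),  # never 4 within 30 min
]

if __name__ == "__main__":
    for event, outcome in zip(SAMPLE, replay(SAMPLE)):
        print(*event, "->", outcome)
```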
How will this change impact the sync with Clever?
When a school is enabled with MFA (Multi-Factor Authentication), each user's SIS username must be unique. If a duplicate username is detected, it will be amended with a "migrated" prefix. The next time the user logs into FACTS SIS, they will be prompted to update or change their username. Once the username is updated, the next sync with Clever will send the new username.
If the school is using Clever’s stored password feature, the user must follow the steps in Clever to update their stored username and password accordingly.
How will this change impact the sync with OneRoster?
Following the update, users whose usernames remain unchanged will experience no impact to their login or existing process.
For users with non-unique usernames, FACTS will assign a temporary placeholder username, which is visible until the user logs in and updates it. Users will still login with their existing username and password.
Until the user logs into FACTS and updates their username and the next sync occurs, external applications may not reflect the user's most current username.
Can I configure MFA on behalf of my users?
No. MFA cannot be configured on behalf of another user.
How often will I be prompted to authenticate?
We've heard your concerns that the 4 hour window can lead to inefficiencies, with staff and teachers needing to re-authenticate multiple times during the day. In response, we’re extending the session duration to 8 hours to better support daily workflows. If it has been more than 8 hours since the last authentication and the user signs out, they will be prompted to reauthenticate when signing in.
We have users that do not have a personal mobile phone or device to facilitate MFA. Are there other options to comply?
If users do not have a personal mobile phone or device to utilize MFA, users will have the option to use email verification.
Can users that are both school staff and parents at the same school have a separate account, or should they be the same?
Staff who are also parents at the same school can use the same username and password for both their Staff and Parent accounts if they have been merged and therefore have the same email address on both accounts. However, if they prefer to keep their personal and work accounts separate, they must have a different Email #1 for each account. This ensures that each account remains distinct while still allowing the user to manage both roles effectively.
FAQs - Usernames, passwords, and email addresses
Review questions about changes to usernames, passwords, and email address requirements.
What are the username and password requirements?
- Usernames must be unique across all of FACTS, but do not have a character limit or need special characters
- Email #1 must be unique
- Passwords are case sensitive
- Passwords may not be reused for the same user, up to the last four passwords used
- Passwords must:
  - contain at least 12 characters
  - contain at least one letter
  - contain at least one number
  - include at least one special character: ! @ . # $ % ^ * ( ) _ + -
  - not start or end with a space
  - not include any invalid special characters
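The password rules above expressed as a checker that can pre-screen credentials before a bulk update; this is an added example, not FACTS code. It assumes an interior space is allowed and that any character other than a letter, digit, or listed special counts as an invalid special character. The PBKDF2 history store is likewise an assumption about how the last-four rule can be enforced without keeping plaintext.

```python
import hashlib
import hmac
import os

ALLOWED_SPECIALS = set("!@.#$%^*()_+-")   # special characters listed on the page
MIN_LENGTH = 12                           # page: at least 12 characters
HISTORY_DEPTH = 4                         # page: last four passwords


def policy_violations(password):
    """Return the names of the rules a candidate breaks (empty list = compliant)."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("min_length")
    if not any(c.isalpha() for c in password):
        violations.append("letter")
    if not any(c.isdigit() for c in password):
        violations.append("number")
    if not any(c in ALLOWED_SPECIALS for c in password):
        violations.append("special")
    if password[:1] == " " or password[-1:] == " ":
        violations.append("edge_space")
    # Assumption: "invalid" means any symbol outside the listed set; an
    # interior space is tolerated because only edge spaces are forbidden.
    if any(not c.isalnum() and c not in ALLOWED_SPECIALS and c != " "
           for c in password):
        violations.append("invalid_special")
    return violations


def hash_password(password, salt=None, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256 record; only this tuple is stored, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return (salt, iterations, digest)


def reuses_recent(password, history):
    """history is a newest-last list of hash_password() records for one user."""
    for salt, iterations, digest in history[-HISTORY_DEPTH:]:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, iterations)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def check_new_password(password, history):
    """Combine the composition rules with the reuse rule."""
    violations = policy_violations(password)
    if reuses_recent(password, history):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Spring-2025-Term!", "short1!", "Valid1234567&x"]:
        print(repr(candidate), policy_violations(candidate) or "compliant")
```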
Will all SIS users need to create a new username?
For some users, no changes are necessary. However, if a user’s username is already in use in the FACTS system, they are prompted to choose a new one during login. Similarly, if their password doesn’t meet updated security requirements, they’ll be asked to update it at that time.
Do usernames need to be unique? What happens if a user's username is not unique when they log in?
Yes, usernames must be unique across all FACTS users, not just within your school or district. If a username is not unique at login, the user will be prompted to create a new one.
Is using an email address as a username recommended?
Using an email address as the username may ensure uniqueness, but is not required.
Do students still need unique usernames?
Yes, students must have unique usernames even though MFA does not apply to them.
Can a parent use the same username from their application to complete Enrollment?
Yes, families will be able to utilize the same user account they created to apply to the school to complete their enrollment and access the Family Portal.
As part of onboarding I set up a username and password for my staff. Will I be able to continue assigning them to the classroom and schedule if they don't have a username?
Yes, a user account is not required to assign a teacher to a classroom or add them to a security group. When you’re ready for the staff member to log in, you can initiate an email from FACTS to create their user account.
Schools can see which staff members have not yet created their accounts and can send them the invite email either individually or in bulk.
Can we still update student usernames and passwords?
Yes, staff will retain the ability to create and edit usernames and passwords for student accounts. This functionality will remain unchanged with the upcoming updates.
Will I still be able to see the username for staff and parents in the SIS?
Yes, if your security rights currently include the ability to view login information, you will have access to view usernames for staff and parents.
Can school admins still reset passwords for parents or staff members? Will I be able to initiate the reset password email on behalf of the staff or parent?
With MFA enabled, school admins can no longer reset passwords for parents and staff directly. These users must follow the MFA recovery process or contact Support.
Schools will have the ability to initiate password reset emails for staff and parents directly from the SIS.
Some families mentioned they don't receive the password reset emails in a timely fashion. How do you know this change will solve for that?
As part of this update, the SIS will begin using the same delivery service for account creation and password reset emails that the financial system has been using for a few years, which has been proven to provide reliability and consistency in email delivery. While this update should improve email delivery times for password reset, it’s important to note that no email system can guarantee 100% delivery, as factors like spam filters or settings outside of our control can impact receipt.
What steps will parents take to set up their account?
| First time users | The user already has a FACTS account at another school |
|---|---|
|
|
Can two users share the same email address?
Sharing email addresses is not recommended and may cause errors. Before the MFA rollout, duplicate emails should be removed. After the MFA rollout, every user must have a unique email address.
What if an account does not have an email address, for example substitute teachers?
An email #1 address is required for MFA. Schools may need to create a school-domain email for these accounts.
How can I identify users that are using the same email address?
Use the Duplicate Emails Report. You may also Create a Report to make a list of every user and their email address, then sort by the email to identify any duplicates.
Do users without email addresses need one?
Any user, staff, student, or parent who logs in must have an email address. Users that will not log in, such as some grandparents, do not need one.
FAQs - Future Enhancements
Review questions about what the future of MFA looks like and any planned enhancements.
What changes are being made based on recent user feedback?
We appreciate all the comments and feedback we’ve received directly or in FACTS^SPACE. We’ve heard some great requests we are going to actively begin implementing such as:
- Extended Authentication Window: We've heard your concerns that a 4 or 8 hour window can lead to inefficiencies, with staff and teachers needing to re-authenticate multiple times during the day. In response, we’re extending the session duration to 10 hours to better support daily workflows.
- Improved Mobile Login Experience: We're also making an enhancement for users logging in on mobile devices. The system will now prompt users to paste the verification code from their email, eliminating the need to manually switch between FACTS and their email.
When will Single Sign-on (SSO) be available for FACTS SIS?
Single Sign-On (SSO) has been a long-requested enhancement to FACTS SIS. While SSO via SAML is available for our Tuition and Financial Aid products, integrating this functionality into FACTS SIS has been a very complex project.
While we have prioritized the implementation of MFA for direct access users, we are continuing to work on updates to FACTS SIS to handle multiple audiences and provide SSO functionality. We are planning to launch a beta/early adopter group, which will help us test and refine the SSO experience before a broader rollout.
How can we enable SSO or request to join the early adopter group?
While we are still in the development phase and not ready to begin implementation just yet, you can reach out to your FACTS Account Manager or the Support Team to express interest in joining the early adopter group. This group will help shape the implementation process and contribute to refining the supporting documentation ahead of broader rollout.
Have you looked at enabling biometrics (e.g. FaceID) for MFA login?
We are exploring the ability to enable passkeys that would enable a user to log in using biometric methods (face ID, touch ID, etc.) or a device PIN.
Will the account invitation and password reset emails be available in Spanish?
The emails are not currently available in Spanish. However, users can select Spanish as their preferred language when they access the login or account recovery screens. Expanding language support for emails is something we’re exploring.


