
MFA FAQ/Troubleshooting

An ongoing article for MFA troubleshooting tips.
Initial questions to ask 
  • Who is this affecting? One student or multiple?
  • Are they using an app or email?
  • What steps have they taken so far?
  • Have they made any changes to their email/account?
Note

If they need additional assistance, reach out to Laura and Marci. 

MFA Verification Code

If a user has entered an MFA verification code in the past 4 hours, they won't have to enter one again. 

User not getting MFA Authentication email

There are a few reasons why a user might not receive the email containing the code when they sign up for MFA.

  1. Their email in the tenant is wrong. Double-check that the email on file is their correct/current email.
  2. It has gone to their junk/spam folder.
  3. Their firewall is blocking the email. If the 2 options above are not the reason, the user will need to check with their IT department to see if their firewall is blocking the email.

User doesn't have a mobile phone

An email verification option is available for those without access to a mobile device. 

What Authenticator App to use

NCC recommends Google Authenticator, Microsoft Authenticator, or Authy by Twilio.

Device with Authenticator App is lost/damaged/not working

If the device utilizing the authenticator app is lost, damaged, or not working, users need the ability to access their account another way. NCC will present system-generated recovery codes so users can self-service when trying to authenticate into the system without their device present. 

Note: These codes are only presented at the time of the initial setup and should be printed out/written down and kept in a secure location. 

Device is lost and can't find recovery codes

If a user did not save the recovery codes presented during the registration process or lost the codes, the user should contact their Client Support Specialist to reset their MFA. Upon reset, the user will be prompted to reestablish their identity verification method when next signing in to Nelnet. 

Changing Authentication Method after setting it up

Users can change their preferred authentication method by contacting their Client Support Specialist to reset their MFA. This will allow users to configure MFA using email verification or an authenticator app. 

How to find MFA settings in Tenancy
  1. Search for school in Tenant Search
  2. Click on Security and Permissions
  3. Click on Sign-on Settings

[Screenshot: MFA settings]

How to find if and what the school opted out for within Salesforce
  1. Pull up school in Salesforce
  2. Go to Assets
  3. Look at main assets (Payment Plans and/or Refunds)

Configuring MFA on behalf of other users

MFA cannot be configured on behalf of another user, whether the user is a Client Support Specialist, school user, or student/payer.

Why aren't we allowing SMS?

SMS isn't likely to get more secure. As multi-factor authentication becomes more common, more attackers will target it. Attackers usually target the weakest link in security, and with MFA, SMS is the weakest link. SMS text messages are not private or secure because SMS does not support end-to-end encryption. End-to-end encryption ensures that only you and the intended recipient can read a message's contents.

Opting out of MFA 

In order to opt out of our MFA, schools must have SSO and MFA on campus for each audience (students and APs). If APs do not have SSO but they have MFA at the school, they cannot opt out of our MFA.

Offering only email or app 

We cannot have schools only allow one or the other between the app or email for their method. We have to allow both options.

Browser Translation

If you have consumers that are struggling with the MFA setup because of a language barrier, they can use their browser settings to translate the information. Here are steps they can take to translate (please note that the steps may vary based on their browser version):

Google Chrome

  1. Open Google Chrome
  2. Go to the website you want to translate 
  3. Right click on the page
  4. Select "Translate to [language]" from the context menu
    1. If this option doesn't appear, click on the three vertical dots in the top right corner of the browser window
    2. Go to Settings > Advanced > Languages
    3. Add the language you want and make it the default language 

Mozilla Firefox

  1. Open Mozilla Firefox
  2. Go to the website you want to translate
  3. Right click on the page 
  4. Select "Translate to [language]" from the context menu
    1. If this option doesn't appear, click on the three horizontal lines in the top right corner
    2. Go to Options > General > Language and Appearance
    3. Choose the language you want from the drop down menu 

Microsoft Edge

  1. Open Microsoft Edge
  2. Go to the website you want to translate
  3. Click on the three horizontal dots in the top right corner
  4. Choose "Translate" from the menu
    1. If this option doesn't appear, go to Settings > View advanced settings
    2. Under "Languages", add the language you want and make it the preferred language 

Safari (for Mac users)

  1. Open Safari
  2. Go to the website you want to translate 
  3. Click on "View" in the menu bar
  4. Select "Translate to [language]"
    1. If this option doesn't appear, go to Safari > Preferences > Advanced
    2. Enable the "Show Develop menu in menu bar" option
    3. Go back to the website, and under "Develop" in the menu bar, select "Translate to [language]"

MFA still being prompted after MFA being turned off at the institution level

MFA can be turned off at the client level once the client has returned the appropriate addendum. We have found that MFA can still be prompted if it is not turned off in the proper order across the different tenants. When turning off MFA, please disable it from the child tenant(s) up to the parent. If MFA is still being prompted after it was turned off, follow the steps below:

  1. Make sure the child tenant is still set to SSO Consumer MFA = Not Applicable
  2. On the parent tenant, change SSO Consumer MFA to Optional and save changes
  3. On the parent tenant, change SSO Consumer MFA back to Not Applicable and save changes

Is there a time limit with regard to MFA? For example, if I log in to Admin Dashboard > MFA via email > sign out > sign back in to Admin Dashboard

Previously we had a 1-hour window for the MFA prompt; it has been approved to extend this to an 8-hour window. This is a passive prompt, which means that if you remain active in the site and don't get logged out by Enterprise, QuikPay, or any other application, passport will not time you out. If a user has been logged out and tries to log in again within the 8-hour window of when they last performed MFA, they won't be prompted for MFA.

Sign-on settings – for MFA, is there a way to hide the authentication app options for verification?

There is not currently a way to limit the option to ONLY show email as an option. We intentionally designed this to provide our customers with the most secure authentication features possible. It was at the advice of our security team that we ensure everyone had the ability to use an app rather than just email.