MFA Setup

To enhance system security, Applied enabled multi-factor authentication (MFA) for Applied Cloud products using Okta for identity and access management. To use MFA, users must have an email address associated to their account and have set up a preferred method of authentication. MFA is enforced for all Applied Cloud users.

This article provides instructions for Applied Cloud Manager (ACM) administrators to perform the setup and login process for MFA.

For step-by-step MFA setup and login instructions for office administrators and users, access see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Adding an Email Address for MFA

Multi-factor authentication requires a unique email address for each user to directly communicate with that user. A business email address is preferred for MFA.  

All users must have an email address associated with their accounts. You can add an email to each user account, or users can do it themselves when they log in to their Applied Cloud account and are prompted to add a business email. An email address is required when creating a new user in Applied Cloud Management (ACM).

If a user will be using email authentication for their MFA, the email address on the account must match the email address for authentication. Users must have access to this email address outside of the RDP (Cloud) environment – either locally on their desktop or via their smart device.

To update a user’s business email, complete the following steps:

1. Click the Accounts button.
2. Right click the appropriate account and select Properties from the dropdown menu.
3. Enter a Business Email in the ACM – Account Properties window.
4. Click Save.

Setting Up Multi-Factor Authentication

As part of the MFA setup, everyone in your agency/brokerage must choose a method of authentication. This is the second factor the system uses to verify a user’s identity when they sign in to the account. Applied Systems recommends using the Okta Verify app as the preferred MFA method.

Note: If you are on private cloud, the AppAdmin account also requires MFA.

The following methods are available to use for multi-factor authentication:

• Okta Verify: Requires the user to install the Okta Verify app on their smart device.
• Google Authenticator: Requires users to install the Google Authenticator app on their smart device.
• SMS: Requires users to have an SMS enabled device that can receive text messages.

• Voice Call: Requires users to have a device that can receive phone calls.

• Email: Requires users to have access to a business email address outside their RDP (Cloud) environment – such as accessing email locally using a desktop or smart device.

Note: TAMCloud users can access their @insuremail.net email account outside of a TAMCloud RDP session. They can access via OWA, or configure mail on their mobile device or Outlook desktop to connect to the @insuremail mail server.

For more information on each method and step-by-step instructions, see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Logging in with MFA

After users have set up a method of MFA, they can log in to Applied Cloud with MFA.

For information on how to log in to Applied Cloud using each MFA method, see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Unlocking an Okta Account

If users use Okta Verify as their MFA method, they can unlock their account if it has been locked. An account may become locked after multiple failed attempts to verify. Users must have a security question set up to unlock their account. They are prompted to set a secondary email address and security question when they log into their Okta account. If they have not set up a security question or forget their answer, they must contact Applied Support to unlock their account.

For information on how to unlock an Okta Account, see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Changing Authentication Methods

Users can switch to a different authentication method or enable additional methods. For step-by-step instructions, see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Setting Up a New Device with MFA

If users need to set up MFA on a new device, such as a smartphone, they must complete the steps in the Applied Cloud MFA User Guide while they still have access to their old device. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

If the user does not have access to their previous device, contact Applied Support.

Note: Okta Verify can only be enabled on one device at a time.

Adding New Employees to MFA

To set up new employees to use MFA, the following steps must be completed:

1. Create a user account following the steps documented in the Add User Account article.
2. The user selects a preferred method of authentication. Users must wait 60 minutes after their accounts are created before proceeding with setting up multi-factor authentication.
   
   For more information on each method and step-by-step instructions, see the Applied Cloud MFA User Guide. If you are a U.K. or Ireland brokerage, read the Applied Cloud MFA User Guide specific to your region.

Troubleshooting MFA for your Agency/Brokerage

If a user is locked out of an account or is having issues logging in to Applied Cloud with MFA, verify the following information.

• The user has an email address associated with the account. To verify, view the Email Address column in the Accounts list.
• The user has set up a method of MFA. If the user has not set up an authentication method, the user will be locked out of the account. To verify, send a communication to the user.
• If using email authentication as the MFA method, the email address associated with the user account in Applied Cloud Manager must match the email address entered for MFA. The user must have access to this email address outside of their RDP (Cloud) environment – either locally on a desktop or via a smart device. To verify, send a communication to the user.

Note: Updates to MFA settings may take up to 60 minutes to take effect. Users will not be able to log in using MFA during this time; however, active sessions are not affected.