Multi-factor authentication
- Part of
MFA will be turned on by default for governor accounts from Friday 30 June 2023.
Multi-factor authentication (MFA) is a default security setting on staff (MIS) and non-MIS accounts (i.e. non-learner accounts) and is required when non-learner users log in to Hwb outside the trusted network of their school or organisation e.g. off-site. MFA helps to protect user accounts from phishing attacks.
In order to use MFA, non-learner users will need to download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone, and link the app to their Hwb account. Once installed, the Microsoft Authenticator app will generate a verification code every 30 seconds which users will need to input, together with their username and password, every time they log in to Hwb outside the trusted network of their school or organisation e.g. off-site.
Setting up multi-factor authentication
There are three parts to setting up multi-factor authentication:
- Turn on MFA – MFA is already on by default for staff, non-MIS, school digital champion and Hwb dashboard administrator accounts. However, school digital champions can also turn on MFA for governors in their school before 30 June 2023.
- Download the Microsoft Authenticator app - all non-learner users will need to download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone or tablet.
- Link the Microsoft Authenticator app – all non-learner users will need to link the Microsoft Authenticator app to their Hwb account when prompted on their first log in to Hwb outside the trusted network of their school or organisation e.g. off-site.
-
MFA is already on by default for staff, non-MIS, school digital champion and Hwb dashboard administrator accounts.
However, school digital champions can also turn on MFA for governors in their school before 30 June 2023.
School digital champions
- Navigate to https://hwb.gov.wales and log in to Hwb.
- Click on User management.
- On your ‘Administrator Dashboard’, click on View Users > View Governors.
- Use the Search term field as appropriate e.g. type the user’s surname and click on the Search button to locate the relevant user.
- Click on the user’s View Details button on the right.
- Click on Manage User > Enable MFA for All Apps.
- Read the on-screen message and click on the Enable button to proceed.
- Whilst still in the user’s record, scroll down and ensure there is a green tick next to ‘MFA Enabled for All Apps’.
- Advise the user to follow the instructions below to download the Microsoft Authenticator app and then link the app to their Hwb account.
- Navigate to https://hwb.gov.wales and log in to Hwb.
-
Download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone or other internet enabled mobile device that you can access off-site.
-
Linking the app to your Hwb account should only take a few minutes, but you must have downloaded the Microsoft Authenticator app onto a smartphone or other internet enabled device before you begin.
The following steps must be completed in one session i.e. you cannot close or skip screens. You will need:
- to log in to Hwb from outside the trusted network of your school or organisation e.g. off-site for the initial setup
- the internet enabled mobile device onto which you downloaded the Microsoft Authenticator app e.g. a smartphone.
You will only need to follow the instructions below once i.e. when you log in to Hwb for the first time outside the trusted network of your school or organisation e.g. off-site:
- On a laptop or desktop computer with internet access, navigate to https://hwb.gov.wales and click on Log in. Note: For this step, and during the initial setup only, it is advised that this device is not the one onto which the Microsoft Authenticator app has been downloaded.
- ‘Log in’ - Enter your Hwb username and click on Next.
- ‘Enter password’ - Enter your Hwb password and click on Sign in.
- A screen will appear displaying ‘More information required’. Click on Next.
- On the ‘Microsoft Authenticator. Start by getting the app’ page, click on Next.
- On the ‘Set up your account’ page, click on Next.
Depending on the device being used you may get a ‘Scan the QR code’ page showing a QR code, OR a ‘Copy and paste this information into your app’ page showing a secret key.
- On the mobile device onto which you have downloaded the Microsoft Authenticator app e.g. a smartphone, open the Microsoft Authenticator app. Note: If your Hwb account already exists in the Microsoft Authenticator app, you must remove this first by clicking on the account, clicking on the settings cog in the top right-hand corner and selecting ‘Remove account'.
- Click on the + (plus symbol) in the top right-hand corner of the screen to add an account.
- Click on ‘Other'.
- If you have the ‘Scan the QR code’ page described in step 6, scan the QR code using the activated camera on your mobile device.
Note: Do not scan any other QR code.
If you are unable to scan the QR code, click ‘Can’t scan image?’ and follow the next step to manually enter the information. - If you have the ‘Copy and paste this information into your app’ page described in step 6 above, select “Enter code manually” on the mobile device and enter the account name and secret key into the Microsoft Authenticator app. If you are using a single device, you can easily copy and paste the details by pressing the copy button.
- On the laptop or desktop computer on which you are attempting to log in to Hwb, on the ‘Scan the QR code’ page (which is displaying the QR code) click on Next.
- On the device on which you are attempting to log in to Hwb, click on Next.
- On the ‘Enter code’ page, type in the current 6-digit Hwb verification code shown in your Microsoft Authenticator app and click on Next. Note: If more than 30 seconds has elapsed you may need to enter the latest Hwb verification code from the app and click on Retry.
- On the ‘Success!’ page, click on Done.
- Setup is complete and you can now log in to Hwb using multi-factor authentication (MFA).
- to log in to Hwb from outside the trusted network of your school or organisation e.g. off-site for the initial setup
-
Every time non-learner users log in to Hwb outside the trusted network of their school or organisation, as well as their Hwb username and password, they must prove who they are by providing a unique code generated by the Microsoft Authenticator app:
- Navigate to https://hwb.gov.wales and click on Log in.
- ‘Log in’ - Enter your Hwb username and click on Next.
- ‘Enter password’ - Enter your Hwb password and click on Sign in.
- ‘Enter code’
- Open the Microsoft Authenticator app and either copy or make a note of the current Hwb 6-digit verification code (the code changes every 30 seconds).
- Go back to the Hwb ‘Enter code’ screen and either paste or type in the current Hwb 6-digit verification code.
- Open the Microsoft Authenticator app and either copy or make a note of the current Hwb 6-digit verification code (the code changes every 30 seconds).
- Click on Verify to go to your home page on Hwb.
- Navigate to https://hwb.gov.wales and click on Log in.
-
If a non-learner account holder obtains a new internet enabled mobile device e.g. a new smartphone, multi-factor authentication will need to be reset. Please contact your school digital champion or Hwb administrator who will be able to follow the guidance below.
School digital champions and Hwb administrators
School digital champions and Hwb dashboard administrators can reset MFA for individual non-learner account holders in their school or organisation via the Hwb User Management Portal (UMP):
- Navigate to https://hwb.gov.wales and log in to Hwb.
- Click on User management.
- On your ‘Administrator Dashboard’, click on View Users > View Staff (or View Digital Champions, View Governors, View Non-MIS).
- Use the Search term field as appropriate e.g. type the user’s surname and click on the Search button to locate the relevant user.
- Click on the user’s View Details button on the right.
- Click on Manage User > Reset MFA.
- Read the on-screen message: “Are you sure that you want to reset MFA for [name]@hwbcymru.net?”. Click on the Continue button to proceed.
- Whilst still in the user’s record, scroll down and ensure there is a green tick next to ‘MFA Enabled for All Apps’.
- Advise the user to follow the instructions to download the Microsoft Authenticator app and link it to their Hwb accounts.
- Navigate to https://hwb.gov.wales and log in to Hwb.
If you have any queries or require assistance, please follow your local IT support arrangements in school or through your local authority in the first instance. Advice and guidance are also available from the Hwb Service Desk: support@hwbcymru.net / 03000 25 25 25.
If you are prompted to use MFA in school or within a trusted network, please contact the Hwb Service Desk (hwb@gov.wales / 03000 25 25 25) and provide them with your school or organisation external IP address. If you are unsure of your school or organisation external IP address, please contact your IT support provider who will be able to provide this information.
Further resources:
- What is MFA?
- MFA on Hwb.
- Learn more about phishing and complete the short phishing awareness training module.
- Phishing: Spot and report scam emails, texts, websites and calls.
- Cyber security in schools: questions for governing bodies and management committees.
- Protect organisations and your own personal online accounts from cyber criminals.
- Follow the NCSC’s Cyber Aware advice to protect your online accounts from scammers seeking to steal personal details and sensitive information.
- Set up 2-step verification and use three random words passwords to prevent cyber criminals gaining access to email accounts.