Cymraeg
Hwb

Multi-factor authentication

Warning

School staff, governors and other education stakeholders must use multi-factor authentication (MFA) if they want to log in to Hwb outside the trusted network of their school or organisation e.g. off-site.  However, MFA must be set up beforehand and whilst the non-learner user is logged in to Hwb on the trusted network of their school or organisation.

Learners are not required to use MFA

Multi-factor authentication (MFA) is a default security setting on all non-learner accounts in Hwb.  This means, if a non-learner account holder logs in to Hwb outside the trusted network of their school or organisation e.g. off-site, they must enter their username, password and a code generated by the Microsoft Authenticator app.

MFA helps to protect user accounts from phishing attacks.

Non-learner account holders must download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone, and link the app to their Hwb account. Once installed, the Microsoft Authenticator app will need to be used to confirm the login either by inputting the 6 digit number generated by the authenticator app (method 1) or by matching the number displayed on the log in screen (method 2).

Information

Users setting up MFA after 27 November 2023 will automatically use method 2 i.e. number matching, while users that have set up MFA before this date will continue to use method 1 i.e. 6 digit code.  However, users wishing to switch to the quicker and easier number matching method can set this up themselves following the 'Change MFA method to number matching (method 2)' instructions below.

Setting up multi-factor authentication

There are two steps to setting up multi-factor authentication:

  1. Download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone or tablet.

  2. Link the Microsoft Authenticator app to your Hwb account.

  • Follow these instructions to download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone or tablet that you can use off-site. 

  • Before you can link the app to your Hwb account you must have downloaded the Microsoft Authenticator app onto a smartphone or other internet enabled device as outlined in step 1 above.

    The following steps must be completed in one session i.e. you cannot close or skip screens.

    To setup MFA you will need:

    • to log in to Hwb whilst you are on your school or other trusted network

    • to have in your possession the internet enabled mobile device onto which you have downloaded the Microsoft Authenticator app,  e.g. a smartphone or tablet.

    Note: while setting up MFA it is advised to log in to Hwb on a different device to the one onto which the Microsoft Authenticator app has been downloaded e.g. log in to Hwb on a laptop or desktop computer and have the Microsoft Authenticator app on a smartphone in your possession.

    1. On a laptop or desktop computer that is connected to your school or other trusted network, navigate to https://mysignins.microsoft.com/security-info and sign-in with your Hwb username and password.
    1. On your ‘Security info’ page, click on ‘+ Add sign-in method’.
    1. From the ‘Choose a method’ drop-down list, select ‘Authenticator app’.
    1. Click on ‘Add’ and follow the on-screen instructions until you get the message ‘Microsoft authenticator app has been successfully registered’.

  • Every time non-learner users log in to Hwb outside the trusted network of their school or organisation, as well as their Hwb username and password, they must prove who they are by providing a unique code generated by the Microsoft Authenticator app in their possession:

    1. Navigate to https://hwb.gov.wales and click on ‘Log in’.

    2. On the ‘Log in’ screen, enter your Hwb username and click on ‘Next’.

    3. On the ‘Enter password’ screen, enter your Hwb password and click on ‘Sign in’.

    4. Method 1: enter 6-digit code
      1. Open the Microsoft Authenticator app and either copy or make a note of the current Hwb 6 digit verification code (the code changes every 30 seconds).

      2. Go back to the Hwb ‘Enter code’ screen and either paste or type in the current Hwb 6 digit verification code displayed in the app.

      3. Click on ‘Verify’ to go to your home page on Hwb.
    1. Method 2: number matching
      1. If push notifications have been enabled on your Microsoft Authenticator app you will be automatically prompted to enter the 2 digit number displayed on the Hwb log in page.

      2. Enter the 2 digit number you see on the Hwb log in page into the authenticator app.

      3. The Hwb log in page will automatically complete the login process.

  • If you are currently using multi-factor authentication with a 6 digit code (method 1), you may find it easier to change to number matching (method 2) with push notifications instead. Number matching automatically prompts you to match the numbers you see on the screen with the authenticator app on your mobile device.  Once setup, this is often much quicker and easier to confirm your Hwb log in.

    To move from using the 6 digit code authentication (method 1) to using number matching authentication (method 2), follow these instructions:

    1. On a laptop or desktop computer navigate to https://mysignins.microsoft.com/security-info and sign-in with your Hwb username and password.
    1. On your ‘Security info’ page, click on ‘+ Add sign-in method’.
    1. From the ‘Choose a method’ drop-down list, select ‘Authenticator app’.
    1. Click on ‘Add’ and follow the on-screen instructions until you get the message ‘Microsoft authenticator app has been successfully registered’.

    The next time you log in to Hwb outside the trusted network of your school or organisation you will be prompted to use number matching as your second factor.

  • If a non-learner account holder loses or obtains a new internet enabled mobile device e.g. a smartphone, multi-factor authentication will need to be reset.  Please contact a Hwb administrator in your school or organisation who will be able to follow the guidance below.

    Hwb administrator guidance

    Hwb administrators in a school or organisation can reset MFA for individual non-learner account holders via the Hwb User Management Portal (UMP):

    1. Navigate to https://hwb.gov.wales and log in to Hwb.

    2. Click on ‘User management’.

    3. On your ‘Administrator Dashboard’, click on View Users > View Staff (or View Digital Champions or View Governors or View Non-MIS).

    4. Use the ‘Search term’ field as appropriate e.g. type the user’s surname and click on the ‘Search’ button to locate the relevant user.

    5. Click on the user’s ‘View Details’ button on the right.

    6. Click on Manage User > Reset MFA.

    7. Read the on-screen message: “Are you sure that you want to reset MFA for [name]@hwbcymru.net?”. Click on the ‘Continue’ button to proceed.

    8. Advise the user to follow the instructions to download the Microsoft Authenticator app and link it to their Hwb account.

    If you have any queries or require assistance, please follow your local IT support arrangements in school or through your local authority in the first instance. Advice and guidance are also available from the Hwb Service Desk: email support@hwbcymru.net or phone 03000 25 25 25.

Warning

You should not be prompted to use MFA when you log in to Hwb whilst connected to the trusted network of your school or organisation.  If you are prompted to use MFA whilst connected to your school network or other trusted network, please contact the Hwb Service Desk: email support@hwbcymru.net or phone 03000 25 25 25 and provide them with your school or organisation external IP address. If you are unsure of your school or organisation external IP address, please contact your IT support provider who will be able to provide this information. 

Further resources

  • Last updated 16 January 2024