Cymraeg

Multi-factor authentication (MFA), also known as 2-step verification (2SV) or two-factor authentication (2FA), is an additional security measure that can be added to non-learner Hwb accounts i.e. staff, governors, other non-MIS stakeholders (but not learner accounts).

Due to the sensitive data non-learner users may have access to via their Hwb account and the increasing incidence and sophistication of phishing attacks, it is recommended that schools and organisation administrators turn on multi-factor authentication for all non-learner account holders by default.  Once MFA is turned on it will only be required when non-learners log in to Hwb outside their school or trusted network i.e. off site.

Warning

At the end of the autumn term 2022, MFA will no longer be optional.  MFA will be turned on for all non-learner account holders and will be required when these users log in to Hwb outside their school or trusted network.

Once multi-factor authentication is turned on, non-learner users will have to download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone and link it to their Hwb account. The Microsoft Authenticator app generates verification codes which users will need to input (together with their username and password) when they log in to Hwb outside their school or trusted network i.e. off-site.

Setting up multi-factor authentication

There are three parts to setting up multi-factor authentication:

  1. Turn on MFA in the Hwb User Management Portal (UMP) - school digital champions and Hwb administrators can turn on MFA for some or all of their non-learner users in their school or organisation. Individual users can also turn on MFA in the UMP, but for their own account only.
  1. Download the Microsoft Authenticator app - all affected users must download the Microsoft Authenticator app onto an internet enabled mobile device e.g. a smartphone.
  1. Link the Microsoft Authenticator app – once MFA has been turned on all affected users must link the Microsoft Authenticator app to their Hwb account when prompted on their next log in to Hwb outside their school or trusted network i.e. off-site.
  • School digital champions and Hwb administrators can turn on MFA for ALL non-learner accounts in their school or organisation:

    1. Navigate to https://hwb.gov.wales and log in to Hwb.

    2. Click on User management.

    3. On your ‘Administrator Dashboard’, click on Administration > Manage MFA for all apps.

    4. Read the on-screen message and click on the Enable button to proceed.

    5. On your ‘Administrator Dashboard’, click on View Users > View Staff and ensure there is a green tick in the ‘MFA All’ column next to all staff listed. Repeat this check in View Digital Champions, View Governors and View Non-MIS.

    6. Advise all non-learner users to follow the instructions below to download the Microsoft Authenticator app and link it to their Hwb accounts.

    School digital champions and Hwb administrators can turn on MFA for INDIVIDUAL non-learner accounts in their school or organisation:

    1. Navigate to https://hwb.gov.wales and log in to Hwb.

    2. Click on User management.

    3. On your ‘Administrator Dashboard’, click on View Users > View Staff (or View Digital Champions, View Governors, View Non-MIS).

    4. Use the Search term field as appropriate e.g. type the user’s surname and click on the Search button to locate the relevant user.

    5. Click on the user’s View Details button on the right.

    6. Click on Manage User > Enable MFA for All Apps.

    7. Read the on-screen message and click on the Enable button to proceed.

    8. Whilst still in the user’s record, scroll down and ensure there is a green tick next to ‘MFA Enabled for All Apps’.

    9. Advise the user to follow the instructions below to download the Microsoft Authenticator app and link it to their Hwb accounts.

    Non-learner users can turn on MFA for their own Hwb account at any time:

    1. Navigate to https://hwb.gov.wales and log in to Hwb.

    2. Click on User management.

    3. On your ‘Dashboard’, click on ‘My Profile’ and click on Manage MFA for All Apps.

    4. Read the on-screen message and click on the Enable button to proceed.

    5. Whilst still on your profile page, scroll down and ensure there is a green tick next to ‘MFA Enabled for All Apps’.

    6. Now follow the instructions below to download the Microsoft Authenticator app and link it to your Hwb account.
  • Download and learn how to use the Microsoft Authenticator app on an internet enabled mobile device e.g. a smartphone, that you can access off-site.

  • Linking the app to your Hwb account should only take a few minutes, but please ensure you have downloaded the Microsoft Authenticator app before you begin. You will need:

    • a computer, tablet or other internet enabled mobile device to log in to Hwb

    • the internet enabled mobile device onto which you downloaded the Microsoft Authenticator app e.g. a smartphone

    • to be located outside your school or trusted network i.e. off-site for the initial setup.

    You will only need to follow the instructions below once i.e. when you log in to Hwb for the first time outside your school or trusted network i.e. off-site:

    1. On a computer, tablet or other internet enabled device, navigate to https://hwb.gov.wales and click on Log in. Note: For this step and during initial setup it is advised that this device is different to the one on which the Microsoft Authenticator app has been downloaded.

    2. ‘Log in’ - Enter your Hwb username and click on Next.

    3. ‘Enter password’ - Enter your Hwb password and click on Sign in.

    4. A screen will appear displaying ‘More information required’.  Click on Next.

    5. On the ‘Additional security verification’ page, Step 1: How should we contact you? ensure ‘Use verification code’ is selected and click on Set up.

    6. A ‘Configure mobile app’ page with a QR code will be displayed on your screen.

    1. On the mobile device onto which you have downloaded the Microsoft Authenticator app e.g. a smartphone, open the Microsoft Authenticator app.

    2. Tap on the + (plus symbol) in the top right-hand corner of the screen to add an account.

    3. Tap on ‘Work or school account’ and select Scan QR code

    4. Using the camera which has been activated on your mobile device e.g. smartphone, scan the QR code on the ‘Configure mobile app’ page (as described in step 6 above).

    5. If successful, you will now see a ‘Hwb’ account with your Hwb username in your Microsoft Authenticator app and a 6-digit verification code (the code changes every 30 seconds!).

    1. On the computer, tablet or other internet enabled device on which you are attempting to log in to Hwb, on the ‘Configure mobile app’ page (with the QR code) click on Next.

    2. On the ‘Additional security verification’ page, Step 1: How should we contact you? ensure ‘Setup – Mobile app has been configured for verification codes’ is displayed and click on Next.

    3. For Step 2: Enter the verification code from the mobile app, type in the current 6-digit Hwb verification code shown in your Microsoft Authenticator app and click on Verify.  Note: If more than 30 seconds has elapsed you may need to enter another Hwb verification code from the app and click on Retry.

    4. On the ‘Additional security verification’ page, Step 2: Enter the verification code from the mobile app ensure ‘Verification successful. Taking you to the next step…’ is displayed and click on Finished.

    5. Setup is complete and you can now log in to Hwb with multi-factor authentication (MFA).
  • When non-learner users log in to Hwb outside their school or trusted network they must prove who they are by providing a code generated by their Microsoft Authenticator app as well as their Hwb username and password:

    1. Navigate to https://hwb.gov.wales and click on Log in.

    2. ‘Log in’ - Enter your Hwb username and click on Next.

    3. ‘Enter password’ - Enter your Hwb password and click on Sign in.

    4. ‘Enter code’

      • Open your Microsoft Authenticator app and either copy or make a note of the current Hwb 6-digit verification code.

      • Go back to the Hwb ‘Enter code’ screen and either paste or type in the latest Hwb 6-digit verification code.

    5. Click on Verify to go to your home page on Hwb.
  • If a non-learner account holder obtains a new internet enabled mobile device e.g. a new smartphone, multi-factor authentication will need to be reset.  Please contact your school digital champion or Hwb administrator.

    School digital champions and Hwb administrators

    School digital champions and Hwb administrators can reset MFA for individual non-learner accounts in their school or organisation:

    1. Navigate to https://hwb.gov.wales and log in to Hwb.

    2. Click on User management.

    3. On your ‘Administrator Dashboard’, click on View Users > View Staff (or View Digital Champions, View Governors, View Non-MIS).

    4. Use the Search term field as appropriate e.g. type the user’s surname and click on the Search button to locate the relevant user.

    5. Click on the user’s View Details button on the right.

    6. Click on Manage User > Reset MFA.

    7. Read the on-screen message: “Are you sure that you want to reset MFA for [name]@hwbcymru.net?”. Click on the Continue button to proceed.

    8. Whilst still in the user’s record, scroll down and ensure there is a green tick next to ‘MFA Enabled for All Apps’.

    9. Advise the user to follow the instructions to download the Microsoft Authenticator app and link it to their Hwb accounts.

If you have any questions or would like help setting up MFA, please contact the Hwb Service Desk (hwb@gov.wales / 03000 25 25 25).

If you are prompted to use MFA in school or within a trusted network, please contact the Hwb Service Desk (hwb@gov.wales / 03000 25 25 25) and provide them with your school or organisation external IP address. If you are unsure of your school or organisation external IP address, please contact your IT support provider who will be able to provide this information.

Further resources: