Multi-Factor Authentication FAQs

Multi-factor authentication (MFA) is a login method that requires users to provide multiple verification factors to gain access to a system. Effective this spring, MFA will be required for accessing any NFA system, meaning that users must provide an additional "factor" beyond username and password to log in.

For NFA, the additional factor will be a time-based one-time passcode (TOTP) delivered to the user via email, text message or an authenticator app. Upon enrolling in MFA, each NFA system user will select their preferred TOTP delivery method, which they will use to access NFA systems in the future.

Enrollment only needs to be completed once per user account.

NFA is committed to protecting its Members' data and systems from exposure to any security vulnerabilities.

MFA is one of the most effective security controls currently available to protect an organization against remote security attacks. Even if a user's username or password is compromised, requiring MFA can prevent a security breach by requiring the user to provide additional information.

Passwords are increasingly easily compromised. They can be stolen, guessed or hacked, and a user might not even realize someone else is accessing their account. MFA adds a second layer of security, helping keep accounts secure even if a password is compromised.
NFA has completed its rollout of MFA to all NFA members as of June 4. Users will be prompted to enroll in MFA the first time they log into an NFA system.

A time-based one-time passcode or TOTP, is a string of digits, that is valid for a set interval of time. Depending on the delivery method a user selects, the set interval and steps for TOTP input vary.


Upon entering a username and password, users can request a code to a valid email address. Users will receive an email from Microsoft sent on behalf of NFA containing a passcode that can be used to gain access into NFA's system.

NFA recommends users not use a shared mailbox for MFA.


Upon entering a username and password, users can request a code via text/SMS to a valid phone number that can receive text/SMS messages. The passcode can be used to gain access into NFA's systems.

Users can also receive a passcode verbally via a phone call to a valid phone number.

Once a user has linked their account to an authenticator app, upon entering a username and password, the NFA system requests a TOTP. The user opens their authenticator app on their smartphone or computer, which displays a code. The code is valid for 30 seconds, after which a new code will automatically be generated. The user inputs the string into the NFA system and then gains system access.

TOTP authenticator applications include:

Click here to learn how to set up an authenticator app.

Yes. A May 2021 Executive Order from President Biden states, among other things, that federal agencies must implement MFA. While NFA is not a government agency, certain NFA systems contain government data.

Need Help?

NFA's Information Center representatives are available to answer questions regarding MFA, please contact NFA's Information Center (312-781-1410 or 800-621-3570 or (