Multi-Factor Authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an agency resource. Requiring two or more verification factors decreases the likelihood of account compromises and successful cyberattacks. MFA is a key security control and an important requirement for modern compliance standards.
The MFA solution can be applied to on-premises and cloud-based applications and supports a variety of third-party applications. It also supports policy-controlled access based on roles, locations, applications and other risk factors.
Our MFA solution is Duo which provides a high level of integrated protection and authentication factors that are more robust than one-time passwords (OTP). Authentication factor options include Duo Mobile application, hard token, voice call, SMS or authenticated push.
This service is delivered using two primary delivery models. The first is a fully managed option available to agencies that utilize OTIS for Active Directory services. The second is an agency-managed model for agencies with their own on-premises Active Directory.
- Key Features and Benefits
- Hosted MFA platform.
- User self-service for enrollment.
- Soft and hard tokens are available.
- Support for a broad collection of third-party applications.
- MFA support for Active Directory and Microsoft Entra ID Conditional Access Policies.
- The MFS support service is staffed during normal business hours.
- The MFA service is available 24x7x365 except as communicated through specific system availability notifications.
- Prevents unauthorized access to systems and data through credential theft and misuse.
- Allows organizations to use advanced security options like Single Sign-On (SSO), which is easier for users but harder for hackers. With SSO, the user performs an initial MFA process to be admitted to their SSO software and gains access to all their required apps and data without entering passwords or credentials each time. This lets users avoid entering passwords multiple times daily, saving them a few minutes each day.
- Improved protection ensures maximum security that doesn’t get in the way of the user experience and productivity.
- Reduces risk from compromised passwords.
- Cloud-hosted single sign-on solution (SSO) solution, which can act as a Security Assertion Markup Language (SAML) 2.0 identity provider or OpenID Connect (OIDC) provider.
- Support and Administration
- Troubleshooting and diagnosis of directory services.
- Exclusions
- Does not provide an authentication method for email.
- Does not allow licensing constituents.
- Does not include radius infrastructure for customer-managed deployments.
- Prerequisites
- Users are state employees or doing business on behalf of a state customer.
- Customer Managed Option: customers are required to purchase an Entra P1 license in order to protect M365.
OTIS and Customer Responsibilities
| Responsibilities | OTIS | Customer |
|---|---|---|
| MFA tenant setup and configuration. |  | |
| Identify and communicate agency administrators to OTIS. | | |
| Identify and communicate accurate licensing needs to OTIS. | | |
| Assign agency administrators to the agency MFA tenant. | | |
| Deploy LDAP server and Active Directory that supports LDAPS. | | |
| Assign agency users to hard tokens (if purchased). | | |
| Provide a standard MFA policy. | | |
| Train agency Duo administrator champion. | | |
| Train agency users to utilize MFA and access control successfully. | | |
| Mobile Duo application deployment OTIS managed MDM devices. | | |
| Test deployment and activation of MFA. | | |
| Test and confirm MFA test status. | | |
| Require MFA for remote user authentication to non-public systems. | | |
| Full deployment and activation of MFA. | | |
| Troubleshooting and issue resolution end-user support. | | |
| Identify and remove inactive users from Duo synced groups. | | |
| Purchase optional hard tokens from vendor. | | |
| Contact MFA vendor for support. | | |
| MFA tenant setup. | | |
| Tenant configuration for initial application. | | |
| Agency application configuration for initial application. | | |
| Identify and communicate agency administrators to OTIS. | | |
| Identify and communicate accurate licensing needs to OTIS. | | |
| Assign agency administrators to the agency MFA tenant. | | |
| Deploy LDAP server and Active Directory that supports LDAPS. | | |
| Assign agency users to hard tokens (if purchased). | | |
| Establish and manage MFA policies. | | |
| Configure MFA support for custom applications. | | |
| Train agency Duo administrators. | | |
| Train agency users to utilize MFA and access control successfully. | | |
| Mobile application deployment. | | |
| Test deployment and activation of MFA. | | |
| Test and confirm MFA test status. | | |
| Require MFA for remote user authentication to non-public systems. | | |
| Full deployment and activation of MFA. | | |
| Troubleshooting and issue resolution end-user support. | | |
| Identify and remove inactive users from Duo synced groups. | | |
| Communicate significant changes in licensing needs to OTIS in advance. | | |
| Purchase optional hard tokens from vendor. | | |
| Contact MFA vendor for support. | |
| Service Level Name | Description | Target Service Level |
|---|---|---|
| Incident Response – Severity 1 and 2 | Means the percentage of time it took for a Severity Level 1 and Level 2 Incidents to be acknowledged and worked by OTIS within the applicable timeframes in the Service Level Definition. | 99.00% |
| Incident Response – Severity 3 and 4 | Means the percentage of time it took for a Severity Level 1 and Level 2 Incidents to be acknowledged and worked by OTIS within the applicable timeframes in the Service Level Definition. | 95.00% |
| Service Request Fulfillment Timeliness | Means the percentage of time OTIS successfully completes “Service Requests” (defined as requests that are not automated self-provisioned or that do not require solution proposal development; examples of such requests include provisioning ID access, password resets, Service Catalog requests, IMACDs) within the applicable timeframes. | 96.00% |
Service Rates
Call for pricing.
Funding for this service is provided from sources that support statewide cybersecurity initiatives. Although MFA service costs are included in statewide DIS initiatives, customers of the services are required to fulfill the customer responsibilities listed above to ensure the service's effectiveness.
Hard Token Purchases: Customer agencies will purchase hard tokens directly from the vendor. Customers may obtain up-to-date hard token pricing directly from the vendor.
Service Contacts
To report issues related to this service, customers should contact the Division of Technology Operations (DTO) Service Desk (servicedesk@admin.sc.gov).
For additional information on this service customers should contact their Agency Relationship Management (ARM) representative or the Program Management Office (pmo@admin.sc.gov).
Estimate Initial Service Delivery Time
The initial service delivery time will vary based on the project scope. Customers should contact their Agency Relationship Management (ARM) representative to initiate the Request for Solution (RFS) process to request a solution and target delivery time.
| Customer Entity Type | Eligible |
|---|---|
| State Agencies | Yes |
| Local Government Entity including Municipality and County | No |
| Higher Education | TBD |
How To Order
Customers should contact their Agency Relationship Management (ARM) representative or the Program Management Office (pmo@admin.sc.gov) to acquire these services.
