Two-Factor Authentication

Two-factor authentication (TFA, also called multi-factor authentication or MFA) keeps content and data on Mass.gov safe and secure.

Two-Factor Authentication (2-factor for short, sometimes called multi-factor authentication or 2-step verification) is a security system designed to protect online information using more than one method of verifying your identity.

We use 2-factor in our login process for the Mass.gov content management system (CMS), GitHub, certain iFrames, and more. Hackers are constantly looking for ways to exploit weak networks in order to gather or change sensitive information and create headaches for your agency. Our 2-factor authentication is an important part of keeping content and data on Mass.gov safe and secure.

Here’s how 2-factor works for the Mass.gov CMS.

  • When you set up your Mass.gov account, we ask you to download a 2-factor app to your smartphone. You don’t need a state-issued device; your personal phone will work just fine. There are several free options, including Google Authenticator, Authy, and FreeOTP.

  • After you’ve downloaded an app and set up an account, you’ll scan a QR code to connect your new 2-factor account with your Mass.gov account. The QR code contains the shared secret for your account, so treat it like a password: don’t screenshot it or share it.

  • The app will also give you a static list of one-time-use codes that you can use to log in to your account if you lose your device. We recommend you print these one-time-use codes and keep them in a safe place, in case you ever need to access your account but don’t have your authenticated device handy.

  • Once you’ve connected your Mass.gov account to the 2-factor app, the app will generate a new 6-digit code every 30 seconds.

  • When logging in to Mass.gov, you’ll need to enter this code after submitting your normal password.

  • This way, even if your password were stolen, a hacker couldn’t log in to your Mass.gov account and change web pages or gather information, because they wouldn’t have your 2-factor-enabled smartphone with this 6-digit code.
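The steps above describe the standard time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226). The example below is added here to show how the pieces fit together; it is not Mass.gov’s code and makes no claim about how the Mass.gov CMS implements it. The secret is a constructed demo value (the published RFC test seed), and the class and function names are assumptions chosen for this illustration. It shows the app side (derive a 6-digit code from the shared secret and the current 30-second step), the server side (accept one step of clock drift, but never accept the same code twice), and the printed backup codes (stored only as hashes, each usable once).

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

# Constructed demo secret: the 20-byte ASCII seed from the RFC 4226/6238
# test vectors, base32-encoded the way a QR code hands it to an authenticator app.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

STEP_SECONDS = 30   # how often the app shows a new code
DIGITS = 6          # length of the displayed code


def hotp(secret_b32: str, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    key = base64.b32decode(secret_b32, casefold=True)
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at_time: Optional[int] = None) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second step.
    This is what the phone app computes; it needs no network connection."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret_b32, at_time // STEP_SECONDS)


class TotpVerifier:
    """Server-side check of a submitted code.

    Accepts the current step plus `window` steps on either side to tolerate
    clock drift, and remembers the last accepted step so a captured code
    cannot be replayed within its validity window."""

    def __init__(self, secret_b32: str, window: int = 1):
        self.secret_b32 = secret_b32
        self.window = window
        self.last_accepted_step = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        step = at_time // STEP_SECONDS
        for candidate in range(step - self.window, step + self.window + 1):
            if candidate <= self.last_accepted_step:
                continue                                  # already used: refuse replay
            if hmac.compare_digest(hotp(self.secret_b32, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


class BackupCodes:
    """The printed one-time-use list. The plaintext codes are shown to the user
    once; the server keeps only their hashes and deletes each one when redeemed."""

    def __init__(self) -> None:
        self._hashes: set = set()

    def generate(self, count: int = 10) -> List[str]:
        plain = [secrets.token_hex(4) for _ in range(count)]
        self._hashes = {hashlib.sha256(c.encode()).hexdigest() for c in plain}
        return plain                                      # print these and store them safely

    def redeem(self, code: str) -> bool:
        h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if h in self._hashes:
            self._hashes.remove(h)                        # each code works exactly once
            return True
        return False


def login(password_ok: bool, submitted_code: str, verifier: TotpVerifier, at_time: int) -> bool:
    """Both factors are required: a stolen password alone never gets through."""
    return password_ok and verifier.verify(submitted_code, at_time)


if __name__ == "__main__":
    now = int(time.time())
    server = TotpVerifier(DEMO_SECRET_B32)
    print("app shows:", totp(DEMO_SECRET_B32, now))
    print("password + fresh code:", login(True, totp(DEMO_SECRET_B32, now), server, now))
    print("same code again (replay):", login(True, totp(DEMO_SECRET_B32, now), server, now))
```

Running the block prints the current code for the demo secret, shows that password plus a fresh code is accepted, and that submitting the same code a second time is refused even though it is still inside the 30-second window. The `window=1` setting is the usual compromise: it tolerates a phone clock that is up to 30 seconds off without letting a code stay valid for much longer than the app displays it.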

New users are required to set up TFA when logging in for the first time. If you don't, you'll need to make a ServiceNow request to have your account reset before you can log in again.

These 2-factor authentication accounts are device-specific, so if you get a new phone you’ll need to set up your 2-factor again. Desktop versions of 2-factor are also available, but we recommend using a smartphone. That way, you can log in to your account on any device on an approved network. The desktop version would only work for logging in on a specific computer.

If you ever have any trouble with your 2-factor authentication, don’t hesitate to submit a ServiceNow request. You can set up 2-factor with your personal accounts as well, to better secure things like bank accounts and social media logins. We recommend you use it whenever possible to protect your information.