MFA frequently asked questions

Frequently asked questions

CT.Gov User Choice based MFA - Why do we need it?

MFA enhances security by requiring users to provide multiple forms of identification, adding an extra layer of protection beyond just passwords. The user can choose the additional form of identification from the given options (check FAQ #5). This helps prevent unauthorized access, safeguarding sensitive information and accounts from potential threats.

Is it mandatory for me to enable MFA?

No, it is not mandatory to enable MFA. You can enable or disable MFA at any time as per your preference.

How do I enroll for MFA based login?

There are 2 ways to enroll for MFA based login. Follow this guide for more information.

During the log in process.

Occasionally, you will be prompted to enroll for MFA during the log in process.
Click on “Yes” when prompted.
You will be presented with all the available methods of MFA.
Pick your preferred mode for MFA and click on continue.

From the Profile Dashboard page.

Browse to the “Login and Security” section of the Profile Dashboard.
Enable the “MultiFactor Authentication” toggle.
You will be presented with all the available methods of MFA.
Select one of the available methods and click on save button.

Do I need to verify my email address in order to enroll for MFA?

Yes, for your account to be able to enroll for MFA, email address needs to be verified. You can do so either during the log in process - when you are prompted to verify your email, or by browsing to the “Personal details” section of the profile dashboard & verifying the email address.

What methods are supported for MFA based login mechanism?

CT.gov supports the following methods for MFA:

MFA method	Details
Email	One Time Password (OTP) for login will be sent to your email address
SMS	OTP for login will be sent to your phone number via SMS/Text
Phone call	OTP for login will be sent to your phone number via a phone call
Authenticator app	OTP will be generated in your smartphone's authenticator app every 30 seconds

Do I need to login to all services with MFA?

No, you do not need MFA to access all the services provided by CT.gov. However, there are some applications that require MFA to be accessed.

What is Authenticator App based MFA?

An authenticator app adds extra security to your CT.gov account. It's like a secret code that changes regularly, making it tougher for unauthorized access, even if your password is known. The authenticator app, installed on your smartphone, generates time-sensitive, one-time codes. You will have to input the code generated by the authenticator app as the second factor when prompted during the login process. This significantly reduces the risk of unauthorized access.

One of the best features of Authenticator App based MFA is, once set up on your smartphone, you don't need Internet to receive OTPs. They will be generated for you on the app.

What authenticator apps are supported for MFA?

All authenticator apps work with CT.Gov accounts. However, CT.gov recommends using popular authenticator apps such as Google Authenticator or Microsoft Authenticator. Be cautious of third-party authenticator apps that are not widely recognized. They may not provide the same level of security as reputable alternatives.

How can I de-register and re-register my authenticator app?

The authenticator app can be configured and unconfigured through the CT.Gov Profile Dashboard page. Follow this guide for more information.

Login to your CT.Gov application and navigate to User settings or Manage my Account page.
Select the “Login and Security” tab on the left.
If you have previously configured authenticator for MFA, you will see the “Authenticator“ configured.
Click on the “Unconfigure“ link to deregister the current configured authenticator.
Similarly, if you want to re-register another authenticator app, on the same tab, click on the “Configure” link.
Follow the steps to scan QR code, provide the OTP to successfully configure the authenticator app again.

Once the authenticator app is re-configured, you would be able to use the newly configured authenticator for MFA.

Do I need to own a smartphone to use MFA with ct.gov?

CT.gov provides you the flexibility to use your smartphone for securing your account through MFA. You can configure authenticator-based MFA with your favorite authenticator app to secure your account through MFA.

All the industry leading authenticator apps are compatible tobe used for MFA.

However, if you do not own a smartphone, you need not worry at all. We also provide email, SMS and phone-based MFA so that you can receive OTPS over these channels and secure your account through MFA.

What phone numbers are supported by the platform?

Please note that only United States number is considered valid for receiving OTPs. When you configure your phone number for MFA, you would be asked to validate your US based phone number through OTP over SMS. Once the OTP is validated, only then this number can be further used for MFA purposes.

How to disable MFA?

We highly recommend that you secure your CT.Gov account with MFA using your preferred channel, however if you would like to discontinue with MFA, you can do it through the CT.Gov profile dashboard page.

Login to your CT.Govapplication and navigate to User settings or Manage my Account page.
Select the “Login and Security” tab on the left.
You will see a toggle button for Multifactor Authentication in Enabled state.
Click the toggle button to disable MFA. Make sure to click “Save” to save your changes.
Once saved, you would no longer be prompted for MFA to login to your CT.Gov account.

However, if your CT.Gov application requires that one cannot access the application without MFA, you would still have to go through email or SMS based MFA before you can access the application. Follow this guide for more information.

What does trusting a device mean from an MFA perspective?

During the MFA login process, once you have successfully completed the MFA login process, you would be prompted to trust the device that is being used. By trusting the device, you can avoid getting MFA prompt for future logins using the same browser on the same device. However, you will be prompted to perform MFA if you choose a different browser or a different device or both.

How can I remove a device from trusted device list?

As you change device, you might want to remove device(s) that have been trusted before. Follow this guide for more information. Or, to remove a device, do the following:

Complete your login and navigate to the CT.Gov profile page - https://login.ct.gov/ctidentity/profile
Click on Login and security displayed on the left panel.
On the right you will find the list of trusted device(s) that has already been enrolled.
Click on Remove device to initiate removal of the device.
You will be prompted to confirm the removal of your device. Select YES to remove the device.

Why is SMS/ Call options greyed out in my profile screen when I wanted to opt in for MFA?

This is because you might not have configured a phone number for your account yet. Follow this guide for more information. Or, follow the below steps to configure it:

Complete your login and navigate to the CT.Gov profile page - CT.GOV-Connecticut's Official State Website
Click on Login and security displayed on the left panel
On the right under MFA Preference you will find that your SMS and Call options are disabled.
Click on Add number option to start adding a phone number. Note you can only add a US based mobile number.
On the Add number pop up enter your mobile number and click NEXT.

Enter the One Time Code received on your mobile over SMS on the next screen and click on VERIFY to complete the process.

Why is Authenticator option greyed out in my profile screen when I wanted to opt in for MFA?

This is because you might have not configured Authenticator App with your CT.govaccount yet. Follow this guide for more information, or the following steps to configure it:

Click on 'Configure' button beside the Authenticator option.
Proceed with the steps shown on your screen to set up your authenticator app.
Enter OTP shown in your authenticator app.
After successfully configuring authenticator app, you will be able to select the Authenticator option.