How-To Guides — IT Admin
MFA Configuration
How to enable multi-factor authentication for your agency, choose which methods are available, and enforce MFA so individual users can't opt out.
CJIS compliance requires MFA
If your agency accesses Criminal Justice Information Services (CJIS) data through APBnet, multi-factor authentication is required under the CJIS Security Policy. MFA must be enforced at the agency level — individual users cannot be allowed to opt out. Enable and enforce MFA before users begin accessing the platform.
Before you start
- You need the IT Admin role to configure MFA settings.
- Decide which MFA method(s) your agency will use before enabling. Changing methods after users are enrolled may require them to re-enroll.
- Communicate the change to users before enforcing — give them time to enroll before the enforcement deadline.
Steps
- 1
Open IT Admin Settings and select MFA Configuration.
[Screenshot pending: IT Admin MFA Configuration panel showing available MFA methods with enable toggles and the agency-wide enforcement setting]
- 2
Choose which MFA methods to allow.
APBnet supports two MFA methods:
- Authenticator app (TOTP) — generates time-based codes using apps like Google Authenticator, Authy, or Microsoft Authenticator. Preferred for CJIS compliance — not dependent on mobile carrier availability.
- SMS verification — sends a one-time code by text message. Easier for users with limited technical comfort, but requires mobile signal and a registered phone number.
You can allow both methods and let users choose, or restrict to one method. Toggle each method on or off.
- 3
Enable MFA and set enforcement to Required — all users.
With enforcement set to required, users must complete MFA enrollment before they can access APBnet. Users who have not yet enrolled are prompted at login. They cannot skip or defer enrollment once enforcement is active.
[Screenshot pending: IT Admin MFA settings with enforcement toggle set to 'Required — all users' and the enrollment status summary visible]
- 4
Monitor enrollment status.
The MFA panel shows how many users have enrolled and how many are still pending. Follow up with users who haven't enrolled, especially before any deadline tied to a compliance review.
Tips
Give users a grace period before enforcing
Enable MFA and allow users to enroll voluntarily for a week or two before switching enforcement to required. Users who are prompted without any warning are more likely to get stuck and call for help. A heads-up and a brief instruction message prevent most support requests.
Prefer authenticator app for CJIS environments
SMS-based MFA depends on mobile carrier availability — it doesn't work in dead zones or on agency-issued devices without mobile plans. Authenticator apps generate codes offline and are the more reliable option for field environments and CJIS compliance.
Lost device process
If a user loses their MFA device and can't log in, contact APBnet support to reset their MFA enrollment. The user will need to re-enroll with their new device. There is no self-service bypass — this is by design for security.
Related guides
Configuring Allowed Domains & Whitelisting
Set up allowed email domains and network whitelisting alongside MFA.
Managing Device Access Controls
Control which devices are authorized to access APBnet.
Program Admin: Controlling Feature Access
Feature-level settings sit with Program Admin — a separate role from IT Admin.