How to Use Multi-Factor Authentication

To meet security requirements established by CMS, NGS implemented MFA for all NGSConnex users. Below is some important information to assist you with MFA.

What is MFA?

MFA is the use of two or more different authentication factors to verify the identity of a user. When you login to NGSConnex the first authentication factor you use to verify your identity is your user ID and password. MFA will require a second, completely separate authentication method.

How will I obtain a MFA passcode?

Each day when you log into NGSConnex, you will be prompted to request a MFA passcode. You have the option to receive this code via email or text message to your mobile phone associated with your User Profile. The MFA passcode that is generated will expire each day at 11:59 p.m. ET.

MFA FAQs

1. What is multi-factor authentication or “MFA”?
   
   Response: MFA is a CMS-required security mechanism used to verify the identity of a user. One authentication factor is the password that goes along with your NGSConnex User ID. MFA adds an extra layer of protection and will require a second, completely separate authentication method.
   
   
2. Is MFA mandatory to access information in NGSConnex?
   
   Response: Yes. Per CMS security requirements, MFA is required for all providers who access patient information and perform Medicare transactions in NGSConnex.
    
3. How do I verify the email address or mobile number associated with my User Profile in NGSConnex?
   
   Response: To review and update your email address, mobile telephone number or mobile carrier in the My User Profile tab, log into NGSConnex and follow these steps:
   • Click on the “My User Profile” tab
   • Click the “Edit” button
   • Update your email address in the “Email” field, your mobile number in the “Mobile number” field, or your mobile carrier by clicking the drop-down arrow
   • Click the “Save” icon

Note: If you update your email address in the My User Profile screen you will be prompted the next time you login to NGSConnex to again verify the email address.

4. If the User does not receive the daily MFA security passcode what should they do?
   
   Response: Verify the method the MFA security passcode was requested (i.e., email or text message). If email was the method used, the user should check spam or junk folders to see if the email message was intercepted. If that is not the case, the user should add National Government Services and No.Reply@NGSMedicare.com to their email address safe sender list and then request a new security code. If text message was the method used, the user should verify the mobile number and mobile carrier associated with their User Profile is accurate. If the security code for MFA is not received after taking these steps, the user will need to contact the National Government Services Provider Contact Center for their line of business and select Option 5.

5. Does the User need to request and enter a new MFA passcode each time they login to NGSConnex?
   
   Response: No. The user will request a daily numeric MFA security passcode the first time they login for the day. The daily MFA security passcode will be valid for 24 hours, and expire at 11:59 p.m. ET. The user will use the daily MFA security passcode each time they login during that 24-hour period.
    
   

6. What should a user do if the daily MFA security passcode is misplaced before the end of the day?
   
   Response: The user may request a new MFA security passcode when they log into NGSConnex and follow these steps:
   
   The user will then be presented with the multi-factor authentication screen. If a MFA security passcode is needed the user should click the Email Security Code or Text Security Code button. This will generate an email/text to the user, and will include the previously requested daily MFA security passcode that will be entered in the Enter Security Code field on the multi-factor authentication screen. The daily MFA security passcode will be valid for 24 hours, and expire at 11:59 p.m. ET.
   

1. • Read the standard disclaimer and click I Agree to continue.
   • Enter your ID in the User ID field.
   • Enter your password in the Password field.
   • Click OK.

7. Will a user be locked out of NGSConnex if the daily MFA security passcode is entered incorrectly more than three times?
   
   Response: No. An NGSConnex user account will not be locked due to incorrectly entering a daily MFA security passcode. The daily MFA security passcode must be entered correctly before access to NGSConnex is granted.
    

8. If the daily MFA security passcode requested does not work what should the user do?
   
   Response: The user should verify the daily MFA security passcode is being entered correctly (i.e., correct number of characters, correct format, etc.) if the user verifies the code they are entering is correct but are still unable to access NGSConnex, the user may request a new daily MFA security passcode when they log into NGSConnex and follow these steps:

The user will then be presented with the multi-factor authentication screen. If a new daily MFA security passcode is needed the user should click the Email Security Code or Text Security Code button. This will generate an email/text to the user, and will include the daily MFA security that will be entered in the Enter Security Code field on the multi-factor authentication screen.

If after requesting a new daily MFA security passcode and the user is still unable to access NGSConnex the user should contact the National Government Services Provider Contact Center for their line of business and select Option 5.

1. • Read the standard disclaimer and click I Agree to continue.
   • Enter your ID in the User ID field.
   • Enter your password in the Password field.
   • Click OK.

9. Is there a limit to the number of daily MFA security passcodes a user can request in a 24-hour period?
   
   Response: No.
    
10. Will validation be in place to ensure the NGSConnex user is entering an accurate email verification security code or daily MFA security passcode?
    • Correct format and number of characters
    • Matches user ID
    • Not an MFA code from a previous day
    • Etc.

Response: If the MFA security passcode cannot be verified regardless of the reason the user will receive an error message that states: “Invalid Security Code. Please refer to the code received in your email”.
 

11. Will NGSConnex users be able to share daily MFA security passcodes when accessing NGSConnex?   
    
    Response: No.The daily MFA security passcode is unique to the NGSConnex user and may not be shared.
     
12. Is there a setting in NGSConnex to allow the user to automatically receive a daily MFA security passcode via text message or email?
    
    Response: No. The user must request the daily MFA security passcode daily, when they initially login to NGSConnex.