Multi-Factor Authentication (MFA) Enforcement for Heart of Oregon Corps

Status: APPROVED
Prepared by: Cascade IT
Date: February 11, 2026
Client: Heart of Oregon Corps

Overview

Cascade IT will be implementing Multi-Factor Authentication (MFA) for all Heart of Oregon Corps user accounts to enhance security and protect organizational and participant data. This additional security layer helps prevent unauthorized access even if passwords are compromised.

Applies to: All HOC staff, administrators, and users accessing Microsoft 365 systems

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication adds an extra step when users sign into their accounts. Instead of just entering a password, users will also need to verify their identity using a second method—typically a mobile phone.

Simple explanation: Your password is your key, and MFA is the deadbolt. Both are needed to get in.

Why We're Implementing MFA

Research shows that MFA blocks over 99% of automated cyberattacks. By requiring this second verification step, we're protecting:

• Participant and employee personal information
• Financial and donor data
• Organizational communications and documents
• Access to HOC systems and applications

Cybersecurity threats are increasing across all sectors, especially for nonprofits. This change helps ensure that only authorized individuals can access HOC systems and meets industry security standards.

How This Will Affect End Users

Current Login Process:

1. Open email or Microsoft 365 application
2. Enter username and password
3. Access granted

New Login Process (After MFA):

1. Open email or Microsoft 365 application
2. Enter username and password
3. [NEW STEP] Verify identity using phone:
   • Approve a notification on the Microsoft Authenticator app, OR
   • Enter a code sent via text message, OR
   • Enter a code from the authenticator app
4. Access granted

Time Impact: MFA typically adds 5-15 seconds to the login process.

Getting Started with MFA

Step 1: Install Microsoft Authenticator (Recommended Method)

For iPhone:

1. Open the App Store
2. Search for "Microsoft Authenticator"
3. Download and install the app

For Android:

1. Open the Google Play Store
2. Search for "Microsoft Authenticator"
3. Download and install the app

Step 2: Register MFA Method

Users will be prompted to set up MFA the next time they sign in after enforcement begins:

1. Sign in with username and password as normal
2. Prompt displays: "More information required"
3. Click Next
4. Choose preferred verification method:
   • Microsoft Authenticator app (Recommended)
   • Text message to mobile phone
   • Phone call to mobile phone

Step 3: Complete Setup

If using Microsoft Authenticator app:

1. Open the app on mobile phone
2. Tap the + button
3. Select Work or school account
4. Scan the QR code shown on computer screen
5. Complete the test verification

If using text message:

1. Enter mobile phone number
2. Receive text with verification code
3. Enter code on computer
4. Complete test verification

Daily Usage: What to Expect

Once MFA is configured, typical sign-in process:

Using Microsoft Authenticator (Easiest):

1. Enter password
2. Check phone for notification
3. Tap Approve
4. Access granted

Using Text Message:

1. Enter password
2. Receive text message with 6-digit code
3. Enter code on computer
4. Access granted

Frequently Asked Questions

Q: What if a user doesn't have a smartphone?
A: Contact Cascade IT support. We can configure alternative verification methods such as phone call to landline or office phone.

Q: Will users need to verify every single time they log in?
A: No. If users select "Don't ask again for 90 days" on trusted devices, verification will only be required occasionally. MFA will still be required when logging in from new devices or locations.

Q: What if a user loses their phone or gets a new one?
A: Users should contact Cascade IT immediately. We will reset MFA settings and assist with setup on the new device.

Q: What if a user is traveling or doesn't have cell service?
A: The Microsoft Authenticator app generates codes that work even without internet or cell service. We recommend users set this up before traveling.

Q: What if a user doesn't receive the notification or text message?
A: Troubleshooting steps:

• Check that phone has service
• Verify Microsoft Authenticator is installed and up to date
• Check if notifications are allowed for the Authenticator app
• Select "I didn't get a notification" and request a new code
• Contact Cascade IT if issue persists

Q: Is personal phone number data stored or shared?
A: Phone numbers are only used for MFA verification and are stored securely by Microsoft. They are not shared with third parties.

Q: Can users use the same authenticator app for multiple accounts?
A: Yes. Microsoft Authenticator can manage multiple accounts (personal email, work accounts, etc.) in one app.

Support Information

Cascade IT Support:

• Email: support@cascadeits.us
• Phone: +1 (541) 241-8233
• Support Hours: 8:30am-5:00pm M-F

Cascade IT will provide full support during the MFA rollout and ongoing assistance.

Additional Resources

• Microsoft Authenticator Setup Guide: https://aka.ms/mfasetup
• Cascade IT Support Portal: https://support.cascadeits.us/portal/en/home

Notes for HOC Leadership

• Implementation timeline to be determined based on HOC's operational schedule
• Cascade IT recommends 30-day notice period for users before enforcement

Document Status: APPROVED
Version: 1.0
Prepared by: Cascade IT
Client: Heart of Oregon Corps
Date: February 11, 2026