WSIPC MFA Guidance for Skyward SMS 2.0 and Qmlativ
What MFA options are currently supported in Skyward SMS 2.0 and Qmlativ?
- Both systems support native MFA using One-Time Password (OTP) apps like Google Authenticator, Microsoft Authenticator, Authy, and LastPass Authenticator as well as integration with Microsoft and Google SSO with MFA enabled. Hardware tokens are not yet available, but are on the roadmap for Qmlativ. Currently Qmlativ also supports using an email “callback” as an MFA option.
Is MFA required for all users, or just for administrative roles?
- Currently, MFA is optional but strongly recommended. In SMS 2.0, districts are encouraged to start with high-risk accounts (e.g., system-wide users, FIN/HR access). In Qmlativ, MFA is mandatory for employees accessing sensitive data.
Can MFA be enforced by district policy or does it require WSIPC configuration?
- Districts can enforce MFA locally via Authentication Configuration settings in Skyward. WSIPC plans to audit MFA implementation and require risk acceptance documentation for non-compliant districts for the 2025–2026 school year. The vendor will force MFA implementation by the 2026–27 school year.
How do users enroll in MFA for the first time?
- Users are prompted to enroll in MFA during login if it's required. Enrollment involves logging in with username/password, setting up an OTP app (e.g., scanning a QR code), and re-authenticating based on expiration settings.
- Admins configure MFA via:
  - Product Setup > Skyward Contact Access > Security > Users (SMS 2.0)
  - Administrative Access > Security > Codes - Multifactor Authentication (Qmlativ)
What should users do if they lose access to their MFA device?
- Users can use the 'Remove Device' option to reset trusted devices, or contact their district IT or regional support team for recovery assistance.
Is there a way to bypass MFA temporarily for troubleshooting or emergencies?
- Yes. Admins can uncheck the 'Require MFA' box for specific users in Authentication Configuration or reassign users to security groups without MFA temporarily. This should be used cautiously and logged for audit purposes.
Does MFA work with single sign-on (SSO) integrations like Azure AD or Google Workspace?
- Yes. Qmlativ supports SAML 2.0-based SSO with providers like Microsoft Entra ID (Azure AD) and Google Workspace. MFA can be layered on top of SSO using the identity provider’s MFA policies.
Are there audit logs or reports showing MFA usage and compliance?
- Yes. Both SMS 2.0 and Qmlativ offer a Security Audit Report Tool:
  - SMS 2.0: Product Setup > Security > Reports > Security Audit
  - Qmlativ: Administrative Access > Security > Utilities > Security Audit
- This free tool helps districts monitor MFA settings, password policies, and other security configurations.
Can MFA be customized per user group or role in Qmlativ or SMS?
- Yes. MFA can be enforced at the Security Group level, allowing districts to apply it to specific roles (e.g., admin, finance, HR). LDAP group integration also supports automated role-based MFA enforcement in Qmlativ.
What support does WSIPC offer for MFA setup and troubleshooting?
- WSIPC provides tiered support via service calls and email, training resources and onboarding guides, and compliance audits and follow-up communications. Districts can contact WSIPC at info@wsipc.org or 425-349-6600 for assistance.
What is forcing us to move to MFA for logins?