Multifactor Authentication for Cardinal Users
The Virginia IT Agency (VITA) will retire the SMS (text message) and phone call options for multi-factor authentication (MFA) for Cardinal login. VITA has indicated these two MFA options will end by early April.
Cardinal recommends setting up the Okta Verify mobile application, however, additional multifactor authentication options are available. Please review the matrix below to distinguish which options are readily available today to all Cardinal users and which multifactor authenticators are controlled at the agency level.
Multifactor Options by User Type
As previously communicated, the Virginia IT Agency (VITA) is retiring SMS (text message) and phone call options for multi-factor authentication (MFA) for login verification. This change is rolling out across COV agencies on a schedule set by VITA. Your agency will share the specific date when this change takes effect for you.
Because your agency is on the COV network, your access rules for Cardinal depend on your location/network connection:
When connected to the COV network: Cardinal can be accessed without MFA. This applies to users in the office or connected to the network via a COV VPN.
When not connected to the COV network: If you are working remotely without a VPN or using a personal device, multi-factor authentication (MFA) is required, use one of the available methods listed below.
Choose Your Multifactor Authentication Method
| MFA Option | Best For | Platform | Notes |
| Okta Verify | Most users at COV agencies | Mobile Application (Version min. iOS17.0/ Android13) | User Self Service - Computer and iOS device - Computer and Android device - Setup using smartphone only (no computer needed) |
| Google Authenticator and Other TOTP Applications (Time-Based One-Time Password) | COV agency users wanting a simple mobile code generator and users with existing apps (Duo, Rapid Identity, Microsoft Authenticator, etc.) | Mobile Application (Version min. iOS16.0/ Android11) | User Self Service Set Up on iOS device Set Up on Android device Note: To enroll Google Authenticator or TOTP apps, users must select the 'Google Authenticator' option and scan QR code |
| Okta FastPass | Users who do not have a smartphone or prefer not to use a smartphone for authentication | Desktop | Agency IT Support |
| Yubikey & Security keys | User requiring a physical hardware security key | Desktop/Mobile | Recommend users reach out to agency IT point of contact VITA Yubikey job aid |
As previously communicated, the Virginia IT Agency (VITA) will retire the SMS (text message) and phone call options for multi-factor authentication (MFA) for Cardinal logins by early April. To avoid being locked out of Cardinal, users must transition to a supported MFA method as soon as possible.
Choose Your Multifactor Authentication Method
The following guidance is for:
- Users at Non-COV agencies
- Users who sign into Cardinal with a personal email address
| MFA Option | Best For | Platform | Notes |
| Okta Verify | Most users at Non-COV agencies | Mobile Application (Version min. iOS17.0/ Android13) | User Self Service - Computer and smartphone - Setup using smartphone only (no computer needed) |
| Google Authenticator and Other TOTP Applications (Time-Based One-Time Password) | Non-COV agency users wanting a simple mobile code generator and users with existing apps (Duo, Rapid Identity, Microsoft Authenticator, etc.) | Mobile Application (Version min. iOS16.0/ Android11) | User Self Service - Computer and smartphone Note: To enroll Google Authenticator or TOTP apps, users must select the 'Google Authenticator' option and scan QR code |
| Okta FastPass | Users who do not have a smartphone or prefer not to use a smartphone for authentication | Desktop | Requires Agency Technical Support |
| Yubikey & Security keys | User requiring a physical hardware security key | Desktop/Mobile | Recommend users reach out to agency IT point of contact VITA Yubikey job aid |
To avoid being locked out of Cardinal, users must transition to a supported MFA method as soon as possible, and no later than April 1, 2026.
Choose Your Multifactor Authentication Method
| MFA Option | Best For | Platform | Notes |
| Okta Verify | Most users | Mobile Application (iOS/Android) | Can be used when accessing Cardinal from a desktop, laptop, smartphone, or tablet. User Self Service |
Google Authenticator or Other TOTP* Applications *Time-Based One-Time Password | Users with existing authenticator apps accessing Cardinal from a desktop, laptop, smartphone, or tablet. | Mobile Application (iOS/Android) | Users will need to choose Google Authenticator as your method; the resulting QR code is compatible with most third-party security apps. User Self Service |
Okta FastPass (now available)
| Users who prefer not to use a smartphone or do not have a smart phone | Desktop | Requires Technical Support – see note below. |
Okta FastPass: To use Okta FastPass as your MFA method, please submit a request to the Help Desk at vccc@vita.virginia.gov with the subject line: 'Cardinal – Okta FastPass'. Our team will attempt to assist with the setup; successful installation may depend on your specific departmental computer policies and configurations.