MFA requirements are based on your network connection and your user type:

1. Are you on the COV Network?

Agencies within the Commonwealth of Virginia (COV) network, whose users are managed through VITA, are considered COV agencies/users.

• In the Office or on VPN: If you are working on the COV network (in person or via VPN), you will not be prompted for MFA.  
• Working Remotely: If you are at home or using a personal device without a VPN, you must use MFA to log in.  

2. Are you a "Non-COV" User?

Certain users are considered Non-COV and will always be prompted for MFA at login. This applies to you if:  

• Your agency is not a part of the COV network.
• You are a locality Cardinal user.
• You use a personal email address to log in to Cardinal.

To determine if your agency is considered "COV" or "Non-COV", refer to the Agency Network Status list.

There are three ways to manage your MFA settings:

• During Registration: Non-COV users and those with personal email addresses must register to log in to Cardinal. COV users with an agency provided email address do not need to register.
• At Your Next Login: If you have not set up a supported MFA method yet, you will be automatically prompted to enroll the next time you log in from an off-network connection.
• Via the Okta Dashboard: For users who want to add second backup method or change their existing setup, you can manage your security method settings at any time through your Okta Dashboard (https://virginia.okta.com).

There are four supported MFA options for Cardinal login. Select the option that works best for your equipment. Setup instructions are provided below this FAQ section.