Department of Defense Education Activity

Non-CAC Secure Access with Multi-Factor Authentication (MFA)

Anytime, Anywhere - Securely.

Download the flyer for Non-CAC Secure Access.

Imagine being able to be mobile and having the flexibility to access resources whenever you need them - even if you do not have your common access card (CAC).multi-factor authentication

For years, DoDEA has required the use of a CAC and pin to verify staff identity. As part of the DoD Digital Modernization and to allow you to access DoDEA resources online while continuing to protect DoD systems and data, staff will setup non-CAC secure access using multi-factor authentication (MFA) through Microsoft 365

How MFA Works: Before your account can be accessed, MFA attempts to prove who you are in multiple ways using passcodes, a phone call and/or other unique factors or actions. This added security allows you to confidently access more DoDEA resources anytime and anywhere - securely.

Multi-factor authentication (MFA) requires that you verify your identity in at least two different ways:

  • Something you know – such as your username and password, a secret code or answers to private questions
  • Something you have access to – such as an access card, phone, email
  • Something you are – such as your fingerprint or iris scan, or DNA

DoDEA-Specific Multi-Factor Authentication (MFA) Approach

The DoD CIO includes multi-factor authentication (MFA) and Cloud solutions under goals within  DoD Digital Modernization Strategy. The Department of Defense's Commercial Remote Environment (CVR) currently being used by over 500,000 Military, DoD Civilians, and Contractors.

For DoDEA purposes, you will use two factors for Microsoft Authentication. Instead of using your CAC, you will enter your username and password as well as use a phone that is unique and accessible to you.

  1. Something you know (username and password), PLUS:
  2. Something you have access to such as your office phone, mobile phone or mobile app for Android or iPhone. Using your office phone to authenticate may limit the flexibility you have to access resources and apps from other locations.  Additionally, an office phone option may not be feasible as DNS numbers are not allowed. DoDEA does not use the information entered for verification for other purposes.

M365 MFA Approval

A strong password is required by DoD policy. Your past word must be at least 15 characters long and contain at least 1 of each of the following: UPPERCASE letter, lowercase letter, number and special character (such as %$@#!&). See instructions on how to reset your password.

You are typically not required to use your phone verification with every login. However, you will be prompted for additional verification if unusual activity occurs, such as using a different computer or device, signing in from another location, or if more than 14 days have passed since you verified your second identification method.

You will continue to need your CAC since most DoD systems still require a CAC and pin.

How does MFA impact you?

You can access more DoDEA resources anytime and anywhere with increased flexibility to online DoDEA resources.

In order to use multi-factor authentication (MFA), you must provide multiple ways to prove who you are. When you attempt to sign-in, you will be prompted for one or more of the identification methods that you supply. You will need to decide which verification method is best for you.

If you forget your password, you may be able to gain access to your account using a series of backup recovery methods that may require that you provide an alternate email or phone number.

You may need to contact the Global Service Desk for assistance if you are unable to use a phone or remember your password. The Global Service Desk is available through the DoDEA network VPN or a non-VPN option.

How to Setup MFA for Teams

Use the Microsoft Authenticator App step-by-step guide.

Frequently Asked Questions (FAQ) - MFA

Will MFA increase my phone bill? – To avoid SMS text or roaming changes, use the Microsoft Authenticator app from the Android or Apple app store. You'll use the code generated by the authenticator app to verify that you are who you say you are. This option does not require internet nor data connection once the app is setup. 

See the setup instructions to start using the Microsoft Authenticator app

How often will I receive a SMS/text? - If you have set up your authentication to call you or if you are using the Microsoft Authenticator app, you will not receive SMS/text. If you have set up your authentication method to receive a text message, you will receive a single text with a code when verification is needed. 

The authentication system is designed to monitor and look for changes in your login. If the system identifies a fluctuation, such as when you log in from a different location, a different browser or different device, it will prompt you to verify that it is you logging in. If you consistently use the same browser from a single device at the same location, you will be prompted for verification much less. There is also an option that will allow you to avoid being prompted for 14 days from the same browser.

Can DoDEA now track my personal device? – The phone information used for authentication is only used to secure your login and verify who you are. DoDEA does not use this information for other purposes. 

Am I now required to have a phone? – Microsoft multi-factor authentication (MFA) can be setup using your office phone, mobile phone or a mobile app for Android or iPhone. Using your office phone for authentication may limit mobility. The phone is used in place of the CAC for “something you have access to” in the multi-factor authentication process. We are researching options for those who do not have a phone readily available. If you do not have a phone, your customer support team member will take your name and open a ticket to support your migration. 

Does MFA mean I will be able to login into DoDEA applications and services on my phone or tablet with no CAC? – Yes. However, not all apps and services will allow non-CAC so you will still need a CAC for some DoDEA and DOD resources or websites.

Is there a security questions and answer option instead of a phone or the app authentication? – No. Phone or mobile app are the only options available for the second verification option at this time.

Need more information?

DoDEA staff may submit additional questions from their @dodea.edu email.

Contact IT Customer Support Services for additional support (VPN & CAC required).
Contact: Nicole McNealy, IT Communications, for questions about this page
Denotes alink that requires CAC Authentication