Multi-factor Authentication — Frequently Asked Questions

Multi-factor authentication (MFA) refers to an additional layer of security that is added to the login process. MFA relies on two forms of authentication: something you know, and something you have with you. The something you know is your password. The something you have with you can be a mobile device or software token. This means that even if your password is hacked, your account will remain secure.

Cybercriminals are getting bolder about compromising the valuable data held within systems across the globe. Authenticating to technology systems with a username and password alone leaves your account vulnerable to hijacking attempts. Cambridge and many private organizations (like financial institutions, universities, and Amazon) are implementing stronger layers of cybersecurity in the form of more modern and secure access methods. MFA secures the environment, the people in it, and the devices they're using without requiring cumbersome resets or complicated policies.

Cambridge needs to meet the security requirements of our technology partners and regulatory bodies to provide the best technology solutions in a secure and efficient manner.

Cambridge will provide a Time-based One-time Password (TOTP) serving as a single-use passcode typically used for authenticating users. The user is assigned a TOTP generator delivered as a software token often installed on a computer or mobile device. The generator implements an algorithm that computes a one-time passcode using a secret key shared with the authentication server and the current time – hence the name “time-based.” The passcode is displayed to the user and is valid for a limited duration. Once expired, the passcode is no longer valid. The user enters a valid passcode into a login form, typically together with their username and regular password.

Delivering MFA codes via email, text messages, or phone calls are not allowed because these methods are inherently vulnerable to interception, spoofing, and other attacks. These methods do not meet the security requirements of many of our partners.

Users will be asked to enter their email address and password as they normally would. After this step, the user will be prompted to enter the six-digit code displayed in the authenticator application.

Refer to our MFA Setup Guide for step-by-step direction.

All financial professionals, financial professional staff, third-party vendors, and home office associates that log in to cir2.com are required to use MFA going forward.

You will need to use the MFA process when accessing cir2.com and any ancillary applications accessed from the site that provide single sign-on (SSO).

Initial rollout will require MFA once per day. The roll over time for re-authentication is daily at 4:00 a.m. CT.

Please contact the CLIC Tech Team (clictech@cir2.com) at 800-777-6080 x3348 to reset your MFA user account.

Please contact the CLIC Tech Team (clictech@cir2.com) at 800-777-6080 x3348.

No, the authenticator app should be on a secondary mobile device. By using the authenticator app on a mobile device separate from your primary device, you are helping to protect your account even if one of your devices is stolen. 

Currently, an internet or cellular data accessible mobile device (including an iPad or tablet) is required for multi-factor authentication.

Please contact the CLIC Tech Team (clictech@cir2.com) at 800-777-6080 x3348 to reset your MFA user account. Once completed, you will be required to reestablish the authenticator on the new mobile device.