FAQ: 2-step authentication

Common user questions about the 2-step authentication feature and enrollment process.

Why is Availity changing its authentication process?

To improve platform security and align with updated cybersecurity standards, Availity is phasing out SMS and voice-based authentication methods. These methods are increasingly vulnerable to threats like SIM swapping and phishing.

Availity is aligning with guidance from the National Institute of Standards and Technology (NIST), which no longer recommends SMS and voice as approved 2-step authentication methods. By transitioning to app-based authenticators and hardware tokens, Availity intends to ensure a more secure and more reliable authentication experience for all users.

What is changing?

Availity Essentials is updating its 2-step authentication process. SMS and voice options will be removed in phases, and users will instead authenticate using an app-based method (e.g., Google Authenticator or Microsoft Authenticator), a browser-based method, or a hard token.

This change applies to all Availity Essentials users.

Note: This change does not affect users who access Availity through Essentials Pro or users who use Single Sign-On (SSO) to access Availity. No action is required for these users.

What is 2-step authentication?

2-step authentication is when you give Availity permission to send you a code to make sure that the person using your account is actually you. 2-step authentication requires that you verify your identity using two methods, typically by providing something you KNOW, like a password, and something you HAVE, like a phone or code.

Why does Availity require 2-step authentication?

2-step authentication provides another checkpoint to validate that people logging into Availity Essentials are who they say they are. Regulated industries such as health care and banking are increasingly using 2-step authentication for data privacy and security.

Does everyone at my office have to do 2-step authentication?

Every Availity Essentials user is required to enroll in 2-step authentication.

How does 2-step authentication work?

2-step authentication requires you to register either a mobile or browser extension-based authenticator app (e.g., Google Authenticator) or a hard token, also known as a security token or authorization token.

The method you choose delivers a code for select situations (such as logging in to Availity Essentials from a new device).

Tip: You can enroll in more than one method of delivery for your code in case you lose access to your 2-step authentication method.

What authenticator app should I install?

A few common authenticator apps are developed by Google and Microsoft for mobile devices and Authy for mobile, desktop, and laptop computers. For security, ensure that you only install your authenticator app directly from the developer's website or from the Android or Apple application stores.

What are backup codes and how should I use my backup codes?

A backup code serves as an alternate or backup method to authenticate your Availity user account to log in to Availity Essentials. Availity recommends that you only use a backup code when you have misplaced the original device you selected when you enrolled in 2-step authentication for the first time.

I have entered my code incorrectly too many times. How do I log in to Availity Essentials?

If you enter the code incorrectly too many times, you will be temporarily locked out of your user account. You will be directed to the Availity login page where you can reset your password. Once your user account is reset, you can log back in to Availity Essentials, and then enter the code to authenticate your user account.

What if my office does not allow mobile phones on site?

If your organization restricts mobile phone use in the workplace, there are still secure alternatives for completing 2-step authentication:
  1. Install an authenticator browser extension (e.g., for Chrome or for Edge). Your IT team may need to assist with installation and setup.

  2. Use a hard token device. Also known as a security token or authorization token, these physical devices may be purchased separately and may incur a cost.

  3. Set up an inbound SSO (Single Sign-On) with Availity. This option will require the involvement of your Availity technical representative and may involve additional configuration and associated costs.

In general, Availity recommends that you work with your internal IT administrator to determine which option is best suited for your environment.