
A guide to Multi-factor Authentication (MFA)

What is Multi-factor Authentication (MFA)?

Multi-factor Authentication (MFA) is an electronic authentication method that grants a user access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism.

In the context of your CPC account, this typically involves:

  1. Something you know: Your standard email address and password.

  2. Something you have: A unique, time-sensitive six-digit code generated by an authenticator app on your smartphone (such as Google Authenticator, Microsoft Authenticator, or Authy).

Why is MFA important?

MFA is a critical layer of security designed to protect your sensitive data and organisation details. Standard passwords can often be compromised through data breaches, phishing, or simple guesswork.

By enabling MFA, even if a malicious actor manages to obtain your password, they will still be unable to access your account without the physical device linked to your profile. This significantly reduces the risk of unauthorised access, identity theft, and fraudulent activity within the CPC procurement framework.

How do I set up MFA?

To set up MFA for your CPC account, you need to enable it in your User Profile. Follow these steps:

  1. Access Settings: Log in to your account and click on your name in the top right-hand corner, then select 'Profile'.

  2. Enable Feature: Scroll down to the 'Two Factor Authentication' section and click the 'Enable' button.

  3. Confirm Password: For security reasons, you will be prompted to re-enter your account password.

  4. Scan QR Code: Open your chosen authenticator app on your phone and select the option to "Add a code" or "Scan QR Code". Point your camera at the QR code displayed on your CPC profile page.

  5. Verify Setup: Enter the six-digit code shown in your app into the CPC platform to confirm the link is active.

  6. Store Recovery Codes: Once enabled, you will be shown a list of 10 Recovery Codes. It is vital that you download or print these and store them in a secure location (such as a password manager). These are the only way to access your account if you lose your phone.

How do I reset my MFA?

If you have lost access to your MFA codes and your one-time recovery codes (the 10 codes provided upon activation), you will need to contact our helpdesk to regain access to your account.

To request a manual reset:

The Verification Process

Because MFA is a critical line of defence against your password or email being compromised, resetting it is a rigorous process by design. To protect your organisation’s data, our helpdesk team will:

  1. Send a verification email to your registered address to initiate the process.

  2. Verify your identity through secondary means. This may include a scheduled phone call, checking identification documents (such as a driving licence), or physical correspondence sent to your registered organisation address.

Once your identity has been successfully verified, we will reset your MFA settings, allowing you to log in and set up a new device.

Tips for Future Access

To avoid the need for a manual reset in the future, we recommend the following best practices:

  • One User, One Account: Ensure every staff member has their own login. Sharing accounts significantly increases the risk of being locked out.

  • Use a Password Manager: Modern password managers (like 1Password or Bitwarden) can store your MFA "secret key" alongside your password, providing a digital backup if you lose your phone.

  • Secure Your Recovery Codes: Treat your 10 recovery codes like cash. Store them in a secure, offline location or an encrypted digital vault.

  • Manage Notifications: If you are concerned about receiving too many Quote Tool notifications, these can be managed individually within your profile settings. You do not need to share an "Admin" account to manage high volumes of email.