We are getting notifications that MFA will be required for epicweb, does that extend to the epicor learning center? We have some factories where the users don’t have cell phones for MFA. Does anybody know if this will affect the people who access the learning center from within Kinetic?
We have the same question. Was contemplating logging a support case to ask but haven’t got around to it.
We will probably get a better answer on this forum.
I logged a case and will report back
It won’t be required for anything other than EpicCare right now.
The bad news. If you have MFA on your Epicor Identity account and use that for EpicCare you get two MFA prompts.
I had some similar questions when I saw that…
Do ADA accommodation options exist? That’s guaranteed to be an issue for some employer downstream of this change.
At smaller company scales, dependence on a device for MFA can become a single point of failure. What does recovering access to support look like if your only account with support access can’t access support?
There’s a KB article on resetting your MFA.
You’d likely have to email the MFA support email or something in that case. Or call into support.
Sorry for interrupting, but I read this and instantly thought…how much wood would a woodchuck chuck if a woodchuck could chuck wood?
You’re dead on though - a failed MFA device could be a showstopper. I’ve seen some that will allow email as a valid one-time code receipt method. Always liked security questions as a fallback too.
I sent them some feedback on it. They claim they’ll pass it on. But we know how that goes.
You never know…sometimes feedback can end up in the right hands.
It’s possible it will get passed onto the right person.
I just don’t even understand the point. Are support cases a high value target for hackers? Logging into epiccare is already a pain. Do we really need to make it even worse? Please, if somebody wants to log into my epiccare and update all my cases, go for it lol.
Security questions are the funniest (in hindsight…) security story I have! A bank started requiring security questions to be populated. Account recovery checked answers with a multiple choice form. Three questions, five options each. Rate limiting didn’t matter, the randomly populated incorrect answers would change with a page refresh. The funny part is, all of the answers I’d provided were random strings. Is my favorite actor Tom Cruise, Fred Astaire, l#^XCEme%Avvd7YGDd&%zAbQx*rHeQ, etc.
The most recent was a bank’s new MFA, a robot calling a phone and reading out a one time security code. It wasn’t clear enough to use reliably, and besides, fat chance I’m depending on SIM for financial security. I asked about ADA compliance and got some pushback. It didn’t take half an hour for legal to catch wind and take over. The bank quickly punched an ad hoc MFA method through their new security just for me.
Got my answer on the ticket
"Hi Mark,
MFA will only be required for users logging into EpicCare, not EpicWeb or the ELC. For EpicCare it will require an authenticator app on a mobile device while logging into the portal.
Please let me know if you have additional questions or concerns."
They’re really not protecting support cases; MFA is required whenever we share secrets. Why? How many users use the same password for multiple accounts? If that password escapes, MFA provides an extra layer of protection - depending on the strength of the MFA of course. Passwords are convenient for humans, but humans are not good at remembering good passwords. And even if they were, adversary-in-the-middle attacks, poor password management practices by solution providers, and local attacks on secret keepers make them very difficult to protect.
Enter what you think is a good “good” password at Have I Been Pwned: Who’s Been Pwned. You may be surprised what you find.
The better security practice involves as many attributes as possible and continuously checking those: is this a known device (i.e. has a certificate installed during registration), is this a normal time of day for this kind of access, is this a significant transaction (add new credential, etc.), does this user normally do this type of transaction, does it pass the impossible travel test (logged into two geographic regions), is this a usual network range, etc.
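To make the attribute checks in the post above concrete, here is an added example (not from the original thread, and not any vendor's implementation) that scores one access event against a constructed per-account baseline and decides whether to step up to MFA. The profile values, weights, threshold and sample events are all assumptions invented for the demonstration.

```python
import math
from datetime import datetime, timezone, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline for one account: device certificate thumbprint issued at
# registration, usual working hours, usual office network and usual actions.
PROFILE = {
    "known_devices": {"devcert-7f3a"},
    "usual_hours_utc": range(7, 19),
    "usual_networks": [ip_network("203.0.113.0/24")],
    "usual_actions": {"view_case", "update_case"},
}
SIGNIFICANT_ACTIONS = {"add_credential", "change_mfa_device"}
MAX_PLAUSIBLE_KMH = 1000.0   # faster than an airliner counts as "impossible travel"
STEP_UP_THRESHOLD = 4        # score at or above this forces an MFA challenge

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def score_event(event, prev_event, profile=PROFILE):
    """Return (score, reasons): each attribute from the post contributes a weight."""
    too_fast = False
    if prev_event is not None:   # impossible travel needs the previous location/time
        km = haversine_km(prev_event["lat"], prev_event["lon"], event["lat"], event["lon"])
        hours = max((event["ts"] - prev_event["ts"]).total_seconds() / 3600, 1e-6)
        too_fast = km / hours > MAX_PLAUSIBLE_KMH
    checks = [
        (event["device"] not in profile["known_devices"], 3, "unknown device"),
        (event["ts"].hour not in profile["usual_hours_utc"], 1, "unusual hour"),
        (not any(ip_address(event["ip"]) in n for n in profile["usual_networks"]), 1, "unusual network"),
        (event["action"] in SIGNIFICANT_ACTIONS, 2, "significant transaction"),
        (event["action"] not in profile["usual_actions"], 1, "unusual action for this user"),
        (too_fast, 4, "impossible travel"),
    ]
    return sum(w for hit, w, _ in checks if hit), [why for hit, _, why in checks if hit]

def decide(event, prev_event, profile=PROFILE):
    """'allow' when the event matches the baseline, 'step_up' (require MFA) otherwise."""
    score, _ = score_event(event, prev_event, profile)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

# Constructed sample: a normal session from the office, then an attempt 20 minutes
# later from another continent on an unknown device that tries to add a credential.
T0 = datetime(2024, 5, 6, 10, 0, tzinfo=timezone.utc)
NORMAL = {"ts": T0, "ip": "203.0.113.10", "lat": 51.5074, "lon": -0.1278,
          "device": "devcert-7f3a", "action": "update_case"}
SUSPECT = {"ts": T0 + timedelta(minutes=20), "ip": "198.51.100.5", "lat": 40.7128,
           "lon": -74.0060, "device": "devcert-unknown", "action": "add_credential"}
```

A real deployment would learn the baseline from history rather than hard-code it, and would only prompt for MFA when the score crosses the threshold instead of on every login.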
What if they did and wrote on every case, “You were right. I was wrong”?
You need MFA to access the knowledge article lol.
I got a new phone, set up Authenticator and for some reason am not getting any notifications from Epicor.
I am not the only person with access to support but pretty darn close and my partner is not in yet.
It’d be better if it were like the MS MFA where you only get dinged every couple of days or so. It’s already a pain to get to EpicCare.
So yeah one phone suddenly not working is a major pain in the kiester. I can’t contact support to fix it either.
Thanks for resurrecting this thread. I have learned that the MFA only persists for a single browser session, even if you mark the box “don’t prompt for 12 hours”. Given the number of times I need to close out my browser session due to application studio failing throughout the day, this is now requiring me to do MFA for EpicCare multiple times per day just to update my support cases, which I find frustrating and time consuming. All my other websites that require MFA have a remember my computer setting, so it’s not tied to a single browser session. I don’t understand why Epicor can’t implement something along these lines. I did attempt to provide this feedback to the EpicCare team but they wanted to redirect my case to ICE tools to figure out why application studio is failing.
My other MFA sites at least offer to send a text if authenticator doesn’t work but here there is no fallback. The knowledge article requiring MFA access is icing on the cake. Not very well thought through.
