# Mandatory MFA - July 2026

From 31 July 2026, every user signing in to Crisisworks will be required to complete a multi-factor authentication (MFA) check at every sign-in. This applies to all users — those signing in with a username and password, and those signing in through single sign-on (SSO).

Today, MFA is optional and most users sign in with a password alone. After the change, a password alone will no longer be sufficient.

The change is part of Datalink's commitment to align Crisisworks with the Australian Cyber Security Centre's Essential Eight Maturity guidance on multi-factor authentication. It materially reduces the risk of account takeover from leaked or reused passwords — the most common attack faced by services like Crisisworks.

### Key concepts <a href="#key-concepts" id="key-concepts"></a>

* **Multi-factor authentication (MFA)** — a security check that uses two pieces of evidence to confirm you are who you say you are: something you know (your password) and something you have (your mobile phone). The check happens at sign-in.
* **SMS code** — by default, MFA is performed by sending a one-time code to your mobile phone via SMS, which you enter at the sign-in screen to complete the check.
* **TOTP / authenticator app** — an optional alternative MFA factor available through the existing MFA self-management screen. You can add an authenticator app (such as Google Authenticator) as an additional second factor.
* **Primary site** — every user has a primary site, which is the site that administratively manages them. The primary site is also the place where MFA recovery happens if the user loses their phone.
* **Recovery** — the documented process by which a site administrator helps a user re-establish MFA after losing access to their device, including proof of identity.

### What the user experience will look like <a href="#what-the-user-experience-will-look-like" id="what-the-user-experience-will-look-like"></a>

For most users the change is small and concentrated at one moment — the first sign-in after 31 July.

#### Username / password users <a href="#username-password-users" id="username-password-users"></a>

At your first sign-in after activation:

* You enter your password as usual.
* You receive a one-time code via SMS to the mobile number your site administrator has on file for you.
* You enter that code on the sign-in screen and proceed normally.
* The system remembers that your phone is now confirmed. Future sign-ins continue to involve an SMS code, but the friction is small.

#### SSO users <a href="#sso-users" id="sso-users"></a>

At your first sign-in after activation:

* You sign in through your organisation's identity provider as usual.
* Before you reach sensitive parts of Crisisworks, you complete a one-time SMS check sent to your mobile number on file.
* In the future, the SMS check will apply when you access sensitive features — most of your daily Crisisworks use does not require it.
* To prepare for SSO, please ensure that all users are using the primary email and primary domain of your organisation (i.e. not an alias).

#### If your mobile number on file is wrong or out of date <a href="#if-your-mobile-number-on-file-is-wrong-or-out-of-date" id="if-your-mobile-number-on-file-is-wrong-or-out-of-date"></a>

* You will not receive the SMS code.
* The sign-in screen will display how to contact your site administrator.
* Your site administrator can update your number through the contact register, and you can try again immediately.

#### Adding an authenticator app for stronger protection <a href="#adding-an-authenticator-app-for-stronger-protection" id="adding-an-authenticator-app-for-stronger-protection"></a>

The existing MFA self-management screen lets you add a TOTP authenticator app alongside SMS. SMS remains the baseline for everyone; adding TOTP gives you a stronger second factor and an alternative if you do not have mobile reception when signing in.

#### Recovering if you lose your phone <a href="#recovering-if-you-lose-your-phone" id="recovering-if-you-lose-your-phone"></a>

Your site administrator can reset your MFA. They will confirm your identity using a documented proof-of-ID process before performing the reset. Datalink does not perform MFA recovery for end users directly — your site administrator is the support path.

### What is not changing <a href="#what-is-not-changing" id="what-is-not-changing"></a>

* Your username (email address) remains the same.
* Your password remains the same.
* Crisisworks' email-based password recovery is unchanged.
* The features and screens you use day-to-day are unchanged. The only difference is the sign-in step now includes an MFA check.

### Steps for Administrators <a href="#who-is-doing-what" id="who-is-doing-what"></a>

The most important preparation happens on the customer side. By 24 July 2026, each site's administrators should:

* **Clean the contact register.** Review every contact flagged as a user. Confirm the mobile phone number is current and correct. Remove the user flag from contacts who are no longer active. This is the single most important task — the mobile number on file is what makes MFA work at cutover.
* **Re-verify any stale numbers.** Numbers that have not been updated within the last 18 months will be flagged in the cleanse list. The system will require these users to re-verify their number when they next sign in. A report/filter will be provided to identify the user records that need to be cleaned/updated.
* **Onboard your administrators to MFA early.** Each site administrator should enrol their own MFA before 31 July via the existing self-management screen. This ensures administrators are not themselves locked out at cutover and are available to support their end users.
* **Communicate to your users.** Datalink will issue in-app and email communications, but a direct message from the site to its own users carries weight that vendor communications do not.
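
An added example, not part of Crisisworks or Datalink's tooling: a pre-cutover check of a contact register export against the first two tasks above (missing or malformed mobile numbers, and numbers not updated within 18 months). The CSV layout, the column names, the `yes` user flag, the number-format rule and measuring the 18 months back from 31 July 2026 are all assumptions; the sample rows are constructed.

```python
import calendar, csv, io, re
from datetime import date

CUTOVER = date(2026, 7, 31)   # MFA becomes mandatory (from the page)
STALE_MONTHS = 18             # staleness threshold (from the page)
# Assumption: loose international-format check, 8-15 digits with optional "+".
MOBILE_RE = re.compile(r"^\+?\d{8,15}$")

def months_before(d, months):
    """Return the date `months` calendar months before d, clamping the day."""
    idx = d.year * 12 + (d.month - 1) - months
    year, month = divmod(idx, 12)
    day = min(d.day, calendar.monthrange(year, month + 1)[1])
    return date(year, month + 1, day)

def audit(csv_text, as_of=CUTOVER):
    """Map each user-flagged contact's email to a list of problems found."""
    threshold = months_before(as_of, STALE_MONTHS)
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["is_user"].strip().lower() != "yes":
            continue  # only contacts flagged as users will face the MFA check
        problems = []
        mobile = re.sub(r"[\s()-]", "", row["mobile"])
        if not mobile:
            problems.append("missing mobile")
        elif not MOBILE_RE.match(mobile):
            problems.append("malformed mobile")
        updated = row["mobile_updated"].strip()
        if not updated or date.fromisoformat(updated) < threshold:
            problems.append("stale: re-verify")
        if problems:
            findings[row["email"]] = problems
    return findings

# Constructed sample export (hypothetical columns; names, numbers, dates made up).
SAMPLE = """email,is_user,mobile,mobile_updated
a.admin@example.org,yes,+61 491 570 006,2026-03-02
b.field@example.org,yes,0491 570 156,2024-11-15
c.left@example.org,no,,2019-01-01
d.new@example.org,yes,,2026-06-01
e.typo@example.org,yes,0491-57O-157,2025-02-01
"""

if __name__ == "__main__":
    for email, problems in audit(SAMPLE).items():
        print(f"{email}: {', '.join(problems)}")
```
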

