Multi-Factor Authentication (MFA): What Local Governments Need to Know
What MFA is, why it's coming to SDL Desktop, and what it means for your team.
Multi-factor authentication, or MFA, is being added to SDL Desktop Hosted. All users are being asked to set it up, and over time it will become a required step at sign-in. This article walks through what MFA is, why it matters for local governments, the regulations and standards already pushing it forward, what your team can do now to get ahead of the change, and where to find the step-by-step setup guide.
What is MFA?
Multi-factor authentication is a way of confirming your identity when signing in that uses two pieces of evidence instead of one:
- Something you know - your password.
- Something you have - typically a six-digit code from an authenticator app on your phone or desktop, which refreshes every 30 seconds.
If your password is ever stolen, leaked in a data breach, or guessed by an attacker, your account is still protected because they don't have your authenticator.
You almost certainly already use MFA in your personal life without thinking about it: your bank texting you a code, an authenticator prompt on your retirement account, or a tap-to-confirm on your phone. The same idea now applies to your SDL Desktop sign-in.
Why MFA matters
Local governments hold sensitive resident data, process payments, manage public records, and run essential services. That makes municipalities high-value targets, and the threat has sharpened considerably over the past several years. State and local governments are now among the most frequently hit sectors for ransomware, and most attacks begin the same way: a single compromised user account.
The cost of a breach extends well beyond the immediate incident:
- Resident trust. A breach involving personally identifiable information can take years to recover from in the eyes of the public.
- Service disruption. When systems are encrypted by ransomware, services like permitting, licensing, payments, and public safety can be offline for weeks or months.
- Financial damage. Recovery from a serious ransomware attack on a municipality often runs into the millions of dollars, on top of any ransom demand.
MFA is the single most effective defense against the most common attack pattern. According to Microsoft security research, it blocks more than 99% of automated account compromise attempts. By requiring something an attacker can't easily steal, like your phone or your authenticator, MFA holds the line even when a password has been leaked, phished, or guessed.
Regulations and guidelines
Beyond the threat itself, MFA has become a baseline expectation across the regulations, security frameworks, and vendor agreements that affect local governments. Depending on what your municipality does and the data you handle, several of these may already apply to you:
- HIPAA. Municipalities with health departments, vital records offices, or any other operation that handles protected health information fall under HIPAA. The Security Rule requires safeguards for electronic protected health information, and MFA is the standard implementation expected by auditors.
- CJIS. Any system that accesses Criminal Justice Information Services data, including police records, court information, and prosecutorial systems, is governed by the FBI's CJIS Security Policy. CJIS explicitly requires multi-factor authentication for access to that data.
- NIST. The National Institute of Standards and Technology publishes the cybersecurity frameworks most modern security programs are built around, including NIST SP 800-171 and SP 800-53. MFA is a baseline control across all of them.
- Cyber insurance. Cyber insurance carriers now treat MFA as a baseline requirement for municipal policyholders. Coverage can be denied or non-renewed for organizations that can't demonstrate it, and claims have been denied when MFA wasn't enforced consistently. Whether this applies to your municipality depends on your specific policy.
- Vendor security standards. Most modern software platforms used by local governments maintain SOC 2 compliance, a security standard that independent auditors verify annually. SOC 2 requires strong access controls, and MFA is increasingly how vendors meet that bar across customer accounts.
If you're not sure which of these apply to your municipality, your IT director, your cyber insurance broker, or your software vendors can help you sort out the specifics.
Requirements coming to SDL Desktop
We know how important security is for the municipalities we serve, and we're committed to adapting as the threat landscape evolves. To meet that moment, we're raising our standards across SDL Desktop Hosted with multiple new protections. Adding MFA across user accounts is the most direct of those changes.
MFA is being rolled out to every SDL Desktop user. Setting it up now keeps you ahead of the change. The key points:
- MFA is becoming the new standard for sign-in. Every SDL Desktop user is being asked to set it up, including permanent staff, seasonal users, contractors, and anyone currently sharing a login.
- Setup takes about three minutes. If you already use Microsoft Authenticator or Google Authenticator, it'll take less than one minute.
- Get set up early to avoid disruption. Completing setup now means no rush at the sign-in screen later, and no chance of being caught at a bad moment once enforcement is fully in place.
Ready to set it up? The step-by-step guide is on the SDL Help Center: How to Set Up and Use Multi-Factor Authentication for SDL Desktop. Setup takes about three minutes.
If your team shares logins
Shared logins are common in municipal work, especially in small municipalities: a front-desk PC several clerks use, seasonal staff rotating through one login, or a shared field-inspection account. With MFA, the second factor is tied to one specific person, so an account can't be passed between users the way it can today. This is the change most likely to cause friction with daily workflows, and it's worth getting ahead of.
What this means in practice:
- Each person who signs in needs their own SDL Desktop account. This is true even for shared workstations. Multiple people can still take turns at the same PC; they'll just sign in and out under their own accounts.
- Seasonal and rotating staff need their own accounts too. If three seasonal hires currently share one login, each will need their own going forward.
- Now is the time to take inventory. If your municipality has been sharing logins anywhere, the rollout is the natural moment to clean that up before MFA reaches those accounts.
Email support@getsdl.com with the list of people who need individual accounts and we'll help you get them set up.
Addressing common concerns
It's natural to wonder how this is going to affect daily work. The good news is that the most common concerns turn out to be smaller in practice than they sound on paper. Here are the few we hear most often.
"Will the authenticator app access my data?"
No. An authenticator app does exactly one thing: generate a six-digit code every 30 seconds. It doesn't access your texts, contacts, photos, location, or any other data on your phone. It doesn't share information with your employer or with SDL. It doesn't track you or transmit data in the background.
Using your phone for MFA works exactly like the MFA prompts you already use for your bank, your email, and your retirement account.
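The sketch below shows why the app needs nothing else from your phone: a code is computed from a secret stored at enrollment and the current time, and the server repeats the same calculation to check it. It is an added example, not SDL's code, and it assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA-1, six digits, 30-second step) that apps such as Google Authenticator implement, which this article does not confirm for SDL Desktop. The secret is the RFC's published test value, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrollment QR code would carry it. Never use this value for a real account.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the code for the time step containing unix_time (RFC 6238)."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32: str, submitted: str, unix_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock drift. Every candidate is compared in constant time."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected.encode(), submitted.encode("utf-8"))
    return ok


if __name__ == "__main__":
    print(totp(SECRET, 59))                # code shown by the app at t=59s
    print(verify(SECRET, "287082", 89))    # one step late: still accepted
    print(verify(SECRET, "287082", 149))   # three steps late: rejected
```

The inputs are only the enrolled secret and the clock, so the calculation works with no network connection and reads nothing else on the device.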
"Will MFA slow me down every day?"
Not really. Once set up, MFA adds about five to ten seconds to your sign-in. You won't be retyping codes all day, and most people get prompted once per device per session rather than on every action. After a few weeks the rhythm becomes automatic and stops registering as a step.
"What if I get locked out?"
Setting up MFA generates a set of one-time backup codes that you can print or save somewhere safe. If you lose your phone, get a new device, or hit any other snag, you have options:
- Use one of your backup codes to sign in.
- Contact support@getsdl.com and we can disable MFA on your account temporarily so you can re-enroll a new device.
Nobody gets stranded.
What it means for your team
A few practical things make a rollout go smoothly for the team as a whole:
- Give people a heads-up. A short note from leadership covering what's changing, when, and why prevents most day-of confusion. Frame it as a security upgrade, not an IT mandate.
- Set aside ten or fifteen minutes during a quiet stretch (with a phone or desktop authenticator handy) so no one is rushed at the sign-in screen.
- Sort the edge cases out ahead of time. Anyone without a personal smartphone, anyone who works in the field without reliable signal, or anyone bound by strict device policies should contact support@getsdl.com before they're stuck.
Once it's behind you, the daily experience is the same as MFA on any personal account: enter your password, glance at your authenticator, type six digits, you're in. The friction disappears into routine within a few weeks.
The bottom line
SDL Desktop holds work that matters to your residents: permits, inspections, records, payments. MFA is the security layer that holds when a password fails, and it's now part of how you sign in.
- Set up MFA at your earliest convenience. You don't need to wait for your next sign-in attempt.
- Share this with your team. Anyone in your municipality who signs into SDL Desktop will need to set MFA up too.
- Reach out if you hit a snag. Email support@getsdl.com for help with setup, desktop alternatives, or any other questions.
Related resources
- Setup guide: How to Set Up and Use Multi-Factor Authentication for SDL Desktop — the complete step-by-step instructions for enabling MFA on your SDL Desktop account, including pairing your authenticator and signing in afterward.
- Parallels client: How to Install and Update the Parallels Client for SDL Desktop — for users connecting to SDL Desktop through Parallels. Covers installing the current version and what to do if your sign-in keeps failing.