HK Financial Services is now part of Blucora. Please visit Blucora for more details.

Plan Sponsor Multi-Factor Authentication - FAQs



When a participant is presented with the options to receive a code, is he/she presented with all phone numbers and email addresses on file and given the choice of which to use for the text/email?

Yes, all phone numbers and email addresses on file are available to be selected. No new phone numbers or email addresses may be added. Note that if the site-level web option to disallow sending a one-time PIN (OTP) to email addresses has been turned on, then only phone numbers will be available for selection.

What happens on the participant login if there is no email address or phone number on file?

As a condition of login, a device must be associated with the account to receive an OTP. Users with no email or phone numbers capable of receiving OTPs will see a message directing them to contact their plan administrator to set up missing information.

What happens if the phone number on file is not text-enabled (e.g., work number or landline) and/or the email address on file is no longer accessible (e.g., an email address at a former employer)? What happens if we have contact information data for someone, but none of it can be used for OTP authentication?

If the OTP default was set to a device which is no longer available (e.g., old phone number) but has not been changed in the recordkeeping system, the user’s OTP device will need to be reset before they will be able to log in. When a phone number or email is changed in the recordkeeping system, if it was the OTP default device, the OTP default will also be reset so the participant will automatically have to select a device at the time of the next login.

Will the participant be prompted for the OTP at each login, or only when logging in for the first time from an unknown device?

If the user selects “remember this device” when logging in, they will not be prompted for an OTP when logging in from that same device within the next specified number of days.

Will an OTP code be required when requesting a distribution? Would the code be entered upon login and then a new code needed to be entered when submitting the request? Does this also apply to loans or any other transactions?

All disbursements (loans, distributions, withdrawals) made by the participant will require OTP when the participant clicks the submit button for the request. This is true even if the participant already entered an OTP during login. Other sensitive activities include personal information changes (including password and User ID) and beneficiary changes. These non-disbursement type sensitive activities would require OTP if the participant bypassed OTP during login (e.g., because of the use of a recognized device).

Is there any functionality that would allow for a message to remind people to add personal information if it is missing when they log in?

There is an option to include a message to remind participants to review and update phone numbers and emails.

What happens when an email address that was previously verified by the participant is later changed in Census?

An email address that is changed outside of the Participant Web will be reset so it no longer displays as verified.

What happens when an email address or phone number that was selected as the default OTP device is changed outside of the Participant Web, such as through Census?

The change of an email address or phone number that was previously an OTP default device will result in the OTP default being reset. The next time the participant logs in, they will need to select from known devices to receive the OTP. This selection will become the new default OTP device.

If the participant only has one email address and no phone number, will they still be prompted to select a device on login?

If there is only one possible method of sending an OTP, such as a single email address, that device will become the default OTP device, and the OTP will automatically be sent to that device.

Why is there a timer on the OTP entry form?

In some cases, it may take up to a minute to receive an OTP. The timer prevents the request of another OTP until sufficient time has elapsed to ensure the user would have received the first OTP. This is important because the first OTP will no longer be valid after the second OTP is sent.

For how long is the OTP valid?

The OTP is only valid for five (5) minutes. If the user does not enter the OTP within that time frame, they will need to request a new OTP.
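
The OTP rules described in the answers above (five-minute validity, a resend timer, a second OTP invalidating the first, and OTP at submit for disbursements) can be sketched as follows. This is an added example, not the recordkeeping system's code; the 60-second resend wait, the 6-digit code, single-use behavior, and the names OtpSession and needs_otp are assumptions.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # from the FAQ: an OTP is valid for five minutes
RESEND_WAIT_SECONDS = 60   # assumption: the FAQ says delivery may take up to a minute


class OtpSession:
    """Holds one pending OTP per user; issuing a new code replaces the old one."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable so expiry can be exercised offline
        self._code = None
        self._issued_at = None

    def request_code(self):
        """Return a new 6-digit code, or None while the resend timer is running."""
        now = self._clock()
        if self._issued_at is not None and now - self._issued_at < RESEND_WAIT_SECONDS:
            return None
        self._code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; length is an assumption
        self._issued_at = now      # the previous code is overwritten, so it stops working
        return self._code

    def verify(self, submitted):
        """Accept only the latest code, within its lifetime, and only once (assumed)."""
        if self._code is None:
            return False
        expired = self._clock() - self._issued_at > OTP_TTL_SECONDS
        # Constant-time comparison avoids leaking how many digits matched.
        ok = not expired and hmac.compare_digest(self._code.encode(), submitted.encode())
        if ok or expired:
            self._code = None      # consume on success, discard on expiry
        return ok


def needs_otp(action, otp_done_at_login):
    """Step-up rule from the FAQ; the action names are hypothetical labels."""
    if action in {"loan", "distribution", "withdrawal"}:
        return True                # disbursements always require a fresh OTP at submit
    if action in {"personal_info_change", "beneficiary_change"}:
        return not otp_done_at_login   # only if login skipped OTP (recognized device)
    return False
```
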

What happens if a participant has terminated employment and has not updated their account for MFA?

Terminated participants will need to contact the plan administrator to verify their account.