The Federal Housing Administration announced in FHA Info #2025-23 that it has implemented new phishing-resistant multi-factor authentication (MFA) for its FHA Connection (FHAC) system.
Users must implement the phishing-resistant MFA before July 28, 2025, to be able to continue accessing FHAC.
Why it matters: Phishing scams are cybercrimes intended to gain access to online accounts or install malware to damage or steal data from a computer or network.
- They can take many forms, like emails, text messages, phone calls and social media posts.
- These messages often contain links to websites that look legitimate but are instead designed to steal your personal and/or business information.
This new phishing-resistant MFA security feature is part of FHA’s ongoing commitment to maintaining secure lender, borrower, and stakeholder data while advancing identity management and access control capabilities. This enhancement also helps ensure that login credentials are not shared or exposed to attacks.
It is recommended that users set up and begin using this enhanced security feature as soon as possible. Users who do not implement this new security feature by July 28 will not be able to access FHAC. This requirement does not impact users who connect to FHAC through the Business-to-Government interface.
FHAC users have two options for setting up the phishing-resistant MFA: 1) OKTA FastPass Installation (recommended), and 2) FIDO2 Installation. Details are provided in the instructions below. Installation assistance from your IT group may be required.
________________________________________
Instructions for Phishing-Resistant MFA OKTA FASTPASS and FIDO2 Installation
I – STEPS FOR OKTA FASTPASS INSTALLATION (Recommended):
1. Download OKTA Verify to your workstation. Several options are below:
   - The installation routine for Windows can be found at: https://apps.hud.gov/pub/chums/OktaVerifySetup-5.1.3.0-4b0cd42.exe
   - The installation routine for macOS can be found in the Mac App Store.
   - The installation routine for iOS can be found in the Apple App Store.
   - The installation routine for Android can be found in Google Play.
2. Run the installer, select the checkbox to agree to the License terms and conditions and then click the Install button.
3. Once the installation is complete, click the Finish button.
4. From the Windows Start menu, open OKTA Verify.
5. Click Get Started.
6. Select Next at the “How it works” screen.
7. In New Account, enter “production-icam-hud.okta.com” and choose Next.
8. Log into OKTA with your user ID, password, and code. Set OKTA FastPass as your default in the new OKTA Verify browser.
You are now set up with OKTA FastPass. Next, take the following steps:
1. Log into FHA Connection.
2. Sign in using OKTA FastPass.
3. OKTA Verify will ask you if you are trying to sign in.
4. Select “Yes, it’s me”.
5. You have now successfully entered FHA Connection using Phishing Resistant MFA (OKTA FastPass).
II – STEPS FOR FIDO2 AUTHENTICATION FACTOR INSTALLATION WITHIN THE OKTA PORTAL (Requires Windows Hello or MAC/Linux equivalent):
1. Go to the FHA Connection home page (https://entp.hud.gov/clas/index.cfm) and click OKTA Setup.
2. Log into OKTA using the same user ID/Password/Factor used when logging into FHA Connection.
3. Click on your name at the top left corner of the screen and then select “Settings” (located on right side of the screen).
4. Once in Settings, select Set Up for “Security Key or Biometric Authenticator”.
5. After selecting Set Up, you will be prompted to log into FHA Connection.
6. Once you log in, you will be prompted to enter your FIDO2 PIN. This will have been established when you set up FIDO2 on your workstation.
7. You have now successfully entered FHA Connection using Phishing Resistant MFA (FIDO2).
Please note that FIDO2, an industry standard, must be allowed and turned on on your workstation. The Windows implementation of FIDO2 is Windows Hello. Mac and Linux also have implementations of FIDO2. If you choose FIDO2, your organization will be responsible for any configuration changes to your workstation to allow FIDO2.