Token Storage
Guide to Onboarding and Re-Authenticating Utility Credentials Using the Plug Dashboard
Overview
To maintain a secure and persistent connection, certain utility providers require Multi-Factor Authentication (MFA) to authorize data access. The Token Storage solution securely stores a session token that allows Arcadia to sync data for a specific duration. This guide outlines how to submit these tokens during initial enrollment and how to refresh them when they expire.
Key Benefits
- Extended Connectivity: Maintain data access for months (depending on the utility) without having to resubmit MFA tokens for each data access attempt.
- Proactive Status Tracking: Easily identify which credentials require a new session token via the Plug Dashboard.
- Secure User Delegation: Use Connect Links to let end-users provide tokens without sharing their primary utility passwords.
- Seamless Re-authentication: A streamlined UI that guides users directly to the verification method selection.
How It Works
When a user authenticates via MFA, the utility provider issues a session token. Arcadia stores this token to maintain sustained access to the credential. Because these tokens have a finite lifespan—ranging from a few weeks to several months—they eventually expire. When a token expires, the credential moves into a MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED state, signaling that a new MFA handshake is needed to generate a fresh token.
New Credential Submission Flow
- Submit credentials: Before managing credentials in the dashboard, you must first submit them to Arcadia:
- Submission: Submit your utility credentials via the Arcadia Connect UI or the Plug Dashboard.
- Select Verification Method: You’ll see a "Connecting with your utility" screen and then be asked to choose your preferred verification method (SMS, Call, or Email).
- Submit the MFA Token: Enter the code you receive via your chosen method and click "Submit."
- Success Confirmation: If the code is correct, you'll receive a confirmation that authentication was successful.
Re-authenticating a Credential
When a session token expires, you must refresh the authentication to restore the data flow.
- Identifying credentials requiring token refresh: Credentials requiring a token refresh show up with the MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED status detail. Filter to this status detail on the credentials page to identify the impacted credentials.
- On the Credential Detail page, click Retry MFA Verification to start the MFA authentication flow.
- The Connect flow will open. You will be shown a “Connecting with your utility” loading screen and redirected to the “Select your preferred verification method” page. Here the user can select the method to receive the token and then submit the token, as in the new credential submission flow.
Requesting token refresh from your End-Users
If the credentials are owned by an end-user (where you do not personally own the utility login), use the Connect Link method to allow the end-user to securely authorize the MFA opt-out.
- Identify Credentials Needing Attention
  - Log in to your Plug Dashboard and select Manage your credentials.
  - Filter the list by status detail: MULTI_FACTOR_AUTHENTICATION_REFRESH_REQUIRED.
  - Select an impacted credential to view the details page.
- Generate and Share the Update Link
  - As the credential is owned by an end-user, they must perform the authentication themselves.
  - In the credential details view, locate and click Generate update link. A temporary Connect link will be generated that is valid for 72 hours.
  - Copy and send this link to your end-user via your preferred communication channel (email, SMS, etc.).
- End-User Verification & Consent
  - Once the end-user opens the link, they will select their preferred MFA method (Text, Email, etc.) and input the token received from the utility.
