GSA has announced GSA MFA changes that retire SMS and voice call multi-factor authentication for FAS ID systems. This change affects access to critical GSA platforms contractors rely on, including eOffer, eMod, and MASS mod processes. For contractors who depend on FAS ID to sign in, this shift requires action to maintain uninterrupted access. This update requires action from users to avoid disruptions to GSA system access.
What is Changing in GSA Authentication?
SMS-based MFA and voice call MFA are being retired for FAS ID. In practical terms, users will no longer receive one-time codes via text messages or automated voice calls as a second factor when logging in. This change applies specifically to FAS ID authentication, the doorway to several GSA systems your organization uses. The goal is to move toward more secure, phishing-resistant methods that reduce the risk of credential compromise. Key takeaway: the traditional text- or call-delivered codes are out, replaced by more robust options for FAS ID authentication.
Why is GSA making this Change?
The shift is driven by a practical security need. SMS and voice-based codes are more vulnerable to interception, SIM swap scams, and phishing attempts, and they can fail when mobile signals are weak. By aligning with stronger authentication standards, GSA aims to reduce the likelihood of unauthorized access while preserving reliable system availability. In short, the change lowers risk without compromising day-to-day access for approved users. Key takeaway: stronger, phishing-resistant methods mean fewer chances of credential-related disruptions.
What Authentication Methods Will Be Available Going Forward?
Users are encouraged to use one or more of the following:
- Okta Verify
- Google Authenticator
- Email authentication
What Contractors Must Do to Remain Compliant?
Actively update your FAS ID settings and register a supported MFA method as soon as possible. This includes selecting an authenticator app or registering a hardware security key, and ensuring backup options are in place. Coordinate enrollment across affected users in your organization, verify that all critical accounts, such as those used for eOffer, eMod, and SAM access, are covered, and confirm that devices and keys are available for sign-in.
Also Read: Understanding GSA MAS Refreshes and What Contractors Need to Know
What Happens if No Action is Taken?
Users will not be permanently locked out. If a user attempts to log in after February 1, 2026, and only SMS/voice is configured, they will be prompted to set up a new authentication method at that time.
Acting now on GSA MFA changes is essential to protect your workflow and keep critical systems accessible. Proactively updating authentication methods reduces risk and minimizes downtime, ensuring you can continue to complete eOffer, eMod, and SAM-related tasks without interruption. If you’re evaluating GSA MFA changes for your organization, our team can help you assess options and build a pragmatic roadmap.
Explore how our GSA MAS Schedule services support outcomes like uninterrupted system access, or get in touch to discuss your scenario with iQuasar, the trusted partner for GSA operational and compliance matters.
