Chorus Application Security improvements

Online security risks are constantly evolving, which means that we need to adapt in the way that we defend our systems and data.

We offer applications that can be accessed online (like Chorus Portal and the Assurance Website), or via a mobile device, using an @chorus.co.nz login. We use Microsoft Entra ID (previously Azure) to manage login and security.

Currently, when users log in to a Chorus application with an @chorus.co.nz ID, their login credentials are stored. This makes it easier to log in without typing the credentials each time. Users can also choose to remember their second-factor authentication for 14 days. This means they don’t have to go through the extra security step every time they log in during that period.

However, this convenience comes with a risk. If someone loses their device, or if it gets hacked, the previously cached authentication could be misused to access Chorus data and resources.

To reduce this security risk and align with security best practice, we are looking to:

  • Enforce multi-factor authentication.
  • Require authentication daily, on session initiation, or on first use of an application.
  • Implement stronger and more consistent rules for how long a login session can remain active without re-authentication.

This change means users of Chorus applications using the @chorus.co.nz login will need to enter their Chorus password and complete multi-factor authentication at least once per day, and potentially more often if they reopen an application.

Please share this message with your operational staff and ensure that any automation that you have built is ready.

Please regard this communication as formal notice of the change, which is intended to take effect on 22 October 2024.

 

Contact

If you have any questions, then please reach out to your friendly Chorus account team.