Multi-Factor Authentication (MFA) Frequently Asked Questions (FAQs)


What is Multi-Factor Authentication (MFA)?

MFA is a technology designed to enhance the security of the identity verification process.

Your identity information is your user name, which is traditionally verified by your password (single factor of authentication).

There are three potential factors that can be used for multi-factor authentication:

  • Something you know (like a password)
  • Something you have (like a mobile device, or a hardware token)
  • Something you are (like your facial pattern, or your fingerprint)

To complete a successful MFA login, two (or in some cases all three) factors must be used to verify your identity.

UNBC requires a second factor of the type "something you have", specifically an application on your mobile device or a hardware token.

Why has UNBC enabled MFA?

UNBC has enabled MFA to enhance the level of security and integrity of its digital computer systems.

This technology is essential to help reduce fraud and computer-based attacks against UNBC computer systems.

Do other Universities use MFA to authenticate staff, faculty & students?

Yes, MFA is being used by various institutions and schools to better protect their data and accounts.

Am I required to use MFA? 

Yes, this security feature is required for all staff, faculty, students, and alumni. If you do not register by the deadline, you will lose access to email and any other systems protected by MFA. If that happens, please contact the IT Service Desk for assistance.

What applications/systems will require MFA?

The full list of applications/systems protected by MFA is large and continually growing.

The major apps/systems which require MFA include all Microsoft 365 services (your UNBC email, Microsoft Teams, etc), https://moodle.unbc.ca, Zoom, LinkedIn Learning, Foxit, and TeamDynamix (https://support.unbc.ca).

How often will I be prompted for MFA during sign-in?

The frequency of MFA prompts will vary based on the application/system, and may change over time. It is expected to be approximately once a month for most systems, though some higher-value/risk systems may require more frequent (weekly or daily) MFA verification.

You will also be prompted for MFA anytime that Microsoft detects a possible risk to your account security during the sign-in process. If you are being prompted for MFA on every single sign-in, please contact ITS so that we can review your account and resolve the detected risk.

Some people have reported that they are prompted for account credentials & MFA on every application sign-in while using the Google Chrome browser, but not while using other browsers (Microsoft Edge, Mozilla Firefox, etc). If that is the case for you, please try installing the Windows Accounts Chrome extension. This extension comes from Microsoft, and helps the Chrome browser remember your identity for single sign-on.

If you receive an unexpected MFA prompt in the Microsoft Authenticator application (it happens randomly, not during a sign-in event), DO NOT APPROVE IT! It is very likely indicative of someone else attempting to access your account. Decline the prompt, and rest secure in the knowledge that MFA did its job to keep your account (and UNBC's systems) secure.

Is it OK to use a personal device to register as a verification option for my UNBC account?

Yes, it is OK to use your personal mobile device to register as a verification option for your UNBC account.

Can UNBC wipe my device if I use it as a verification option for my UNBC account?

No, UNBC cannot perform a remote device wipe if you use the Microsoft Authenticator App as your MFA verification application. UNBC will not gain any access to the contents of, or control over, your mobile device.

How long does it take to enroll/register a device for MFA? 

Only a few minutes!

How do I register a Mobile Device Authentication app?

Please refer to these instructions for the registration of an initial Authentication app: https://unbc.teamdynamix.com/TDClient/87/Portal/KB/ArticleDet?ID=2181

Can I register more than one Mobile device for MFA verification?

Yes, you can register more than one mobile device for MFA authentication (eg. an iPad and an iPhone, or an Android phone and tablet).

Please refer to these instructions for the registration of additional devices beyond the first: https://unbc.teamdynamix.com/TDClient/87/Portal/KB/ArticleDet?ID=3568

What should I do if I upgrade my Mobile Device and the Microsoft Authenticator app is installed?

Your mobile device has to be registered in order for Multi-Factor Authentication to work with it. If you purchase a new phone, download the Microsoft Authenticator app, and add your account, it won't work, as the new device needs to be registered.

Please contact the IT Service Desk when you purchase a new mobile device so that we can remove your old device and add your new one.

Will ITS be supplying Mobile Devices?

No, ITS is not in a position to supply mobile devices. ITS is able to provide MFA Hardware Tokens to employees. See the answer below.

I don't want to use (or don't have) a Mobile Device. What can I do?

Employees can request an MFA Hardware Token by submitting the MFA Hardware Token Request Form: https://unbc.teamdynamix.com/TDClient/87/Portal/Requests/ServiceDet?ID=1850

Students may choose to purchase an MFA Hardware Token at the UNBC Bookstore. After purchasing a token you must submit the MFA Hardware Token Activation Form, to have the token associated with your account: https://unbc.teamdynamix.com/TDClient/87/Portal/Requests/ServiceDet?ID=2278

Does MFA work with EduRoam?

UNBC ITS needs to engage the partners that we work with to provide the EduRoam service before any changes will be made to the existing configuration.

Does MFA work with *nix?

Yes, MFA works with *nix.

MFA prompts will happen at the time of application access, for example Outlook on the Web. As long as your browser or application is up-to-date and supports modern sessions/modern authentication, you will be able to use MFA.

Does MFA work with Apple (mac)?

Yes, MFA will work with Apple products using the following Apple operating systems: iOS, macOS, and iPadOS.

MFA prompts will happen at the time of application access, for example email on the web. As long as your browser or application is up-to-date and supports modern sessions/modern authentication, you will be able to use MFA.

Why is SMS not an option for verification?

At the recommendation of the IT Security Office, UNBC's MFA solution will not allow SMS as a verification method.

There are conditions under which threat actors can receive one-time SMS codes on your behalf, without your knowledge.

Industry best practice and guidance encourages the use of mobile device applications as the best possible solution for MFA verification.

Will MFA work out of cell coverage (eg. while on a plane)?

MFA is used to verify your identity when signing into applications. If you have WIFI on your flight, you may be prompted for an MFA sign in; at that time you would need to use your mobile device or hardware token to verify your identity. The push authentication prompt in Microsoft Authenticator will not appear when the device is in airplane mode, but the six-digit code for your account (generated in the app every 60 seconds) can be used instead.

Can I use Google Authenticator (or other apps) to verify my identity?

Google Authenticator (and other non-Microsoft authenticator apps) can be used to verify your identity. You will be able to register that application during the MFA registration process. When using an authenticator app other than Microsoft Authenticator, you will lose the benefit of push authentication prompts, and will instead need to manually enter the six-digit code from the authenticator app when prompted for MFA verification.

UNBC ITS is not able to provide support for the use of authentication apps other than Microsoft Authenticator.

What is a Hardware Token?

A hardware token is a small device that can fit on your key chain or key ring, which generates a new 6-digit PIN every 60 seconds.

UNBC has found and tested DeepNet Security's SafeID hardware tokens. They have been found to be robust and economically efficient.

Above is an example of the hardware token that you will receive. Its overall dimensions are 44mm x 19mm x 6.5mm. It has a button on the back of the token to display the PIN.

There are other hardware tokens available for those needing accommodations for manual dexterity challenges, or visual acuity challenges. If you have those requirements, please note that on the MFA Hardware Token Request Form (https://unbc.teamdynamix.com/TDClient/87/Portal/Requests/ServiceDet?ID=1850)

Can I have more than one Hardware Token?

No. Only one hardware token can be associated with an account at a time. 

I live out of town/province/country. How can I get a Hardware Token?

You can request that your token be mailed to you (registered mail, will require a signature).

When you fill out the MFA Hardware Token Request Form (see link above), you will see a checkbox that, when selected, starts the process of verifying your mailing address and getting the token shipped to you.

Note: ITS will only ship to mailing addresses that are on file in the Banner system, and will require a signature, which may require a visit to the post office to pick up your token.

What if I lose/forget my Hardware Token?

If you forgot your token (e.g. you left it at home and you're at work), you can contact the Service Desk. You will be asked some identity verification questions, after which your account will be temporarily set to bypass the MFA requirement during login.

If you lost your token, inform ITS immediately so that it can be decoupled from your account and we can issue you a new token. If the token is later found please return it to ITS, as it can be safely re-used on a different account.

Can I use my FIDO2 OAUTH Key?

Yes, you can use a FIDO2 OAUTH key at UNBC. Refer to these registration instructions: https://unbc.teamdynamix.com/TDClient/87/Portal/KB/ArticleDet?ID=3386

Please note that ITS does not provide FIDO2 keys, and does not provide support for them beyond allowing their use.

What information can UNBC see if I register a personal mobile device? 

UNBC ITS will be able to see the following information:

  • Device Model
  • Device Manufacturer
  • Operating System and version
  • Device Owner
  • Device Name
  • Device Serial Number
  • IMEI

UNBC ITS will NOT be able to see the following information:

  • Calling and web browsing history
  • email and text messages
  • contacts
  • calendar
  • passwords
  • pictures, including what is in the photos app or camera roll
  • files

What recommendations does ITS have for device use?

ITS recommends the Microsoft Authenticator app; it is available for all major mobile devices, it is convenient, and allows for quick one-touch verification.

Example of Authenticating with the Microsoft Authenticator App

  • You log in to your email account on your computer
  • You may get a prompt for “Approve sign in Request”
  • Your mobile device will show a notification: “Approve sign in”
  • Tap the Approve option on the mobile device notification
  • The email application on your computer will complete the login process, and you can continue using your email.

Number Matching for Multi-Factor Authentication

There are two types of number matching with Multi-Factor Authentication.

  • Type the number from the sign in screen
  • Select the number from the sign in screen

 

Typing the Number

  • When you are prompted for a Multi-Factor Authentication (MFA) challenge, you will be presented with a number. You will need to type that number into the Microsoft Authenticator app to complete the authentication process.

Selecting the Number

  • When you are prompted for a Multi-Factor Authentication (MFA) challenge, you will be presented with a number. You will need to select the matching number in the Microsoft Authenticator app to complete the approval process.

Details

Article ID: 2221
Created: Mon 10/18/21 9:49 PM
Modified: Mon 9/18/23 11:57 AM
