Multi-factor Authentication (MFA) FAQ

Environment: Users looking for answers to common questions regarding MFA (Multi-Factor Authentication)

Purpose: Guides users through the uses, background and reasoning behind MFA and answers commonly asked questions

What is Multi-factor Authentication (MFA)?

Multi-factor Authentication helps validate who you are by adding a second step to the sign-in process. It combines two factors:

  • Something you know (your StFX password)
  • Something you have (a time based pass code or notification from your mobile device or hardware token)

This creates a layered defense, preventing unauthorized access to your StFX account if your password is compromised.

How does Multi-factor Authentication help protect my data and StFX?

Multi-factor Authentication makes it more difficult for someone else to sign into your Microsoft (Office) 365 account or access StFX systems on VPN, even if they have your password. When someone attempts to sign in from a device or location, you will be required to verify the sign-in attempt via your preferred verification method. An intruder would need to know your password and have access to your verification device to sign in.

When will I need to use Multi-factor Authentication?

StFX is implementing Multi-factor Authentication on multiple systems:

  • Microsoft 365 MFA
  • FortiClient VPN (VPN MFA)
  • Mylabapps
  • Drupal Website Editing

Microsoft 365 MFA

StFX accounts will be prompted for MFA for off campus access only. Verification is not required when connected to the campus network; it is only required when accessing Office 365 from mobile and external networks. StFX accounts will be prompted every 15 days on trusted devices and each time you access a Microsoft 365 service (off campus) from a different device. Microsoft 365 MFA prompts will occur when accessing the following services off campus:

  • StFX email (Mail clients & Microsoft Outlook online access)
  • Microsoft Office applications, OneDrive, Teams, OneNote, and other Microsoft (Office) 365 add-ins
  • Any StFX services that use the Microsoft login, for example:
    • TeamDynamix - Viewing secure knowledge base articles and submitting/viewing tickets at services@stfx.ca
    • Qualtrics

MFA is only required during authentication; simply opening and closing apps does not trigger MFA.

You may be asked to re-authenticate with MFA when:

  • You sign into a new device or application
  • You delete saved passwords from your device (Win: Credential Manager, Mac: Keychain)
  • You clear your browser cache
  • You delete and recreate an email profile
  • You change your password
  • An admin changes your password
  • An admin enforces additional security policies

VPN MFA

Users of FortiClient VPN will be prompted each time they log in to the VPN, on or off campus.

  • On or off campus access to Fortinet VPN for Banner Admin Pages
  • Off campus access to Fortinet VPN for:
    • Mapping Network drives
    • Accessing Finance Smart Filter Reports
    • StFX Printers (off campus only)

Is it mandatory to use MFA?

Yes, eventually all StFX accounts will be required to use Multi-factor Authentication for Microsoft 365 and VPN, and additional services will be added in the future. MFA is a foundational cybersecurity practice in use for employees across industries and public sector institutions.

You likely already use MFA for other personal accounts without realizing it, for example:

  • Using your bank card + a PIN to withdraw money from a bank machine
  • Entering a password + a code sent to your phone to access an online account

What account verification methods are available?

Because we are rolling out MFA on 2 systems, the verification methods for each vary. We understand that some employees do not have mobile phones, so we are offering hardware tokens to those individuals upon request.

Microsoft 365 MFA

Microsoft or FortiToken Authenticator Apps

  • Authenticator applications are downloaded on your mobile device.
  • Authenticator applications do not require wifi or data.

Mobile Device SMS (Text Message)

  • A verification code is sent to your mobile device, which you enter into the system you are logging into
  • This option does require data or wifi

Mobile Device Phone Call

  • Phone call places an automated voice call to the phone number you provide. Answer the call and press the pound key (#) on the phone keypad to authenticate.
  • This option does require an active phone number (SIM)
  • StFX office phone numbers should not be used as they are not accessible off campus

Hardware Token

  • StFX employees without a mobile device will be provided with a physical keychain-style device that displays a verification code to validate your identity.
  • If you do not have a mobile device, a hardware token will be your method of verification.
  • Also an option when travelling without a mobile device.
  • Hardware token users are encouraged to set up a phone method as a backup whenever possible.

It is strongly recommended that you set up TWO methods of authentication for O365.

VPN MFA

FortiToken Authenticator App

  • The FortiToken Authenticator application is the only software-based authenticator option for VPN MFA. It can be downloaded on your mobile device.
  • Authenticator applications do not require wifi or data.

Hardware Token

  • StFX employees without a mobile device will be provided with a physical keychain-style device that displays a verification code to validate your identity.
  • If you do not have a mobile device, a hardware token will be your method of verification.
  • Also an option when travelling without a mobile device.

External emails are not a secure method for verification and therefore cannot be used as a method for MFA.

How do I choose what type of authentication method is right for me?

Having trouble deciding which authentication methods are right for you? Whether your cell phone is never more than an arm's reach away or you don't use one at all, whether you stay close to home or are a worldwide traveller, there are Multi-Factor solutions for you. Further details on the available authentication methods are explained in the knowledge base article below.

Multi-Factor Authentication Method Explanations

Can I use personal phones for MFA?

If a personal cell phone is something that you carry with you throughout your work day, you may find it more convenient to use it for MFA rather than having to add a hardware token to the items you always have on you.

What are the mobile device requirements?

To use MFA authenticator applications, ensure your mobile device is running iOS 11.0 or higher, Android 6.0 or higher, or Windows Phone 8 / 8.1, Windows 10 or Windows Universal Platform.

I already use an authenticator app; can I continue to use it?

Microsoft 365 MFA can be used with most authenticator applications. You can continue to use your preferred authenticator app, keeping in mind that IT Services will only support the recommended applications. If you are a VPN user, you will need to use the FortiToken Authenticator.

I login with the same device every day – do I still need MFA?

Yes. However, for Microsoft 365 MFA, devices can be remembered/trusted for 15 days, minimizing how often MFA verification is required on those devices. For VPN MFA you will need to use MFA every time you connect.

What happens if my mobile device is damaged, wiped or replaced?

Use your backup method if possible. If your backup also isn’t available, contact the IT Service Desk.

I'm going to be travelling; how will this work for me?

If you do not use data or you switch out your SIM card when travelling, setting up an authenticator application prior to travelling will allow you to authenticate without accessing your data or text messages. If you do not plan to take your mobile device, getting set up with a hardware token for use while away may be your preferred option.

Will my applications work with MFA?

The list of supported applications is growing; however, older versions of Microsoft Office and non-Microsoft applications for Microsoft 365, such as mail clients, are not MFA-compliant. Applications that are not supported will require a password.

I received a notification to approve a sign in when I wasn’t trying to log in to a service. What should I do?

Do not approve the sign-in. Someone might be trying to log in to your account as you. NOTE: If a service stops working for you after you deny the sign-in attempt, the attempt was likely yours.

You can review your Microsoft 365 sign-ins at any time in your account portal (https://myaccount.microsoft.com) - click ‘My sign-ins’ in the menu. These details can help you figure out if the device attempting to log in is yours.

Supported MFA Programs

More on App Passwords

Details

Article ID: 89253
Created: Mon 12/2/19 3:09 PM
Modified: Tue 7/6/21 11:06 PM