MFA: Multi Factor Authentication FAQ

FAQ

General

• What is multi-factor authentication (MFA)?
• Who needs to set up MFA?
• Can I register for more than one option?
• How is the information I register protected?
• What services are protected by MFA?
• Why am I being asked to download an app or provide my phone number?
• Is this really necessary, are other Universities doing this?

Using MFA

• How does MFA affect me while traveling?
• How does MFA change the login experience?
• How often will I be prompted for MFA?
• What does Stay signed in? option do?
• Why is my browser not remembering my login?

Mobile Devices and MFA

• Why can't I use SMS or a phone call as my MFA method?
• Do I need to use my cellular data or wifi connection for MFA?
• I got a new phone and need to transfer my MFA. What can I do?
• My mobile device was lost or stolen. What can I do?
• I don't have, or don't want to use, my mobile device for MFA. What can I do?

General

What is multi-factor authentication (MFA)?

By setting up multi-factor authentication (MFA), you add an extra layer of security to your sign-ins. Multi-factor refers to using two or more items to verify your identity when you sign in, typically:

• something you know (i.e., your UFV email and password) and
• something you have (e.g., a 6-digit time-based code or notification on your phone).

This creates a layered defense, preventing unauthorized access from your UFV account even if your password is compromised.

Who needs to set up MFA?

MFA is mandatory for all current UFV students and employees.

Can I register for more than one option?

Yes! We recommend having at least two options registered so that you have a backup in case your other method is inaccessible. For example, you can have both the authenticator app (on your phone) and a physical security key.

How is the information I register protected?

If you choose to register an email address or download an authenticator app, they are only used to confirm your identity; either before resetting your password, or as an additional trust mechanism when required.

We understand concerns about privacy, and MFA is designed to enhance privacy and security. Most of the UFV community will have already used MFA when interacting with other universities, banking institutions, healthcare, or other personal services. Similar to these other institutions, UFV community members will enroll in the methods that they decide will be used to validate their identity. This information remains protected and secure in our Canadian tenant.
 

What services are protected by MFA?

MFA protects sign-ins to most services accessed through a browser when you sign in using your UFV email address. Examples include Outlook/M365, Blackboard (myClass), and the Self-Service Links within myUFV. If you see this UFV-branded login screen, your login may be protected by MFA:

Why am I being asked to download an app?

As UFV moves to the cloud, for all its substantial benefits, we want to keep your information safe. The largest threat we face is password compromise, usually by hacking of third-party services, phishing, or weak passwords. Credential theft is easy and occurs frequently. By registering for MFA using an app, it can be used instead of, or in addition to, a password. We recommend using the Microsoft Authenticator app, but you can also set up another app of your choosing (e.g. Google Auth, Duo). Since the adoption of MFA in 2021, it has already blocked many fraudulent attempts to access UFV accounts.

By registering for MFA, you also unlock self-service password reset. Self-service password reset (SSPR) allows you to easily unlock your account and change your password. Regardless of if the password was forgotten, or must be reset due to a suspected compromise; you can unlock your account, change your password, and get access restored: anytime, anywhere.

If you do not have a mobile device to download the app or do not wish to use your mobile device, please refer to the article on FIDO 2 security keys.

Is this really necessary, are other Universities doing this?

Reports from higher education institutions within BC, and across Canada, show that MFA is becoming universally adopted. Outside higher education, the banking system and financial institutions have completely adopted this to protect their customers' savings and investments. Health systems in Canada are also starting to adopt this for patient privacy, as the United States has already done.

MFA has already successfully stopped fraudulent attempts to access UFV accounts.
 

Using MFA

How does MFA affect me while traveling?

If you plan to be traveling, especially overseas, you may encounter MFA when logging into UFV services in order to verify that it's really you. We recommend setting up the Authenticator App option as it does not require a Canadian phone number or data plan, and works without wifi connection. If you are going to be without your phone, ensure you have a different access method (such as a security key or temporary access pass). If you have concerns about your access while traveling, please contact the IT Service Desk.

How does MFA change the login experience?

When you sign in to a UFV service, you will use your email address and password as usual. Depending on the type of login, you may be asked to pass the MFA prompt by using the method(s) you chose to register - this could mean retrieving a 6-digit code, approving a notification on your phone, or using a security key.

How often will I be prompted for MFA?

You should be prompted for MFA no more than once a day. MFA can be triggered if your login comes from off-campus, or if there is something unusual about the sign-in (e.g., a new location or a new device).

What does the 'Stay signed in?' option do?

This option will keep your login session open for a longer period (up to 14 days), even when you close your browser. Next time you would be required to log in, you don't need to enter your password or pass MFA again. Only use this option on a personal device; never on a shared device.

Why is my browser not remembering my login?

The following are some common reasons as to why a browser may fail to remember your MFA login, even when you select 'Stay signed in':

• Your browsing history and/or cookies have been cleared;
• You have enabled the browser to clear cookies and site data when closed;
• You are using incognito mode or private mode on your browser;
• You are using a different browser or device than the ones you previously authenticated to remember your MFA sign-in

Mobile Devices and MFA

Why can't I use SMS or a phone call as my MFA method?

To ensure a higher level of security, UFV does not to offer SMS text messages and phone calls as a second factor. If you cannot or do not wish to install an app, you can instead use a security key.

Since MFA was implemented at UFV, attackers have been able to develop new methods to take advantage of SMS and phone call verification. Techniques like SIM swapping or interception can give attackers access to your SMS messages, including the MFA codes. Additionally, SMS and phone calls are more prone to the risks of social engineering - both the customer (you) and the provider (your phone's customer support lines) can be targeted by social engineering scams and convinced to give the attacker access to your phone channels. Authenticator apps and security keys are harder to phish and much more immune to these vulnerabilities. You can read more information about the limits of SMS authentication with a real-world example.
 

Do I need to use my cellular data or wifi connection for MFA?

No, we recommend using the Authenticator App offered by Microsoft. While you do need an Internet connection to set up the app, you do not need the Internet or a cellular data plan to use the codes generated by the app. Additionally, you can use a security key which does not require a cell phone. For more information, please refer to the article on security keys.

I got a new phone and need to transfer my MFA. What can I do?

If you turned on Cloud Backup on your old device, you can use your old backup to recover your account credentials on your new iOS or Android device. For more info, see the Backup and Recover account credentials with Authenticator article (from Microsoft). If you do not have access to your old device or did not set up Cloud Backup, please contact the IT Service Desk to have your MFA methods reset.

My mobile device was lost, stolen, or broken. What can I do?

Please contact the IT Service Desk immediately. We will generate a temporary access pass so that you can regain access to your account. We will also remove the stolen/lost device from your account, and help you set up a new MFA method.

I don't have, or don't want to use, my mobile device for MFA. What can I do?

We offer security keys free of charge, or you can bring your own; they are similar to a USB thumb drive and you do not need a separate device to use the security key. For more information, please refer to the article on security keys.
 

I have other questions

We would like to have anyone who has remaining concerns reach out to the Cybersecurity team. We are proceeding with this rollout knowing there are going to be questions, and we will endeavour to answer each one. In doing so we will be transparent about why this is necessary, and how this will improve security and privacy for our community. Open a ticket with the Service Desk, or email our team at cybersecurity@ufv.ca.