Title: MFA Frequently Asked Questions (FAQs)
Audience: Staff and Students
Applies to: Multi-Factor Authentication
Category: Account and Security Information
Prerequisites: MFA Access
Problem: N/A
Description / Summary: Answers to some frequently asked questions surrounding MFA
Will CNC see the data on my phone if I use the Authenticator App?
-------> No.
Really - this is Jason Clark, come ask me in person, it's definitely no.
What is Multi-Factor Authentication (MFA)?
MFA is a technology designed to enhance the security of the identity verification process.
Your identity information is your user name, which is traditionally verified by your password (single factor of authentication).
There are three potential factors that can be used for multi-factor authentication:
- Something you know (like a password)
- Something you have (like a mobile device, or a hardware token)
- Something you are (like your facial pattern, or your fingerprint)
To complete a successful MFA login, two (or in some cases all three) factors must be used to verify your identity.
CNC requires a second factor of the type "something you have", specifically an application on your mobile device or a hardware token.
Why has CNC enabled MFA?
CNC has enabled MFA to enhance the level of security and integrity of its digital computer systems.
This technology is essential to help reduce fraud and computer-based attacks against CNC computer systems.
Do other Universities use MFA to authenticate staff, faculty & students?
Yes, MFA is being used by various institutions and schools to better protect their data and accounts.
Am I required to use MFA?
Yes, this security feature is required for all staff, faculty, students, and alumni. If you do not register by the deadline, you will lose access to email and any other systems protected by MFA. If that happens, please contact the IT Service Desk for assistance.
What applications/systems will require MFA?
The full list of applications/systems protected by MFA is large and continually growing.
The major apps/systems which require MFA include all Microsoft 365 services (your CNC email, Microsoft Teams, etc.), Moodle, Zoom, LinkedIn Learning, and TeamDynamix.
How often will I be prompted for MFA during sign-in?
The frequency of MFA prompts will vary based on the application/system, and may change over time. It is expected to be approximately once a month for most systems, though some higher-value/risk systems may require more frequent (weekly or daily) MFA verification.
You will also be prompted for MFA anytime that Microsoft detects a possible risk to your account security during the sign-in process. If you are being prompted for MFA on every single sign-in, please contact ITS so that we can review your account and resolve the detected risk.
If you receive an unexpected MFA prompt in the Microsoft Authenticator application (it happens randomly, not during a sign-in event), DO NOT APPROVE IT! It is very likely indicative of someone else attempting to access your account. Decline the prompt, and rest secure in the knowledge that MFA did its job to keep your account (and CNC systems) secure.
Is it OK to use a personal device to register as a verification option for my CNC account?
Yes, it is OK to use your personal mobile device to register as a verification option for your CNC account.
Can CNC wipe my device if I use it as a verification option for my CNC account?
No, CNC cannot perform a remote device wipe if you use the Microsoft Authenticator App as your MFA verification application. CNC will not gain any access to the contents of, or control over, your mobile device.
How long does it take to enroll/register a device for MFA?
Only a few minutes!
Will ITS be supplying Mobile Devices?
No, ITS is not in the position to supply mobile devices. ITS is able to provide MFA Hardware Tokens to employees. See the answer below.
I don't want to use (or don't have) a Mobile Device. What can I do?
Employees can request an MFA Hardware Token by submitting the MFA Hardware Token Request Form: https://cnc.teamdynamix.com/TDClient/56/Portal/Requests/ServiceDet?ID=2681
Does MFA work with EduRoam?
CNC ITS needs to engage the partners that we work with to provide the EduRoam service before any changes will be made to the existing configuration.
Does MFA work with *nix?
Yes, MFA works with *nix.
MFA prompts will happen at the time of application access, for example Outlook on the Web. As long as your browser or application is up-to-date and supports modern sessions/modern authentication, you will be able to use MFA.
Does MFA work with Apple (mac)?
Yes, MFA will work with Apple products using the following Apple operating systems: iOS, macOS, and iPadOS.
MFA prompts will happen at the time of application access, for example email on the web. As long as your browser or application is up-to-date and supports modern sessions/modern authentication, you will be able to use MFA.
Why is SMS not an option for verification?
At the recommendation of the IT Security Office, CNC's MFA solution will not allow SMS as a verification method.
There are conditions under which threat actors can receive one-time SMS codes on your behalf, without your knowledge.
Industry best practice and guidance encourages the use of mobile device applications as the best possible solution for MFA verification.
Will MFA work out of cell coverage (e.g. while on a plane)?
MFA is used to verify your identity when signing into applications. If you have Wi-Fi on your flight, you may be prompted for an MFA sign-in; at that time you would need to use your mobile device or hardware token to verify your identity. The push authentication prompt in Microsoft Authenticator will not appear when the device is in airplane mode, but the six-digit code for your account (generated in the app every 60 seconds) can be used instead.
Can I use Google Authenticator (or other apps) to verify my identity?
Google Authenticator (and other non-Microsoft authenticator apps) can be used to verify your identity. You will be able to register that application during the MFA registration process. When using an authenticator app other than Microsoft Authenticator, you will lose the benefit of push authentication prompts, and will instead need to manually enter the six-digit code from the authenticator app when prompted for MFA verification.
CNC ITS is not able to provide support for the use of authentication apps other than Microsoft Authenticator.
What is a Hardware Token?
A hardware token is a small device that can fit on your key chain or key ring, which generates a new 6-digit PIN every 60 seconds.
CNC has found and tested DeepNet Security's SafeID hardware tokens. They have been found to be robust and economically efficient.
Above is an example of the hardware token that you will receive. Its overall dimensions are 44mm x 19mm x 6.5mm. It has a button on the back of the token to display the PIN.
Can I have more than one Hardware Token?
No. Only one hardware token can be associated with an account at a time.
What if I lose/forget my Hardware Token?
If you forgot your token (e.g. you left it at home and you're at work), you can contact the Service Desk. You will be asked some identity verification questions, after which your account will be temporarily set to bypass the MFA requirement during login. This bypass will last for eight (8) hours.
If you lost your token, inform ITS immediately so that it can be decoupled from your account and we can issue you a new token. If the token is later found, please return it to ITS, as it can be safely re-used on a different account.
What information can CNC see if I register a personal mobile device?
CNC ITS will be able to see the following information:
- Device Model
- Device Manufacturer
- Operating System and version
- Device Owner
- Device Name
- Device Serial Number
- IMEI
CNC ITS will NOT be able to see the following information:
- Calling and web browsing history
- Email and text messages
- Contacts
- Calendar
- Passwords
- Pictures, including what is in the photos app or camera roll
- Files
What recommendations does ITS have for device use?
ITS recommends the Microsoft Authenticator app; it is available for all major mobile devices, it is convenient, and allows for quick one-touch verification.
Example of Authenticating with the Microsoft Authenticator App
- You log in to your email account on your computer
- You may get a prompt for “Approve sign in Request”
- Your mobile device will show a notification: “Approve sign in”
- Tap the Approve option on the mobile device notification
- The email application on your computer will complete the login process, and you can continue using your email.