Multi-Factor Authentication for Faculty and Staff

Multi-Factor Authentication

The use of multi-factor authentication (MFA) to log in to applications has been shown to be one of the most effective controls against account compromise. As a result, MFA has become the standard across industry sectors, including higher education, and specifically with our peer universities across Canada. Most members of the U15, an association of fifteen leading research universities across Canada, as well as other large universities around the world, have already implemented MFA for their faculty and staff.

As a continuation of our efforts to safeguard sensitive information and data within the University of Alberta community, the AVP Chief Information Officer and I, with the Provost and Vice-President (Academic) and VP University Services & Finance, have prioritized use of MFA within the university.

The best MFA experience is through a smartphone authenticator app. For our MFA system, the university selected the Duo Mobile MFA authenticator app, which has been approved and validated across industries, government agencies, and has passed our own reviews that hold U of A stakeholders’ privacy and security with the highest of importance. Duo Mobile MFA is safe, secure, with only one purpose: to interface with the university’s CCID authentication system, allowing a user to approve a notification on their device.

MFA is expanding to all University of Alberta faculty and staff in a phased rollout that started on December 2, 2022. Stay tuned to your inbox for instructions on how to set up MFA.

We’re looking forward to this added layer of protection for the university, which will only keep our accounts and data that much safer.

Gordie Mah
Chief Information Security Officer

FAQs

What is multi-factor authentication?

Multi-factor authentication (MFA) is the process of confirming a person’s identity using multiple factors to verify who they are when accessing systems. Typical factors for MFA include: something you know (like a username and password), something you have (like a passcode sent to your smartphone), and something you are (like a fingerprint scan). MFA requires at least two of the three factors. In the university’s deployment, after entering the CCID username and password, MFA is a second layer of security (or second factor) used to log into a service.

Who will be required to use MFA?

All faculty and staff CCIDs will be required to use MFA. MFA will not be required on secondary, department or student group CCIDs at this time.

Why has MFA been introduced?

As a member of the university community, you are entrusted to manage university information, which includes the personal, financial and academic information of students, faculty and staff. If your account is compromised, this sensitive information and data is at risk. Using MFA to log into applications has been shown to be one of the most effective controls against account compromise.

What applications does MFA apply to?

MFA will be required to log into university applications and systems that use the CCID for authentication. Some examples include the PeopleSoft (Campus Solutions, Finance and HCM), MyCCID and IAM (Identity and Access Management) systems, and Google Workspace apps (Gmail, Drive, Calendar, Docs, etc.). Future phases will include eClass and VPN.

Why do I have to use MFA to log in to my Google apps and how often will I need to do that?

Google Workspace apps are the most used tools at the University of Alberta. They store our data, require our credentials and are interacted with on a daily basis. Requiring MFA authentication to access Google apps will further reduce the risk of cybersecurity events within the U of A community. All MFA users will be required to complete MFA authentication at least once every 14 days, as that is the standard Google session length after a successful authentication.

What Google apps will require MFA authentication?

All Google apps will trigger the need to authenticate with MFA once per 14 days, which is Google’s security standard. That authentication will only need to happen once per device/browser that you use to access Google, no matter how many different apps you access. For a full list of Google Workspace apps, please see the list of available core apps.

I am being asked to authenticate more than once every 14 days when I log into Google Workspace apps. Why?

When logging in to Google Workspace apps, your “security token” is kept active for 14 days as per Google defaults. However, you may be asked to authenticate again in certain circumstances, including:  

  • If you log in via a different web browser or device. You will need to authenticate again as each browser/device keeps a separate token.    
  • If you use the top-right menu in Google to sign out of your account, your token will be cleared from the browser/device you were logged in on and you will need to authenticate again.
  • Your browser/device may be configured to clear its cache automatically when you close it, which may also clear your Google security tokens. This would force you to authenticate every time you open a Google Workspace app.

Is MFA mandatory?

Yes, all faculty and staff are required to use MFA in order to access core university applications. During the MFA enrolment process, faculty and staff have the option to enrol using their university or personal smartphone or with a fob device. Use of the Duo Mobile MFA app for authentication is highly recommended.

I am unable to install the Duo Mobile MFA app on a university or personal smartphone. How do I get a fob?

  • North Campus faculty and staff: Fobs are available for pickup from the textbook information desk on the lower level of the U of A Bookstore. You must show a university ONEcard or a government photo ID.
  • Enterprise Square faculty and staff: Please fill out the MFA Fob Request - Alternative Access form. Make sure to set your location as "Enterprise Square." You will be contacted for arrangements to pick up a fob.
  • Augustana faculty and staff: Fobs are available for pickup at the service desk on the main floor in Founders Hall.
  • Campus Saint-Jean faculty and staff: Please contact csjtech@ualberta.ca to arrange fob pickup at Campus Saint-Jean.
  • Not in the Edmonton area: Please fill out the MFA Fob Request - Alternative Access form and set your location as “Not in the Edmonton area.” You will be contacted to determine the best solution for your situation.

Note: Your fob may not be activated for up to two business days after you’ve picked it up. If you need to use a fob, please ensure you pick up your fob early within your 30 day enrollment window to ensure you don’t run into any situations where you can’t access the U of A apps you need to access.

Are there any privacy or security risks to my smartphone when using the Duo Mobile MFA app?

There are no privacy or security risks to your smartphone when using the Duo Mobile MFA app. It is not possible for the Duo Mobile MFA app to access or affect your device or data in any way, other than providing an access prompt notification when you try to log in to U of A applications. There is no location tracking or any other type of tracking or data collection and no risk to any device from the Duo Mobile MFA app. It has only one purpose: to interface with the university’s CCID authentication system and provide an access prompt to your device.

Duo Mobile MFA has numerous industry safety certifications, and has been validated and approved by agencies and organizations around the world including The General Data Protection Regulation (GDPR), which covers privacy laws for EU residents, and the National Institute of Standards and Technology (NIST) in the United States. Read more about Duo’s reliability and industry compliance.

What are the benefits of the Duo Mobile MFA app compared to the key fob authenticator device?

The Duo Mobile MFA app requires only a simple installation on a smartphone device. When you log in to a U of A application, a notification will pop up on your phone for you to approve, you will confirm you initiated the application request and access will occur.

With a key fob authenticator device, you first need to pick up the separate device. When you log in to a U of A application, you will need to refer to a unique code on your key fob and then type it in on the login page on your computer to gain entry to the application.

Use of the Duo Mobile MFA app is recommended. In addition to Duo Mobile being a better user experience, there is a high cost associated directly to the university with the purchase, administration and provisioning of the key fob devices themselves. In keeping with the goals of SET and the University of Alberta for Tomorrow initiative, we are always looking for smart and efficient ways to reduce university operating costs.

Why are we using an authenticator app or fob instead of an SMS/text authentication system, e.g., when I log into some websites?

The best security is what we want for our faculty and staff, data and documents. Authenticator apps such as Duo Mobile MFA are the most secure method as they are tied directly to a physical device and interface directly with the CCID authentication system. SMS MFA systems are less secure as increasingly, there are ways for cybercriminals to hack text messages including re-directs, text message phishing, forged authorization messages, or phone carrier data breaches.

In addition, MFA SMS/text messaging services carry a high cost compared to authenticator apps. So, in addition to authenticator apps providing a more effective and better experience, they are more cost effective for the university, which again is in keeping with the goals of SET and the University of Alberta for Tomorrow initiative.

Where can I find more information about Duo Mobile MFA?

For more information about the Duo Mobile MFA application, please read the Duo Mobile MFA FAQ.

I have a question. Where can I ask it?

If you have any questions about the MFA rollout, please submit it via the IT Service Portal inquiry form.

 

Updated November 14, 2023