Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a way of confirming your identity with something you have, typically a phone. After entering your username and password, as usual, you can tap on a notification in a mobile app or receive a six-digit code via phone call or SMS text message. ICT Services are currently working on making the experience as smooth as possible. You may well know that this approach is being taken by other organisations such as banks and other commercial companies.
“The data we all work with every day is incredibly valuable and much of it is entrusted to us by our students, staff and partners and we have to do all we can to protect it… These extra security measures will help protect this data appropriately from the increasing threat from attacks that are actively targeting the HE sector phishing for information from our staff and students as well as other attempts to compromise our accounts.”
-Professor Mary Stuart, Vice-Chancellor
What is MFA?
MFA is a security system that requires more than one method of authentication from independent categories of credentials to verify your identity when signing in to certain services.
https://www.youtube.com/watch?v=uWbkLuI4g30
Why has this been introduced?
As part of a programme of ongoing security improvements, strengthening authentication has been identified as critical.
Will I have to use a second verification method every time I sign in?
No. When you get a pop-up asking for your second factor, there is a tick box you can select to have it remember the sign-in for 30 days. This is only recommended if you trust the device and will be using it again. The setting applies only to the application you are in, so you may find that you have to do this for a couple of sign-ins on your device (MS Office, your browser and Skype, for example), but after that you should not have to verify your sign-in on that device until the next month.
What if I asked for a device to be trusted for 30 days but I have lost it or don’t trust it anymore for any reason?
Go to https://lncn.ac/mfaconfig and scroll down to near the bottom where it says ‘restore multi-factor authentication on previously trusted devices’ and click on the ‘Restore’ button.
What other changes have been introduced?
The Password Policy has also been amended. Please visit the portal for further clarification on the new requirements.
What is the best way to set up MFA initially when I am asked?
Do it on a computer rather than on your phone.
In Step 1, for ‘How should we contact you?’ choose ‘Mobile app’, and for ‘How do you want to use the mobile app?’ choose ‘Receive Notifications for Verification’.
Follow the instructions on the screen to install the Microsoft Authenticator App on your phone and add your University account to the App.
How to get the Mobile App
Once downloaded, configure the app so that it can be linked to your University Account.
- Swipe through the introduction screens.
- Select the “Add Account” button.
- Choose “Work or school account”.
- Scan the QR Code which appears on your computer screen after selecting the Mobile App option, or enter the code manually.
- Follow the instructions which appear to finish configuring the App for MFA.
In Step 2 you verify that you receive the notification successfully and in Step 3 you are asked to add a phone number. Adding some additional options such as your mobile number and desk phone (if you have a direct line) is really helpful in case you are ever unable to receive a verification notification through the app. Put in your mobile number in Step 3. Once this is complete, go to https://lncn.ac/mfaconfig and sign in. On this screen, you can add or remove MFA methods and select which one you will use by default.
How do I change my MFA settings?
Go to https://lncn.ac/mfaconfig and sign in. On this screen, you can add or remove MFA methods and select which one you will use by default.
Can I opt-out of setting up MFA?
No, all staff are required to have their accounts protected with MFA.
Will I need to verify my identity with MFA every time I sign in?
No, you have the option to tick a box that says “don’t ask me again for 30 days” when you sign in, so that the next time you sign in on this device, MFA won’t be required.
What if I do not have my mobile at hand and this is the only method of authentication I have set up?
What do I do if I get a new mobile?
Go to https://lncn.ac/mfaconfig. On this screen, you can change your MFA options, including changing a phone number and setting up the Authenticator App to receive notifications (the option for second-factor verification).
What do I do if I cannot get into my account?
Contact ICT support via the usual channels.
How many options should I set up for MFA?
The recommendation is at least 2, so if you forget your mobile phone, for example, you have another method set up.
I have already set up my security questions using the password reset tool, sspr.lincoln.ac.uk. Why do I have to do this as well?
The password reset tool allows you to verify your identity and recover access to your account in case you forget your password. The contact information, such as a phone number, is shared across both services.
What should I do if I receive a verification request such as an SMS or phone call but I was not trying to sign in?
If a call asking for verification ever comes in to a University landline phone number and you are not expecting it, do not verify it! If this happens more than once, please report it to the ICT Service Desk.