uog logo
School of Physics and Astronomy – computing
phas it logo

Contents

MFA changes (2023 February 16)

Later this month, Central IT will be adding to the oneline services that require MFA. So (a), don't be surprised when that happens, but (b) this makes it very important to observe good practice when using ‘generic login’ computers.

Information on a service change, and MFA §

Later on this month (from about the 20th) IT Services will be starting to turn on MFA-based access to more services. That list of services will eventually include at least MyCampus, CoreHR and VPN. From then, you'll need your MFA token, as well as your password, to get access to these services, just as you are now used to doing for access to email.

This is a security improvement. It makes it harder for someone who has breached an account to get access to student records (major data breach, GDPR, etc) or your private information.

An advantage for you is that this should also decrease the number of times you have to log in to services, since if you are logged in to Azure Single Sign-on (for that's the name of what we're talking about here) on one service such as Teams, then you are also logged in to your account on other connected services such as CoreHR.

You do not have to take any action here, but do not be surprised when you see a change in the process of connecting to these services, later in February.

A warning about a wrinkle §

The warning is that this change increases the down-side of carelessly using a shared computer login. So you might need to be aware of that.

If you use a shared login on a computer, and log in to an MFA-protected service, then the login token will be valid for around 30 days, giving anyone else who uses that shared login access to services, such as CoreHR, as you.

In various contexts – perhaps in research labs, in some teaching labs or lecture theatres, or in some admin contexts – it's occasionally convenient for several people to share a login+password on a machine. On such a machine, we generally recommend against doing anything which requires a login. That includes things like checking your gmail account, for example; it now also includes using an MFA token.

If you do need to log in to such a service from such a machine, then

This is fundamentally the same risk as (for example) using browser mail on such a machine, but with a bigger down-side, and potentially putting other people's data (eg, contained in MyCampus) at risk.

Even if you never use such a shared login...

...The same applies if you are borrowing a browser window on someone else's machine, perhaps to quickly check your email, or to check details on a student. In such a case, make sure to use private browsing, and be sure to positively log out afterwards (again, this is good general advice, and I repeat it only to stress the changed down-side)

Notes and clarifications §

Note 1: to be clear, we're not talking here about your login to your personal desktop machine – remaining conveniently logged in to Azure is useful for that, by design. This is just for a shared account+password on a machine, or another occasionally used machine.

Note 2: we can put in place some technical mitigations, on some machines, so that they default to using private browsing, but this won't work for all examples here, and technical mitigations will only go so far.

Norman, for P&A IT