Multi-factor authentication (MFA) – FAQ
This is also known as ‘Two-factor Authentication’ (2FA).
For some overview remarks, see the MFA overview.
What services use 2FA/MFA? §
At the moment this seems to be confined to Microsoft services (Email, OneDrive, Office 365). We suspect that extending it to other services (Core, Agresso, Helpdesk etc.) will happen slowly, if at all.
This is a general authentication method, and outside the university there are many other online services (for example Github and HMRC) which optionally use the same technology.
But I don't use Outlook for my mail! (or: how do I set up Thunderbird/Mail/etc...?) §
What will typically happen is that, from time to time (on a roughly fortnightly timescale), your mail client will open a web page and ask you for your username, password and the six-digit code from the token. If your client is old or odd, then this could be a problem.
You will need to use a client that supports ‘OAuth2’.
If you use a fairly recent/mainstream email client, then it should be able to manage this. Depending on the client, it might be as simple as finding an ‘OAuth2’ box in the IMAP and SMTP configurations for a particular email account, and ticking it. If you use an unusual or old email client, this is the step where things might go wrong.
We have some rather random notes on particular email clients. Updates are welcome:
- Outlook: nothing can possibly go wrong.
- Thunderbird (at least v78): you need to go to the account settings for your Glasgow email account, and select ‘OAuth2’ in the ‘Authentication’ options for both IMAP and SMTP.
- Mac Mail: if your GU account is set to being an ‘Exchange’ account in the ‘Internet Accounts’ System Preference (which is probably the best option), then this should be automatic.
Note that each of the above clients is listed as ‘supported’ by Central IT, so the campus helpdesk should be able to give advice if necessary.
Remember that you can always use webmail as a temporary workaround.
What is the ‘best’ method to use? §
The most common method for authenticating is to use an app on a smartphone.
You might first consider using the Microsoft Authenticator app. As you might expect, it integrates most closely with Microsoft Office 365 accounts: you just approve the sign-in in the app and it magically works, with no six-digit codes required. Links to download the app for Android and iOS can be found at
https://www.microsoft.com/en-us/security/mobile-authenticator-app
Note that there's no reason why you can't have multiple authenticator apps installed (well known alternatives include Authy and Google Authenticator; look at your phone's App Store for inspiration), but equally well, there's no need to have more than one.
In theory any auth app that supports TOTP algorithms should work. Setup guides:
Option 2 is to use SMS text messages sent to your phone. This is in theory less secure, but might have the benefit of familiarity, and is how many websites (e.g. your bank) implement 2FA. You can set this up by visiting https://mysignins.microsoft.com/security-info and adding your phone number(s) to the methods supported. It is probably a good idea to do this anyway to ensure you have a backup option. In particular, the Microsoft authenticator is usually reliable, but very occasionally will glitch and refuse to talk to the servers.
Option 3 is to have a separate physical token, and carry this about. See below.
Do I have to use the authenticator app every time I check my email? §
No. IT Services have (currently) configured their systems so that you will have to use the app at least once a fortnight, but your access will remain as before, between those checks.
I'm being asked for my password twice, and I'm sure I got it correct! §
This is quite a common quirk of the system. Yes it's annoying. No, we don't know how to fix it.
And yes, often OneDrive asks for authentication, and then Outlook does as well, with both needing two entries of the password. Usually when you're in a hurry.
When is the best time to set it up? §
Certainly not just before a deadline, or on a Friday afternoon! Note that the current choices in the Helpdesk opt-in form are ‘Now’, ‘On Tuesday at 09:00’, ‘On Wednesday at 09:00’, ‘On Thursday at 09:00’.
Our experience is that it's a little fiddly to set up the very first time, but works reliably after that.
What happens if I lose/break my phone? §
Ideally, you have another device (phone, tablet etc.) that either has a backup phone number to receive texts, or another installation of the authenticator app (and you have set this up previously at https://mysignins.microsoft.com/security-info). If you do not, and you cannot log in, then you should contact the helpdesk. Note that, in common with all the other non-Microsoft University web services, logging in to the helpdesk only requires your password.
How do I back up my authenticator app data? §
- Microsoft authenticator: You can do this with this page ‘Back up and recover account credentials using the Microsoft Authenticator app’. Note that for this you need a personal Microsoft account (and also an iCloud account for iOS devices). Whether this is compatible with University security guidelines is unclear.
- Authy: Can be backed up - see the description at ‘Prevent Account Lockouts When You Lose Your Phone’
- Google Authenticator: cannot be backed up (although accounts can be transferred from old to new phones).
Do I still have to change my password every year? §
Sadly, yes. As mentioned, none of the non-Microsoft services currently use 2FA, so a strong password is still required.
I don't have a smartphone, and cannot receive text messages. §
There are physical tokens available which generate verification codes to allow 2FA logins. These are quite expensive, and IT Services are reluctant to hand them out without a good reason. See below for the process to request one.
Note that a TOTP authenticator app on your phone does not need a network connection or a phone signal to work: the app mixes a pre-shared secret with the current time to produce the six-digit code, which is valid for 30s around the current time, so the system works as long as your phone knows roughly the correct time.
Getting a physical MFA token §
Information Security have covered this well; however, there is an additional MFA method that may be available under specific circumstances.
If you require a dedicated physical token for multi-factor authentication, IT Services require each individual to raise the service request themselves, because the device is tied to that single person.
To raise a request, log in to the UofG Helpdesk and select the 'Service Catalog' menu item from the left.
Once loaded, enter 'mfa' into the search field, which will return two options: 'Multi-factor Authentication Opt-in' and 'Multi-factor authentication help'. Raise a ticket under the help option.
Note: Opting in will result in your account becoming potentially inaccessible if you can't associate an MFA authenticator with your account. This may be why you are reading these notes!
In the new service request, select the category "General multi-factor authentication question".
You should then advise:
- That you are looking for a physical MFA token
- Justification for requesting the token:
  - Lack of compatible device for the authenticator app?
  - Little or no phone signal for SMS authentication option?
  - Other?
Once submitted, IT Services will be in contact to continue the process (it is reportedly a rather protracted process).
Can I use my YubiKey (or other FIDO2 security key) for this? §
Neither P&A IT nor Campus IT formally support this mechanism, but for information...
It is also possible to use a YubiKey (or other security key that supports FIDO2). You will need one or more keys, and then request that the helpdesk enable YubiKey/FIDO2 devices. You can then enrol the keys to your GU Microsoft account.
For more detail see Notes on setting up YubiKeys.
It is also possible to use these for other online accounts - e.g. Gmail, Facebook, Instagram, Twitter and so on. Yubico has a list of these. (Annoyingly, most banks do not support these, at least for consumer accounts).
As it happens, the same company also distributes a Yubico Authenticator app, which works broadly like any other TOTP app.
What's happening behind the scenes? §
(You don't have to care about this to use the system, but just in case...)
The point of ‘MFA’ is to provide two ways of proving who you are, when you log on.
The 'multi' in the 'multi-factor authentication' is 'something you know plus something you have'. You know your login password, but other people might know it, too (they're not supposed to, of course), and the 'something you have' is a physical, unique, token. That token may be an issued thing, which you therefore have to carry around with you (on a key-ring?): the login process asks you ‘what is the number showing on the front of the token?’. Alternatively, 'the token' can be a mobile phone, which has an app on it which can produce the six-digit code. This is generally less hassle, in the sense that you probably make a point of carrying the phone around with you anyway. Thus enrolling your phone to do double-duty as 'the token' is intended to be a convenience.
There's the usual surfeit of information on Wikipedia, about MFA and TOTP (no, not Top Of The Pops).