Introduction to MFA

What is MFA?

Multi-factor authentication (MFA) strengthens access security by adding an extra layer of protection on top of your username and password.

MFA requests that you provide at least two pieces of evidence at login to verify that you really are who you say you are:

  1. Something you know: a password, PIN or passphrase.

  2. Something you have: a physical device you have with you when you're logging in, for example a mobile device or hardware token.

You may have experience of using this type of protection for your personal online accounts, for example when you have to enter a code sent to you by your bank.

This means anyone trying to hack into your University account would need to have both your password and mobile phone to gain access. This relatively simple change has been put in place at other universities and has effectively eliminated account compromises arising from stolen passwords (for example phishing and password reuse on hacked external websites).

Why do we need it?

Our University IT accounts were previously only protected by passwords (something you know). As part of the Cyber Security Programme, we now require users to also demonstrate something they have. This security control effectively limits the exploitation of lost/stolen/shared passwords and has revolutionised online account security.

The use of MFA applications is commonplace when accessing sensitive systems (for example your own bank account), is mandated in the majority of industries processing sensitive data (for example finance, public sector, research and development) and is increasingly common for individuals protecting themselves (for example personal email and social media).

A rapid shift to remote working has further increased the likelihood and impact of cyber attacks. Leveraging the fear, uncertainty and urgency that surrounds the current COVID-19 pandemic, cyber criminals are crafting very believable phishing campaigns, often targeting valuable university systems and data.

How does it work?

We've made the MFA process as simple as possible, whilst still providing excellent security for your University account.

About our provider

We've partnered with Duo, who offer a best-of-breed multi-factor solution. Watch Duo's video explaining how MFA works.

The ease of using MFA has increased significantly in the last 3 years, with the majority of interactions taking place using mobile phone apps.

For the best possible user experience and minimal overheads, we recommend use of the Duo mobile app by default, with a hardware token offered (to staff and postgraduate researchers only) as an alternative where required (e.g. cleanrooms, accessibility requirements, personal concerns about use of a personal device).

How do I get started?

MFA is now mandatory for all staff and student University IT accounts. Any member of the University can sign up for MFA.

New staff and students joining the University are automatically enrolled in MFA and will be prompted to register a device within 24 hours of the activation of their IT account.