How to use MFA at CDU

Introduction

We want to make it as easy and secure for staff to use IT Services at CDU. To do this we are evolving from our existing authentication 2FA (Two-Factor Authentication) to MFA (Multi-Factor Authentication).

ITMS have a vision to move towards a seamless and more secure login experience. In doing so however, there are a few things we need to do along the way. To do this we need to make some changes and the first of those will be enabling Microsoft MFA.

Tip: Set up an additional methods of Authentication, such as your desk phone, in case you forget or lose your mobile.

Note: MFA only applies to Staff and NOT Students

Open all | Close all

Setting up MFA

How to set up MFA with a mobile device - Video

INSTRUCTIONS

Note: The size and speed of the video are configurable using the play menu.

How to set up alternate or additional methods of Authentication

INSTRUCTIONS

Note: If you haven't added your picture you will see your initials in the top right corner.

Video


I have a mail client (iOS or Mac or other application) that does not support MFA. How can I connect it?

The preference is to use the Outlook App on these devices which is MFA aware, and then you need to remove and add your CDU email account again.

For specific instructions on how to setup mail on your own device, see Connect your personal device to your CDU email account.

Background

Why is CDU swapping from 2FA to MFA?

CDU is obliged to manage a greater cybersecurity threat than ever before. Increasing the authentication factor options, means that the greatest threat of password compromise is vastly diminished. But we know this can't just about security. We need to seek the right balance between security and usability matched to an aspirational goal of a password-less future. ​We envision that one day it may be as simple as entering a pin or using your face or fingerprint to authenticate to all your services.

What Authentication methods are available?

Methods available include;

  • Authenticator Application - Application on your smartphone where you get a prompt to either approve or deny the login or a 6 digit Pin
    (NB The Approve/Deny will not be immediately available as default, but will be coming soon, and you will need to rely on the Pin at least initially.)
  • Mobile Phone - either an SMS message with a code you need to type in or a callback where you have to press the # key (Microsoft call this the pound key)
  • Office Phone - Your desk phone where you receive a callback and have to press the # key
  • Alternate phone - as above, but a different number, maybe your home number.
  • Security Key - A security fob key, such as a YubiKey
  • App Password - A special password to allow applications, that can't handle MFA, to connect with. (Such as an older email application, these need to be requested from ITMS) There is a limit of 40 App Passwords per person.

Which method is more secure?

Generally application authentication is seen as a more secure option due to the encryption of the application and challenge/response system, particularly for overseas travellers.

Which method is easier to use?

For general portal login, the application will be easier as it is a tap to approve and does not require a code to be entered. For VPN users there is still a code to be entered.

Who will be affected?

CDU Staff will be affected and will be required to confirm their multi-factor preference once they log-in on Monday morning, Staff can choose to remain with their SMS method or choose the new Microsoft Authenticator application which is linked below.

CDU Students are NOT affected. (Students will see a cosmetic change to the appearance of the login window.

What can you do now?

You can install the Microsoft authenticator from your app store (Apple or Android) so that once the change is made you will be ready to go ahead and register.

Use this QR Code to go directly to your phone's app store.

or use these links Android Play or Apple iStore for iPhone

This will replace your current app when we change. We will provide more details in the coming days.

Come back here to check for updates!

 

Frequently Asked Questions

Do I have to install the Microsoft Multi-Factor Authenticator on my phone?

No you do not have to install Microsoft Multi-Factor Authenticator on your phone, you can use the following options for authentication:

  • Use an existing (One Time Password) application such as Free OTP or Google Authenticator, but these still need to be used to register for MFA,
  • Receive a code via SMS,
  • Receive an automated voice call on your phone (mobile, landline or desktop),
  • Receive an email to a personal email account
  • Use a 3rd party USB hardware key (Yubikey)

Why does ITMS recommend the use of the Microsoft Authenticator application?

  • Simple one button press for approval. There is no need to type a code from your phone into your computer, simply press approve on your phone and you will be authenticated.
  • Trouble shooting and resolving MFA issues are easier to resolve for those using the preferred application.
  • Using code based or pass-through approval is the most secure method of MFA.

Microsofts FAQ

What data is collected and what does the Microsoft Authenticator do on my phone?

  • It has no other function than enabling authentication.
  • It does not store or read data from your phone or otherwise report on, or provide 3rd party information about you or your phone to Microsoft or ITMS.
  • Unless you choose to receive SMS codes, Microsoft does not store your phone number. (If you choose SMS, the phone number is securely stored only for the purpose of sending security codes, it is not available to be reported or seen by ITMS or anyone else.)

How does MFA work with the Cisco AnyConnect VPN Client?

Once you have logged into the Cisco AnyConncect VPN client with your CDU username and password. You will be presented with the MFA verification. Unfortunately this only works with your "Default Sign-in Method" and not any secondary methods you may have added. The default can be changed by going to you Security Info and changing the verification method.

INSTRUCTIONS

1. Click the Change link

2. Choose another method you have previously setup.

3. Press the Confirm button

I have left my mobile phone at home (or it's flat), how can I use MFA?

Ideally when you set up your MFA you added your desk phone number as an alternate method.

However, if you didn't you can contact ITMS, and we can add your desk phone on your behalf.

You then need to login again and this time when the dialogue box pops up asking you to Enter Code select "Sign in another way".

Then select the phone that has the number ending in the last 2 digits of your extension.

Your desk phone will ring and a voice will ask you to press the # key.

The dialogue box on your computer will then disappear, and you will be logged in.

This will be a permanent alternate method of using MFA.

Is Learnline Login affected?

For students there will be no additional login steps required, the Learnline portal will still provide the same login rules as before, however the login windows does look a little different.
For CDU Staff who access Learnline via the portal, they WILL have to set up their new MFA preference before it can be accessed.

More information about App Passwords

An App Password needs to be requested from ITMS

Here is further information regarding App Passwords

  • There is a limit of 40 App Passwords per person
  • App passwords aren't automatically revoked when a user account password is revoked / reset. The user should delete existing app passwords and create new ones.
  • It's recommended to create one App Password per device, rather than one app password per application.  (EG Have a Desktop App Password or a Laptop App Password) Then anything on a device shares the same App Password. If the device is lost then any app that uses the same password can be revoked at the same time.

Quick Quiz

ITMS

Contact information

W: logit.cdu.edu.au

Location
IT Kiosk, Red 8, Casuarina campus
Office hours: 8am - 4pm, Mon- Fri (CST)

Telephone
08 8946 6600 (ext 6600)
Phone hours: 7:30am - 6pm (Mon - Thu)
7.30am - 5.30pm (Fri)

News

ADAPT Technologies


The ADAPT technologies make it easier to access your work across a variety of devices.

Find out more about how ITMS are making the transition to ADAPT.

Related links