How to use MFA at CDU

Introduction

We want to make it as easy and secure as possible for students and staff to use IT Services at CDU. To do this, we are implementing MFA (Multi-Factor Authentication).

ITMS has a vision to move towards a seamless and more secure login experience. Getting there requires some changes along the way, and the first of those will be enabling Microsoft MFA.

Note: All student accounts will transition to MFA in stages throughout Semester 2 2021 (August-November 2021).

Setting up MFA

How to set up MFA with a mobile device - Video

INSTRUCTIONS

Note: The size and speed of the video are configurable using the play menu.

How to set up alternate or additional methods of Authentication

INSTRUCTIONS

Note: If you haven't added your picture you will see your initials in the top right corner.

Video


I have a mail client (iOS or Mac or other application) that does not support MFA. How can I connect it?

The preferred option is to use the Outlook app on these devices, which is MFA aware. You then need to remove your CDU email account and add it again.

For specific instructions on how to set up mail on your own device, see Connect your personal device to your CDU email account.

I have a personal Microsoft account, what should I do?

If you use a personal Microsoft account, you need to add your Student Microsoft account, so you can choose which one to use.

INSTRUCTIONS
Here is how to use it.
 
1.    Select your CDU student account if you have logged in before and go to step 3, otherwise select “Use another account”.

2.    If you selected “Use another account”, enter your student email address (e.g. S123456@students.cdu.edu.au).

3.    Enter your CDU password and click sign in.

That’s it, you are logged in to your account.

Background

Why is CDU implementing MFA?

CDU is obliged to manage a greater cybersecurity threat than ever before. Increasing the authentication factor options means that the greatest threat of password compromise is vastly diminished. But we know this can't just be about security. We need to seek the right balance between security and usability matched to an aspirational goal of a password-less future. We envision that one day it may be as simple as entering a PIN or using your face or fingerprint to authenticate to all your services.

What Authentication methods are available?

Methods available include:

  • Authenticator Application - Application on your smartphone where you get a prompt to either approve or deny the login, or a 6-digit PIN
    (NB: The Approve/Deny method is the default (and simplest) for students and new staff. Existing staff can change to this, but please be aware of how it interacts with the VPN.)
  • Mobile Phone - either an SMS message with a code you need to type in or a callback where you have to press the # key (Microsoft call this the pound key)
  • Office Phone - Your desk phone where you receive a callback and have to press the # key
  • Alternate phone - as above, but a different number, maybe your home number.
  • Security Key - A security fob key, such as a YubiKey
  • App Password - A special password that allows applications that can't handle MFA (such as an older email application) to connect. These need to be requested from ITMS. There is a limit of 40 App Passwords per person.

Which method is more secure?

Generally application authentication is seen as a more secure option due to the encryption of the application and challenge/response system, particularly for overseas travellers.

Which method is easier to use?

For general portal login, the application will be easier as it is a tap to approve and does not require a code to be entered. For VPN users there is still a code to be entered.

Who will be affected?

CDU staff will be affected and will be required to confirm their multi-factor preference once they log in on Monday morning. Staff can choose to remain with their SMS method or choose the new Microsoft Authenticator application, which is linked below.

CDU Students will soon be affected.

What can you do now?

You can install the Microsoft Authenticator from your app store (Apple or Android) so that once the change is made you will be ready to go ahead and register.

Use this QR Code to go directly to your phone's app store.

Or use these links: Android Play or Apple iStore for iPhone.

This will replace your current app when we change. We will provide more details in the coming days.

Come back here to check for updates!

 

Frequently Asked Questions

Do I have to install the Microsoft Multi-Factor Authenticator on my phone?

No, you do not have to install Microsoft Multi-Factor Authenticator on your phone. You can use the following options for authentication:

  • Use an existing (One Time Password) application such as Free OTP or Google Authenticator, but these still need to be used to register for MFA,
  • Receive a code via SMS,
  • Receive an automated voice call on your phone (mobile, landline or desktop),
  • Receive an email to a personal email account
  • Use a 3rd party USB hardware key (Yubikey)

Why does ITMS recommend the use of the Microsoft Authenticator application?

  • Simple one button press for approval. There is no need to type a code from your phone into your computer, simply press approve on your phone and you will be authenticated.
  • Troubleshooting and resolving MFA issues is easier for those using the preferred application.
  • Using code based or pass-through approval is the most secure method of MFA.

Microsoft's FAQ

What data is collected and what does the Microsoft Authenticator do on my phone?

  • It has no other function than enabling authentication.
  • It does not store or read data from your phone or otherwise report on, or provide 3rd party information about you or your phone to Microsoft or ITMS.
  • Unless you choose to receive SMS codes, Microsoft does not store your phone number. (If you choose SMS, the phone number is securely stored only for the purpose of sending security codes, it is not available to be reported or seen by ITMS or anyone else.)

How does MFA work with the Cisco AnyConnect VPN Client?

Once you have logged into the Cisco AnyConnect VPN client with your CDU username and password, you will be presented with the MFA verification. Unfortunately this only works with your "Default Sign-in Method" and not any secondary methods you may have added. The default can be changed by going to your Security Info and changing the verification method.

INSTRUCTIONS

1. Click the Change link

2. Choose another method you have previously set up.

3. Press the Confirm button

NOTE: Warning to VPN users who use Approve-Deny MFA method

If you use the "Approve-Deny" method of MFA with the AnyConnect VPN client, once you have entered your username and password and clicked "OK" there is no indication that an "Approve-Deny" message has been sent to your authentication device, and it might appear that the VPN has frozen.

This is not the case; it is waiting for you to "Approve" the connection on your authentication device. Once "Approved" on your device, the VPN will connect as normal.

I have left my mobile phone at home (or it's flat), how can I use MFA?

Ideally, when you set up your MFA you added your desk phone number or alternate phone number (such as home phone) as an alternate method.

However, if you didn't, you can contact ITMS, and we can add your desk phone or home phone on your behalf.

You then need to log in again and this time when the dialogue box pops up asking you to Enter a Code, select "Sign in another way".

Then select the phone that has the number ending in the last 2 digits of your extension.

Your desk phone will ring, and a voice will ask you to press the # key.

The dialogue box on your computer will then disappear, and you will be logged in.

This alternate method of using MFA can be used repeatedly.

If you are still having issues, please contact the ITMS Service Desk on (08) 8946 6600 during NT office hours.

How can I transfer my Microsoft Authenticator details to a new device?

You can transfer your CDU MFA details to a new device by following the instructions here.

Back up and recover account credentials using the Microsoft Authenticator app

Is Learnline Login affected?

Students who have MFA enabled will need to use it to access Learnline. Other than that, the Learnline portal will still provide the same login rules as before; however, the login window does look a little different.
CDU staff who access Learnline via the portal WILL have to set up their new MFA preference before it can be accessed.

More information about App Passwords

An App Password can be used if you have an application that is not MFA aware and there are no alternative apps that are MFA aware. App Passwords need to be requested from ITMS.

Here is further information regarding App Passwords:

  • There is a limit of 40 App Passwords per person.
  • App Passwords aren't automatically revoked when a user account password is revoked or reset. The user should delete existing App Passwords and create new ones.
  • It's recommended to create one App Password per device, rather than one App Password per application (e.g. have a Desktop App Password or a Laptop App Password). Then anything on a device shares the same App Password. If the device is lost, every app that uses that password can be revoked at the same time.

ITMS

Contact information

W: logit.cdu.edu.au

Location
IT Kiosk, Red 8, Casuarina campus
Office hours: 8am - 4pm, Mon - Fri (CST)

Telephone
08 8946 6600 (ext 6600)
Phone hours: 7:30am - 6pm (Mon - Thu), 7:30am - 5:30pm (Fri)
