Multi-factor Authentication (MFA) at Okanagan College
Starting in May, Okanagan College will begin rolling out Multi-factor Authentication (MFA) to all faculty, staff, and students for Microsoft 365 and OC applications.
Currently, OC M365 accounts only require a username and password to gain access to applications. When the password is compromised, anyone using that username and password will have access to all the applications and data the rightful user is entitled to have.
What this will mean is that when OC end users access the Microsoft 365 suite of products through their OC credentials, individuals will be required to set up multi-factor authentication to confirm they are who they say they are.
This will include applications such as the following:
-
Microsoft Outlook
-
Microsoft 365 applications: Word, Excel, PowerPoint, OneDrive, and other OC authorized applications from the Microsoft portal
-
Microsoft Teams, SharePoint
For more information on the implementation timeline, please click here.
Implementation timeline
Phase 0: Proof of Concept
February and March
-
Through February and March IT Services has implemented infrastructure changes as well as testing of our accounts.
Phase 1: High-Risk Users Roll-out
April
-
Phased approach of applying MFA to certain user groups (“high-risk” users) for Microsoft 365 services.
Phase 2: Remaining Administrative Staff
June - December
-
Remaining administrative staff will be using MFA for Microsoft 365 services.
Phase 3: Faculty & Instructors
January - March 31, 2023
-
Faculty and Instructors will be using MFA for Microsoft 365 services.
Phase 4: OC Student Accounts
January - TBD 2023
-
All OC students will be using MFA for Microsoft 365 services.
Phase 5: OC Applications
TBD
-
MFA will be required when accessing any and all OC applications.
For more information on the implementation timeline, review the MFA Project Milestones document.
Commonly asked questions
MFA is a technology designed to enhance the security of the identity validation process.
Your identity information is your user name, which is validated by your password (first factor of authentication).
Okanagan College will be requiring an additional factor by way of an application on your mobile device or a hardware token.
There are three factors that can be considered when multi-factor authentication is involved, and two of the three items must be able to be verified. The three things are as follows
- Something you know (like a password)
- Something you have (like a mobile device, or a hardware token)
- Something you are (like your facial pattern, or your fingerprint)
In order to have a successful MFA login two (or in some cases all three) factors must be use to verify your identity.
- Currently, only your password is used to verify that it’s you are logging in with your OC computing ID.
- With MFA, you’ll enter your password as you currently do, and then will be asked to verify your identity with the authenticator app on your mobile device, or enter a time-based code from a hardware token.
- Even if an attacker obtains your password, they won’t be able to complete the login process without the time-based code. This is how MFA acts as an additional layer of defense to protect against unauthorized access to your data.
“Multi-factor” refers to using two or more independent items to verify your identity, typically:
- Some you know (i.e. your OC username and password), and
- Something you have (i.e. a time-based password from your mobile device/hardware token).
This creates a layered defense, preventing further unauthorized access from your OC account if your password is compromised.
You can set-up MFA using one of two methods below:
- The Microsoft Authenticator mobile app
- Generate a digital code using a token
Implementing MFA is rated as the number one activity an organization can do to improve their IT security posture. OC has been impacted by compromised accounts.
MFA has many benefits including enhancing OC’s security. By requiring users to identify themselves by more than just a username and password, we are significantly reducing the risk of malicious attacks and cyber identify theft.
MFA reduces the risk of a security breach and sensitive data stays protected. It also ensures security for personal, institutional, and research data. The reality is that with any organization including OC, employees do fall for phishing scams and do share passwords. If OC does not roll out MFA, we are left vulnerable to attacks and one of the biggest security threats today is the risk of compromised credentials.
MFA will be rolled out college-wide to active faculty, staff, and students starting mid-May. You will receive an email notice to your OC email account with detailed instructions a few days before your account will be affected.
Once MFA has been applied to your account, you will be prompted to set up MFA to access Microsoft 365 applications and related systems.
You may need to MFA more often under certain circumstances, such as connecting from public wi-fi, travel, unusual locations or IP addresses, new devices, accessing new services, or other detected risk factors.
In those cases you will be asked to provide your MFA verification code to verify your identity before granting access, to keep your account safe.
Opt in now to set up MFA
First, select the device you are planning to use for MFA. OC recommends installing and using the Microsoft Authenticator mobile app, as it provides both online push notifications and offline authentication code options for sign-in, which is useful if you are travelling abroad without data. If you do not have a smartphone, you must use a hardware token.
The Microsoft Authenticator takes up very little space on your phone, cannot control your device, and you can choose to use the app without using your data plan.
Next, for the best experience, you will need the following equipment for your MFA set up:
- The device you are planning to use for MFA (i.e. your mobile device or hardware token), and
- A laptop/desktop to assist with the enrollment.
- Refer to the applicable user guide below (Mobile Device or Hardware Token).
Mobile Device
- It’s more convenient
- Estimated 5-minute setup experience to complete the enrollment.
- No additional devices to carry with you; most individuals already keep their mobile devices close by.
- Authenticator mobile app benefits:
- Lightweight app (i.e., approximately equivalent to the size of a photo)
- No personal info collected/tracked
- No internet/data connection needed to function
- Free of charge to use
- Well-known and reputable vendor
- Other mobile app options available; many free apps are available on the app store that supports OC's MFA.
- MFA code can only be accessed by authorized individual of the mobile device
- If lost or stolen, your mobile device may have biometric or other protections (e.g., your phone's passcode lock) that further protect your MFA codes from unauthorized access.
Hardware Token
- It’s less convenient
- Need to obtain a physical token by purchasing or submitting a request to begin the enrollment process.
- An additional device to carry with you; can be easily misplaced due to the small size.
- Non-serviceable, non-rechargeable battery with limited life span.
- No display backlighting: may be more difficult for some individuals to see codes.
- More prone to "invalid code" errors; hardware tokens run on their own built-in timing devices to generate codes that may fall out of synchronization with OC’s MFA servers. If this occurs, you will need to contact the IT Service Desk for a reset.
- MFA code is displayed on the token and no authorization is needed to access the code
- If lost or stolen, a hardware token has no further protections in place to prevent unauthorized access to your MFA codes.
- You would need to immediately report a lost/stolen hardware token to the IT Service Desk to request its deactivation.