Security breaches due to compromised credentials have unfortunately become a regular occurrence. With an increasing number of passwords to remember, people are prone to re-use the same passwords for many accounts or to use passwords with easy-to-use and easy-to-access information (date of birth, names of family members or pets, etc.). When other non-University services (social networks, websites, etc.) have breaches, these in turn can lead to your credentials being compromised and used to access confidential or restricted University information.
Multi-Factor Authentication (MFA) is an additional service in the authentication process. It validates the identity of the user accessing online systems and applications. MFA works on these principles: what the user knows (their password), what the user has (their smartphone or a physical device that generates one-time passwords), what the user is (e.g., their fingerprint or iris).
MFA is very easy and convenient as you are using your smartphone, which most of us carry it everywhere. And you don’t need to have your work email on your phone since MFA only uses it to get your approval via the app. Your data plan will also not be affected by any text messages or data transferred.
Step 3: Enrol into MFA with the mobile app
To complete this step, you will need your desktop/laptop and your mobile device.
Important note before you start
You must use the scanner in the Microsoft Authenticator application to scan the QR code (step 4). Using your camera or other applications will result in a migration error.
MFA Self-enrolment steps
- On your desktop/laptop, open a new window or browser and visit https://aka.ms/mfasetup. Enter your uoAccess credentials and click Login.
- On the More information required screen click Next.
- The Additional security verification screen will appear. For the subsequent questions, select the following options:
- How should we contact you? In the drop-down menu select Mobile App.
- How do you want to use the mobile app? Click the Receive notifications for verification option.
- Click Set up.
- The Configure mobile app screen will appear. Complete the following steps:
- Ensure the Microsoft Authenticator is installed on your Windows Phone, Android or iOS.
- Open Microsoft Authenticator on your mobile device.
- Tap Add account (or the + button). Select Work or school account.
- Scan the QR code displayed on your browser with your mobile device camera. If you do not want to use the camera on your device, enter the numerical code and follow the link provided on the screen.
- Click Next.
- The Additional security verification screen will appear. Microsoft will check the activation status. Once verified, the message Mobile App has been configured for notifications and verification codes will appear. Click Next.
- The Additional security verification screen will appear. Under Let’s make sure we can reach you on your Mobile App Device, follow the prompt, Please respond to the notification on your device. On your Mobile App click Approve.
- The profile on your smartphone will display your account.
- University of Ottawa (This is your MFA account)
8. These are your preferred MFA settings. No further action is required. The process is complete.
Step 3: Enrol into MFA with a hardware token: alternative
If you don't have a compatible smartphone or tablet, you can purchase a physical token from our Kivuto provider.
This token can be picked up on campus (by appointment), shipped in canada or internationally.
Once you enrol, you will be required to authenticate using MFA when connecting to all MFA-enabled systems (e.g.: BrightSpace, uoCampus, Microsoft 365), MFA will be activated within 24 hours.
- On the login page, enter your uoAccess username and password. Your uoAccess ID is the short name before your @uOttawa.ca email address (e.g., jsmit000).
- Click on Login.
- Follow the instructions.
Recommended: Enroll a secondary device into MFA
You can add up to 3 devices (smartphones or tablets) to your account.
- On your desktop/laptop, visit the MFA portal.
- Enter your uoAccess credentials and click Login.
- You will receive a push notification on your phone. Tap on it and select Approve to complete your login in the MFA portal.
- Select Activate Mobile App on the left menu.
- On your secondary device, open the Microsoft Authenticator App, tap Add Account or the + button, and scan the QR code with your device camera that appears in the MFA portal.
Note: If you use multiple devices to MFA, all your devices will receive a push notification when a login approval is required. The first device to approve the authentication will authorize the log in.
Step 4: Authentication on a mobile device
- When accessing a uOttawa MFA-enabled system a Microsoft prompt will appear, enter your @uOttawa email address.
- On the uOttawa login screen, enter your uoAccess credentials.
- On your internet browser, you will see a MFA sign-in request for your account loading. On your MFA-enableddevice, You will receive a sign-in verification request notification. In the Authenticator mobile App click Approve.
Step 4: Authentication with a hardware token
- When accessing a uOttawa MFA-enabled system a Microsoft prompt will appear, enter your @uOttawa email address.
- On the uOttawa login screen, enter your uAccess credentials.
- You will be prompted to input a token number. Enter the six digits displayed on your hardware token. Click Verify.
- Microsoft Authenticator app is not compatible with the mobile device error message: Use the hardware token.
- No push notification is sent via the mobile app: Make sure push notifications are enabled on the mobile device. Close the mobile app and try again.
- The token-generated six-digit code does not work: The code is valid for 30 seconds only. Wait for a new code to be generated and login again. If after several attempts with different codes the authentication is not successful, remove the device and re-add it on the MFA portal.
- Error received in mobile app when adding a secondary device. You cannot add a secondary device directly from the mobile app. To do so, go to the MFA portal and follow the steps to add a secondary device.
- MFA issues when signing into Office 365 on mobile devices
iOS 11 or higher is required for iPhone devices so that email works with Mail or Outlook. If the system keeps prompting for a password, delete the account from Passwords & Accounts and reconfigure it using the automatic setup (Sign In) function instead of the Manually Configure option. The ADFS window for MFA will now appear when signing in.
Android users will need to use Outlook and the setup is straight forward. The system prompts only for email and password information.
MFA Opt-In FAQ
If I do not access VPN, do I need MFA?
If you do not connect to VPN, this change does not apply to you. However, the academic/research community will be required to use MFA without exception starting in the fall, so we recommend you enrol today to provide your accounts and resources with added security now.
This change applies to you if you connect to the University’s VPN service.
Will the University provide a mobile device to authenticate via MFA?
The University will not provide you with a mobile device (phone) to use for MFA. However, if you do not have any mobile device, an alternative is available (see next question).
If I do not have a mobile phone capable of MFA, what are my options?
If you don’t own a compatible device for MFA you may request a physical token by submitting a Service Desk request. A physical token is a small device that generates and displays a passcode for users to authenticate on MFA. When you submit a request for a token, it will be configured for you and you will be contacted to arrange procurement. Tokens can be either picked up at 110 Séraphin-Marion on the uOttawa campus at a scheduled time or shipped Canada-wide (shipping times subject to courier).
Does MFA affect retired staff?
No, retired staff cannot access VPN and therefore are not required to enrol in MFA.
If I have no cellular or Internet connection, will I be able to access uOttawa resources via MFA?
Yes, on the Microsoft Authenticator mobile app, a 6-digit code can be generated without a cellular or internet connection. If you do not have Wi-Fi or cellular access, you can open the app, tap on “University of Ottawa” and enter the code the authenticate.
When authenticating on MFA to login on VPN, you will need to wait 60 seconds before you are prompted to enter a code.
Does MFA only affect VPN or does it also affect web applications (e.g. BrightSpace, uoCampus, Teams/Email, etc.?)
Once you enrol, you will be required to authenticate using MFA the next time you login to VPN. For all MFA-enabled web applications (e.g.: BrightSpace, uoCampus, Microsoft 365), MFA will be activated within 24 hours.
Does MFA work on Linux?
Yes. MFA uses the Microsoft Authenticator mobile app on your iOS or Android device or a physical token to authenticate. You can proceed to use VPN or login to web applications with MFA without issue on Linux.
How do I know if I’m already enrolled for MFA?
To confirm you’re enrolled, please visit the MFA Portal. If you are not enrolled, the system will ask you to enrol your mobile device.
Is there a difference between authenticating through a notification versus a verification code?
No, there is no difference. The option is based on your preference. A notification will appear on your mobile device in real-time when you are required to authenticate on MFA. If you use a verification code, you will have to open the mobile app and enter the code from the app every time you login to VPN or an MFA-enabled system. Based on the feedback we have received, using notification mechanism is the fastest and most convenient way to use MFA.
Can I use other methods for MFA (e.g. MFA via email, SMS, etc.)?
No, for security reasons true MFA (also called 2-factor authentication) requires a minimum of two of the following:
- Something you know (e.g.: your password)
- Something you have (e.g.: your mobile app or token)
- Something you are (e.g.: fingerprint, face, eye, or another biometric scan)
Other means like email or even phone/SMS are inherently insecure and not sufficient for MFA.
Does the University capture information about my mobile phone or track me?
No. Your privacy is of the utmost importance to us. The mobile app does not track your location, nor does it provide the University with any personal information about you or your device.
What if I lose / break / do not have access to or change my mobile device, will I still be able to access University systems?
We strongly recommend enrolling more than one device if you can. The MFA portal allows up to five devices to be enrolled. This ensures you always have a backup. If you encounter issues, please open a Service Desk request.
If I only use a desktop computer and not a mobile device, is MFA still required?
In order to access VPN from any device, including a desktop or laptop computer, MFA will be required. If you never connect to VPN, you do not require MFA at this time.
However, MFA will become mandatory for access to other MFA-enabled systems (e.g.: BrightSpace, uoCampus, Microsoft 365) in the fall of 2020 for academic/research community, so we recommend you enrol today to provide your accounts and resources with added security now!
Can I install Microsoft Authenticator app on my desktop or laptop?
No, the Authenticator app can only be installed on iOS and Android mobile devices (phones and/or tablets).
You are working off-campus and need to use the VPN client. Open your laptop, click on Connect in the Cisco AnyConnect VPN login box, and enter your account and password. A new step gets introduced: a yellow warning symbol appears in the VPN client and a notification is sent to your phone asking you to verify your identity. Click Approve and you will see the usual Welcome to the University of Ottawa pop-up message. You can then proceed with your normal activities.