MFA FAQ

Summary

Frequently asked questions about Multi-Factor Authentication.

Body

OVERVIEW

This article contains frequently asked questions about Multi-Factor Authentication. 

 

DETAILS

GENERAL FAQ

Who needs to set up MFA?

MFA enrollment is required for all faculty, staff and students.

  • All faculty and staff at SFU are required to enroll in MFA. If you are a new employee (including TAs and RAs), enroll in MFA as soon as possible to maintain your access to SFU online services.
  • All new students are required to enroll in MFA by the third week of your first term. We recommend you visit the student guide and enroll early to maintain your access to SFU online services.
  • Existing students (pre-2022) will be required to enroll in MFA at a future date. We recommend you visit the student guide and enroll early to maintain your access to SFU online services.
  • All sponsored accounts are required to enroll in MFA within three weeks after account activation. Accounts enrolled in Delegated Account Management (DAM) will be MFA-locked upon enrollment in DAM. We recommend enrolling early to maintain your access to SFU online services. Sponsored account users should visit the sponsored account MFA page for details.
I have a sponsored account. What do I need to do to enroll in MFA?

We are aware that sponsored accounts are currently used to meet a variety of business needs.

To help you determine next steps for your sponsored account, please refer to sponsored account MFA page for detailed instructions on enrolling in MFA.

I don’t have, or I am unable to use a mobile device for MFA. What can I use instead?

If you do not have a mobile device or do not wish to use one for MFA, using a hardware token would be an alternative. A hardware token is a small device that displays the 6-digit code for logging into MFA. Please visit the Set up MFA page for more information.

Note: Hardware tokens should not be used for backup purposes. There are dedicated emergency login codes that serves as a backup if your mobile device is left at home, lost, or runs out of battery.

Which SFU applications are protected by MFA?

Currently, MFA at SFU is implemented for web applications that use SFU's Central Authentication Service (CAS) for authentication. You will be prompted for your MFA code when you sign into most web applications and/or services at SFU, including:

CAS-PROTECTED WEB APPLICATIONS

OTHER SERVICES (NON-BROWSER)

Note: Future services at SFU will require you to be enrolled in MFA. More details will be announced with the new services.

HOW WILL MFA CHANGE THE WAY I SIGN INTO SFU SYSTEMS?

With MFA, you will start by signing into SFU applications with your SFU Computing ID and password as you currently do. Next, you will be asked to type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).

  • There is also the option of “remembering” your MFA sign-in for 7 days.
  • Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.
Can I enroll both a hardware token and mobile device?
No. Currently, our system does not support multiple MFA devices.
Will my MFA experience differ when I am travelling?
Your MFA experience should not differ in any way when you are travelling. You will continue to be prompted every day, or every 7 days, depending on whether you have set MFA to remember you.

 

Using MFA FAQ

What are the differences between MFA codes and Emergency Login Codes?

There are 2 types of codes you would encounter when using MFA:

MFA code
  • A 6-digit code that refreshes every 30 seconds on your mobile device or hardware token.
  • MFA codes are used for daily logins.
Emergency Login Codes
  • A set of 8-digit codes that are generated during your MFA setup and can be located in the SFU MFA Management App.
  • Emergency logins codes are only used when you do not have access to your usual MFA codes (e.g., forgot/lost/broke your mobile device or hardware token).
How do I start using my MFA login? How do I retireve my MFA login codes?

To log in with MFA, you’ll enter your username and password as you currently do, and then type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).

  • There is also the option of “remembering” your MFA sign-in for 7 days.
  • Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.
How often will I be prompted for MFA?

By default, you will be prompted for your MFA code every time you log into a CAS-protected SFU web application.

If you do not want to be prompted for MFA every time you log in, you may select the “Remember me on this browser for 7 days” checkbox just below the MFA code field.

  • Upon successful sign-in, you will not be prompted for a MFA code for seven days on those browsers and devices/computers where you authenticated to “remember” your MFA sign-in.  
  • This functionality allows each authenticated device/browser combination to maintain and "remember" your MFA authorization for 7 days. 

Please note that you will be prompted for MFA if you perform any of the following actions:

  • Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
  • Clear your browsing history and/or cookies,
  • Enable the browser to "clear cookies and site data when you close all windows", 
  • Log in under “incognito mode” or “private mode” on your browser, or
  • Log in using the same device and browser after seven days since your last MFA sign-in.

Note: To view and/or remove the browsers you’ve allowed to “remember” your MFA login, please visit the SFU MFA Management App.

What does the “Remember me on this browser for 7 days” checkbox do?

If you do not want to be prompted for MFA every time you log in to a web application, you may check this checkbox to have your browser remembered for 7 days. To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App

Please note that you will be prompted for MFA if you perform any of the following actions:

  • Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
  • Clear your browsing history and/or cookies,
  • Enable the browser to "clear cookies and site data when you close all windows", 
  • Log in under “incognito mode” or “private mode” on your browser, or
  • Log in using the same device and browser after seven days since your last MFA sign-in.
Why was "7 days" chosen as the time period for the browser to remember me?

"7 days" was chosen as the time period to remember a browser authentication because it's an option that balances between security and convenience.

The most secure option would be to authenticate every login, which is the default settings if the "Remember me on this browser for 7 days" checkbox is not selected. The more convenient option would be to authenticate every 30 days, where some institutions have chosen this option. However, this option would bring convenience at the cost of security.

This time period is also frequent enough so that it could be easily incorporated into a regular routine (e.g., Tuesday is my MFA day).

Why does my 6-digit MFA code change every 30 seconds?
TOTP (Time-Based One-time Passcode) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.
How do I securely store my emergency login codes?

Keep your emergency login codes safe by following these important tips:

  • Store your emergency login codes in a safe, accessible place nearby you, such as your wallet.
  • Do not store your emergency login codes on CAS-protected services such as your SFU Mail account, as you won't be able to access them if you don't have your phone or hardware token.
  • Never share your emergency login codes with anyone.
  • You can generate new emergency login codes at any time by going to the SFU MFA Management App.
What if my mobile device/hardware token is left at home, is lost, or runs out of battery?

In the case where you don't have your phone or hardware token with you, you can use one of your emergency login codes for access to your SFU account. 

  • Where to locate your emergency login codes: When you first set up multi-factor authentication, you will be given a list of one-time emergency login codes. Ensure to print/write them down and store them in a safe, accessible place, such as your wallet.
  • If you have already gone through the MFA setup process and missed the opportunity to print/write down the list of emergency login codes for safekeeping, be sure to sign into the SFU MFA Management App to retrieve or generate new emergency login codes before you come across a scenario of not having your mobile device/hardware token with you.

 

MOBILE DEVICE FAQ

Do I need to have cellular service or data coverage to use the MFA Applications?

No. Aside from the initial app download, TOTP MFA applications do not require any internet connection, cell service, or data coverage to display the MFA codes.

Note: TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

Will my personal information be collected through MFA and/or the MFA app?

No. SFU’s MFA service is built and hosted at SFU and does not collect personal information. In addition, the recommended mobile app, LastPass Authenticator, does not collect personal information.

How it works: When you scan the QR code with your mobile app as part of the initial MFA setup, the app is obtaining a secret key from SFU’s MFA servers from which your MFA login codes will be generated. 

  • From that point onward, there is no MFA-related communication made from your mobile app. Your mobile app only relies on your mobile device’s time and the secret key for the MFA login code generation every 30 seconds. 
  • This is also why the app does not require cellular service nor an internet connection to function.

Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

Why is LastPass Authenticator recommended?

We recommend LastPass Authenticator because:

  1. It's free to use,
  2. It does not collect personal information (only requests file permissions for storing your MFA locally, and camera permissions for scanning QR code),
  3. It does not require an internet connection to function (aside from the initial app download), and
  4. It's reputable and well-known MFA mobile app.

Note: SFU recommends LastPass Authenticator because of the user benefits described above, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

I already have an app that does MFA, can I use that?

Applications that support the TOTP protocol will work for MFA at SFU. If you already have a MFA application that you are using for other services, you may continue to use that application for MFA at SFU as well.

Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

*TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

Can use a tablet or other mobile device that is not a smartphone for MFA?

Any "smart device", such as iPad or Android tablet, can be used to run an MFA application.

Note: MFA applications do not require any cell service or data coverage to work, but you will need internet access when you first download the application onto your device.

I've recently acquired a new mobile device. What do I need to do?
To change the mobile device you use for MFA, please follow the instructions outlined on the Change MFA device page.

 

HARDWARE TOKEN FAQ

how do I obtain a hardware token?

Please select one of the two options below:

  • For students, alumni, retirees and sponsored accounts who are unable to or cannot use a mobile device for MFA, hardware tokens are available for purchase at the SFU Bookstore either in-store or online.
  • For staff and faculty accounts, please visit Request a Hardware Token.
Can hardware tokens be mailed outside of Canada?
Yes, hardware tokens are sent via Canada Post Lettermail™. Please note that due to COVID-19 restrictions, there may be additional delays to international shipping.
Can I have someone else to pickup the hardware token on my behalf?

If you are purchasing a hardware token from the SFU Bookstore, yes. Hardware tokens are tied to a specific user upon purchase.

If you are a staff or faculty requesting a hardware token, please contact IT Service Desk if token pickups are available when submitting a request.

Can I get a new hardware token if I lose mine?

To replace a lost hardware token, see the two options below:

  • For students, alumni, retirees and sponsored accounts, a new hardware tokens will need to be purchase at the SFU Bookstore either in-store or online.
  • For staff and faculty accounts, please visit Request a Hardware Token.

Note: If you have lost your hardware token, use your MFA emergency codes to log into your account while obtaining a replacement hardware token or switch to mobile.

Can I use my personal hardware token (OTP token device) instead of requesting one?
No, since the hardware tokens are pre-programmed to your SFU account before giving it to you, using your own or personal hardware tokens will not be compatible with our systems.
How long will the battery last on my token?
The battery life of hardware tokens are expected to last at least around 4 to 5 years.

 

TROUBLESHOOTING FAQ

Why is my browser not remembering my MFA login for 7 days?

By checking off the "Remember me on this browser for 7 days" checkbox at the login page, you can set your browser on a specific device to remember your MFA login for 7 days. 

The following are some common reasons as to why a browser may fail to remember your MFA login for 7 days:

  • Clear your browsing history and/or cookies,
  • Enable the browser to "clear cookies and site data when you close all windows", 
  • Log in under “incognito mode” or “private mode” on your browser,
  • Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in, or
  • Log in using the same device and browser after seven days since your last MFA sign-in.

To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App.

If your browser still doesn't remember your MFA login for 7 days, your browser may have outdated MFA cookies. Follow these steps to remove existing MFA cookies:

  1. Visit the SFU MFA Management App and select "Trusted Browsers" tab,
  2. Remove all your trusted browsers by clicking on the Trash Bin,
  3. Clear your browsing history and/or cookies.

 

Details

Details

Article ID: 3985
Created
Fri 7/8/22 6:36 PM
Modified
Tue 8/27/24 4:12 PM

Related Services / Offerings

Related Services / Offerings (1)

SFU’s Multi-Factor Authentication (MFA) refers to using two or more independent items to verify your identity, typically something you know (i.e., your SFU computing ID and password) and something you have (i.e., a time-based code).