Multi-Factor Authentication - Sponsored Accounts

OVERVIEW

This article is designed to provide you with a guide to enrol a sponsored account into MFA. For more information about the service, please visit the full website for MFA or see our collection of FAQs.

SPONSORED ACCOUNTS REQUIRED TO ENROLL IN MULTI-FACTOR AUTHENTICATION

All sponsored accounts are required to enroll in MFA by March 31, 2022. We recommend enrolling early to maintain your access to SFU online services. How your sponsored account is enrolled in MFA depends on how the account is used. Please choose one of the two options below.

 

1. I am the only person using this account

This sponsored account is used by one individual (a personal sponsored account), where the password and access to the account would never be shared with or transferred to others.

Some examples include sponsored accounts assigned to temporary staff or contractors. Usually, the name and Computing ID of personal sponsored accounts are created based on the first name and last name of the individual (for example, “Rudyard Kipling”, kipling@sfu.ca).

If you are the only person using the account, you may enroll it in MFA now. See "How to Enroll into MFA" for details.

How to enroll into MFA?

Personal sponsored accounts can be self-enrolled in MFA just like a faculty/staff account. Visit Set Up MFA to get started.

 

2. Multiple people use this account

This sponsored account is shared between multiple users (a role/departmental sponsored account), where it is possible that the password or access to the account is shared with other individuals.

Some examples include departmental roles, clubs/associations, and test accounts. Usually, the name and/or Computing ID are created based on the role or title and not an individual (for example, “IT Services”, itsinfo@sfu.ca).

If this account is shared between multiple people, you need to transition to using delegate logins. This allows multiple people to log into a sponsored account using their own SFU account credentials. See "How to Enroll into MFA" for details.

How to enroll into MFA?

If you are the account sponsor of the sponsored account, you will need to complete the following steps:

  1. Enable delegate access on your sponsored account using Delegate Account Management.
  2. Add delegates or managers to the sponsored account.
  3. Inform the users of the sponsored account that they should use delegate login to access it.
  4. IT Services will enroll your sponsored account in MFA on your behalf. The sponsored account's MFA codes aren't required when using delegate login.

If you are a current user of the sponsored account, you will need to take the following steps:

  1. Inform the account sponsor to take the actions listed above.
  2. Provide your computing ID to the account sponsor to add you as a delegate to the sponsored account. You will receive an email once you're added.
  3. Log into the sponsored account using delegate login with your SFU account when you wish to access the sponsored account for your day-to-day tasks.

Note: If you don't know the account sponsor of your sponsored account, see the sponsored account FAQ below.

 

Enrolling Unique Cases of Role/Departmental Sponsored Accounts

We are aware that sponsored accounts are used to meet a variety of business needs. Here are some examples of unique cases of using role/departmental sponsored accounts and how to implement MFA in your workflows:

What should I do if my sponsored account is used by non-SFU users (i.e., vendors, contractors, or non-SFU volunteers)?

If the account is given to a single user outside of SFU:

  1. The account can be treated as a personal sponsored account and can be self-enrolled in MFA. The primary user should visit Set Up MFA to get started.

If the account is shared among multiple users outside of SFU, every non-SFU user accessing SFU services should have their own sponsored account. The account sponsor will need to take the following steps:

  1. Request additional sponsored accounts for every non-SFU user. Visit Sponsored Computing ID for details on requesting sponsored accounts.
  2. After every non-SFU user has their own sponsored account, inform the users that they can self-enroll their sponsored accounts in MFA. The primary user should visit Set Up MFA to get started on their sponsored accounts.
  3. (Optional) If the shared sponsored account is used for centralizing data or file ownership, the sponsor may enable delegate access on this account using Delegate Account Management and add the non-SFU users as delegates with their new sponsored accounts.

If the account is shared among a mix of SFU users and non-SFU users, every non-SFU user accessing SFU services should have their own sponsored account. The account sponsor will need to take the following steps:

  1. Request additional sponsored accounts for every non-SFU user. Visit Sponsored Computing ID for details on requesting sponsored accounts.
  2. After every non-SFU user has their own sponsored account, inform the users that they can self-enroll their sponsored accounts in MFA. The primary user should visit Set Up MFA to get started on their sponsored accounts.
  3. (Optional) If the shared sponsored account is used for centralizing data or file ownership, the sponsor may enable delegate access on this account using Delegate Account Management and add the non-SFU users as delegates with their new sponsored accounts.

What should I do if my sponsored account is used by short-term users (i.e., visitors, guests, or short-term faculty)?

As part of SFU’s ongoing effort to improve the security of all online services, you may need to change your business workflows. Please take a look below if any of the following apply:

If your sponsored account is used to provide Wi-Fi access:

  • SFU's wireless network provides a guest Wi-Fi network that does not require an SFU account. We encourage you to phase out the use of a shared sponsored account to provide Wi-Fi services to your visitors or guests.
  • Alternatively, those who are members of higher ed or research communities may be able to access the eduroam Wi-Fi network.

If your sponsored account is used to provide library resources:

  • Guidelines and policies outlined by SFU Library services must be followed. Members of the general public may access most of the Library’s online resources using SFU Library computer labs, and open access resources can be accessed off-campus. A small number of databases are further restricted to current SFU students, faculty and staff only. We encourage you to phase out the use of a shared sponsored account to provide unrestricted library services to your visitors or guests.
  • For more information, visit guest access, guest logins or public computer policy at SFU Library.

If your sponsored account uses other SFU services (i.e., Zoom, Canvas, etc.), you may need to continue using sponsored accounts:

  • Every non-SFU user accessing SFU services should have their own sponsored account. You may need to request additional sponsored accounts for every non-SFU user. Visit Sponsored Computing ID for details on requesting sponsored accounts.
  • Additionally, we recommend enrolling these sponsored accounts into MFA with a hardware token to facilitate a 'physical transfer' of MFA for onboarding/offboarding short-term users. Hardware tokens for sponsored accounts can be purchased at this SFU Bookstore product page.

What should I do if my sponsored account is a service account where no one logs into the account?

As long as your service account does not require CAS authentication to your services, you don't need to take action. IT Services will enroll the sponsored account in MFA on your behalf if you choose not to enroll in MFA. Enrolling the service account into MFA does not impact existing logins and the usual login methods outside of CAS.

You can access the service account using delegate login on web-based CAS-protected services without needing the service account's MFA codes once IT Services enrolls on your behalf.

What should I do if my sponsored account is a lightweight account?

All lightweight accounts will need to be enrolled into MFA in the near future.

 

Transferring sponsored account ownership after enrolling in MFA

Role/departmental sponsored accounts typically involve transferring ownership for business continuity. Here are some examples depending on how the sponsored account is enrolled or used:

What should I do if my role/departmental sponsored account has delegated access?

As the account sponsor, I'll be transferring ownership of the account myself:

As the account sponsor, I'll be leaving it up to the primary users to transfer ownership themselves:

Note: If you are onboarding non-SFU users, you will need to provide every non-SFU user with their own sponsored account. Visit Sponsored Computing ID for details on requesting sponsored accounts.

What should I do if my role/departmental sponsored account is given to non-SFU users?

If the sponsored account is enrolled with a mobile device:

  • When the user is offboarding, the account sponsor will need to reset the account password, then contact the IT Service Desk to reset the MFA registration to expire previous mobile registrations.
  • When a new user is onboarding on the account, ask the new user to immediately prepare to enroll into MFA at their first login.

If the sponsored account is enrolled with a hardware token:

  • When the user is offboarding, the account sponsor will need to reset the account password, then ask the user to return the hardware token (if the token is purchased by the sponsor or department). If the hardware token is not returned (or is purchased by the user), contact the IT Service Desk to reset the MFA registration to expire previous hardware token registrations.
  • When a new user is onboarding on the account, the account sponsor should provide them with a hardware token or ask the new user to immediately prepare to enroll into MFA at their first login if the MFA registration was reset.

Note: The process outlined here should only be used when transferring the use of a sponsored account to another individual without an SFU Computing ID and who cannot use delegated login.

Every time the account is transferred, the account sponsor must reset the account password and MFA registration to revoke any previous access. There can only be one user for each sponsored account at a time.

 

Sponsored Account FAQ

Does MFA affect Outlook Desktop, Thunderbird, or other email clients?

Enabling delegate access or enrolling in MFA with the sponsored account does not impact existing logins and the usual login methods to email clients. At this time, email client connections use SFTP and do not go through SFU CAS.

Please note that this is expected to change once SFU Mail migrates to Exchange Online in the near future, allowing connections to SFU Mail from email clients to go through SFU CAS. For details, visit our SFU Microsoft 365 Road Map.

I don't know the sponsor of my sponsored account. How do I find out?

You can use the Sponsor Lookup App to find out who the sponsor of your sponsored account is. Once you're logged in, enter the computing ID of the sponsored account whose sponsor you wish to look up.

Note: To access the app, you must be logged into a staff, faculty or sponsored account, and be connected to campus networks (or SFU VPN).

How do I obtain a hardware token for my sponsored account?

For sponsored accounts that cannot use a mobile device for MFA, or that prefer a hardware token to facilitate a 'physical transfer' of MFA for onboarding/offboarding processes, hardware tokens are available for purchase via the SFU Bookstore either in-store or online.

 

Details

Article ID: 3994
Created: Sat 7/9/22 6:36 PM
Modified: Tue 7/12/22 5:37 PM

Related Services / Offerings

SFU’s Multi-Factor Authentication (MFA) refers to using two or more independent items to verify your identity, typically something you know (i.e., your SFU computing ID and password) and something you have (i.e., a time-based code).