#AskOIT: Secure Your Account With MFA

Jul. 2, 2021

We understand technology can be intimidating.

There's always something new like a gadget, app or tool to learn, and we recognize that it can be hard to keep up with. So we're here to help make technology less intimidating. Each month we'll answer any questions you've got about tech. You can send us your questions, and we (Yasmeen Yahya and Jesse Plaza) will do our best to help you out.

This month, our column is all about multi-factor authentication (MFA), which will be required for all faculty (excluding adjunct faculty) starting August 16. Incoming students will also be required to have MFA set up by September 8. Those who do not have MFA set up by their respective deadline will not be able to access St. Edward's software and systems.

So, here's what you need to know about MFA.

What is MFA?

Likely, you know MFA stands for multi-factor authentication, but you're not sure exactly what it is. Well, to help explain it, we'll go with a bank metaphor.

You log into your bank account with just your password, which is super handy and convenient. A password is like a key that you don't have to physically have. But would you give your key out to anybody? Would you put your key anywhere where someone could get it, like a notepad or unprotected document?

Unfortunately, passwords aren't as secure as they used to be. Or, rather, in today's modern world, they're just too easy to misplace and reuse, which could mean that it's just as easy to get leaked somewhere.

So, with MFA, in addition to something you know, like your password, you'll also sign in with a second factor. This could be something you are or something you have, like a code that's texted to your phone and only lasts for a certain number of seconds or minutes, a USB stick that you plug in, or a phone call, for example. This way, if your password gets leaked for some reason, you'll still be secure. This is because even if your password is compromised, the hacker won't have your second factor (because they won't have access to your verification app, text messages, USB stick, etc.), so they won't be able to get into your account. So when you set up MFA, your account is way harder to take over and attack. Basically, we're rolling out MFA because it's the gold standard for security.

For more information about MFA, including frequently asked questions and a comparison guide of the MFA factors (answering the question, ‘which authentication factors should I choose?’), visit our knowledge base.

Beware of reusing passwords.

Let's go back to the key metaphor. If you have a key that works in multiple locks, that makes things easy for you because you can easily access many more doors. Similarly, if you use the same password on multiple websites, they're easier for you to access. Though, that means it's easier for others to access too. All a hacker needs is one copy of your "key" to unlock the doors to your data.

You can't trust internet security these days — you have to take it into your own hands. So if something that you use gets taken over and your password gets leaked, you'd better hope that password is only good for that one account. Otherwise, people who want to log into your stuff or rob you will start trying that username and password on a bunch of different services.

So, how do you set up MFA?

This one is easy. Just go to your account page, the same place you would go to change your password. Sign in, hit that button to edit your profile as if you're going to change your password, then go to the button at the bottom called "Extra Verification." This section will have all these different methods you can choose from to set up MFA. You can find more detailed instructions on setting up MFA by visiting bit.ly/SEU-MFA.

You don't have to set up all of the extra verification factors.

However, we recommend setting up more than one, so you are not reliant on a single device. For example, let's say you lose your phone or something happens where you can’t access it. If you set up authentication factors that aren’t tied to it, like a USB stick (authentication key) or biometric authenticator, you can still log in.

What do I do if I get locked out of my account?

Just like requesting a password reset, if you don't have access to any of your factors, our Support team at support.stedwards.edu can help reset your factors for you and get you back into your account.

If you end up getting locked out of one of your authentication apps but have other factors set up, just go into your account to remove the authentication app and re-add it. You will need to use your other authentication method to log in. Though, this is an excellent example of why it's good to have a backup factor!

Final Notes on MFA

MFA is honestly a lot easier to manage than it sounds. You're not going to get prompted for MFA every time you log in. Instead, it's going to try to remember the last couple of devices, browsers and locations you've logged in from. Essentially, our identity management system (what prompts your for MFA) will learn your habits so you won’t have to verify it’s you every time you log into something from your usual work location.

Though, if you ever get a random message saying you logged in on a new device at three in the morning, and you know you haven't signed into anything in a while, contact OIT Support by going to support.stedwards.edu. You can chat with us, send an email or use our contact form. Whatever method of contact you choose, one of our agents will help you secure your account.

Lastly, remember that cybersecurity is not just a hypothetical. We are seeing an increasing amount of these sorts of attacks and phishing scams. Though, by protecting your account, you stop these attacks from spreading to other people. In other words, the more secure your account is, the safer we all are as a community.

If you have more questions about MFA, visit the OIT Support Center to find knowledge base articles on the subject. Still have questions? Contact us.