About Employee Multi-Factor Authentication

Multi-factor authentication (MFA) is required to access BCIT apps and services. This article answers common questions about employee MFA at BCIT and provides setup guidance for both mobile devices (personal or BCIT-issued) and hardware tokens.

BCIT introduced MFA for all faculty, staff, and contractors in Fall 2022 using Duo (app or token). Starting July 2025 (with an opt-in period till Sept 15, 2025), we are transitioning to Microsoft’s MFA system—either the Microsoft Authenticator app or a SafeID hardware token—to align with the student platform.

🔹 Employees with System Administrator (SA) accounts used for remote server access will continue to authenticate through Duo MFA for those accounts. Microsoft MFA will apply to their primary BCIT account, while Duo MFA remains in place exclusively for SA account authentication until further notice.

Setting up MFA on your mobile device

This process may take up to 30 minutes. Please set aside uninterrupted time to complete it from start to finish.

Step 1 – Install app on your mobile device

Search for Microsoft Authenticator in your device’s app store (e.g., Apple App Store, Google Play, or equivalent) and install it.

Note: The official Microsoft Authenticator app is free to download. If you’re prompted to pay, double-check that you are selecting the correct app developed by Microsoft.

Once the app is installed, you’re ready to enroll your device by following the instructions in the next section.

Step 2 – Set up app on your mobile device

The setup process is the same as described in the student article. You can either watch the video tutorial or follow the step-by-step guide: Setting up MFA with Microsoft Authenticator (First-Time Enrollment).

Important: Just note that in Step 1, you’ll need to enter your BCIT employee email address (ending in @bcit.ca).

Using a SafeID Hardware Token

Image of Microsoft SafeID hardware token

SafeID tokens are small, handheld devices that display a rotating six-digit code used to sign in with Multi-Factor Authentication. When the button is pressed, the screen displays a passcode that can be used to confirm your login. The internal battery typically lasts 3 to 5 years, depending on usage — and because the tokens are sealed for security and durability, the entire unit must be replaced once the battery is depleted.

Note: We recommend using the Microsoft Authenticator mobile app whenever possible. It offers stronger security, easier sign-ins, and features like number matching and biometric verification. Hardware tokens are more limited, require manual entry, and are easier to lose. The app also makes account recovery and management much simpler.

Current Duo token holders will receive an email when it’s time to pick up their new Microsoft SafeID token. Tokens are already available and can be picked up anytime at the Burnaby ITS Service Desk.

If you work at a satellite campus/school, please contact your local Administration office to arrange your token exchange.

After receiving your new token, follow the steps in the next panel to complete setup.

If you’re both an employee and a student at BCIT, you’ll have two separate accounts — one for work (ending in @bcit.ca) and one for your studies (ending in @my.bcit.ca). Each account requires its own multi-factor authentication (MFA) method.

If you’re using a SafeID token for your employee account, you can either:

Purchase a second SafeID token from the BCIT Bookstore for your student account, and use your student email to follow the setup instructions provided.

or
Use the Microsoft Authenticator app for your student account instead, to avoid carrying two tokens. Follow these instructions for your student account.

Tip: We recommend using the Microsoft Authenticator app whenever possible, as it’s more secure and easier to manage than a hardware token.

Frequently Asked Questions

Multi-factor authentication (MFA) adds an extra layer of security by requiring more than just your BCIT password to sign in. After entering your credentials, you’ll also verify your identity using a second method — typically a mobile app (Microsoft Authenticator) or a hardware token.

MFA helps protect your account from unauthorized access, even if your password is compromised. It’s a key cybersecurity best practice and plays a critical role in keeping BCIT systems and data secure.

BCIT is working to simplify and strengthen its IT systems by leveraging the full benefits of Microsoft 365 (M365). A key part of this effort is improving how we manage secure access through multi-factor authentication (MFA).

To support this, BCIT is transitioning from Duo to Microsoft Authenticator. This change offers several advantages:

Streamlined login experience across Microsoft 365 tools and BCIT systems.
Consistency for all users, as students already use Microsoft Authenticator.
Simplified support and setup with a single MFA platform.
Ongoing security improvements through Microsoft’s regularly updated technologies.

While Duo has served us well, Microsoft Authenticator better supports BCIT’s current systems and future direction. Our goal is to make it easier for you to stay secure with a seamless and familiar login process.

Number matching offers a more secure authentication method compared to Duo MFA by directly addressing the risk of “MFA fatigue” and preventing accidental approvals. In traditional push notification methods, like those used by Duo, users can inadvertently approve a login request simply by tapping “approve” without carefully reviewing the details. Number matching mitigates this risk by requiring users to manually enter a specific number displayed on the login screen into their authenticator app. This ensures that users are actively engaged in the authentication process and are verifying the legitimacy of the request, significantly reducing the likelihood of phishing attacks and unauthorized access. The added step of manual verification makes number matching a stronger defense against modern security threats.

Not very often. Most users can choose the “Remember this device” option, which means you’ll typically only be prompted to complete MFA once or twice a day..

You may be asked to authenticate more frequently if you:

Use multiple devices or browsers.
Open incognito or private windows.
Restart your device often.
Access a wide range of apps throughout the day.

Starting August 25, 2025, employee and student accounts will be separated. This change strengthens access management, ensures each account only connects to its intended systems, and enhances the protection of your data and cybersecurity at BCIT.

If you’ve already set up MFA for your student email account, you’ll need to complete a separate MFA setup for your employee email account — and vice versa.

For more information, please refer to the following articles:

For more information about Microsoft MFA at BCIT

For more general inquiries, managing your MFA methods, or troubleshooting, please refer to the student support articles.:

About Employee Multi-Factor Authentication

Note: Employees with System Administrator (SA) accounts

Setting up MFA on your mobile device

Step 1 – Install app on your mobile device

Step 2 – Set up app on your mobile device

Using a SafeID Hardware Token

How do I switch from a Duo Token to a Microsoft SafeID Token?

Setting up and testing an Employee SafeID Token

How does the token work if I'm both an employee and a student?

Frequently Asked Questions

What is multi-factor authentication and why is it important?

Why are we moving from Duo to Microsoft authentication?

In the Microsoft app, why do I need to enter a number in the MFA prompt?

What systems and applications are affected by MFA?

How often will I need to do MFA?

How will I authenticate if I'm both an employee and student?

For more information about Microsoft MFA at BCIT