About Employee Multi-Factor Authentication

Multi-factor authentication (MFA) adds an extra layer of security by requiring more than just your BCIT password to log in. Before September 28, 2022, BCIT used single-factor authentication—your password alone—to verify identity.

With MFA, you still enter your BCIT email and password, but you must also verify your identity using a second factor, such as a mobile app (Microsoft Authenticator) or a hardware token that generates a passcode. This significantly enhances account security.

Passwords are increasingly vulnerable, and over 90% of breaches involve compromised credentials. MFA reduces this risk by requiring two forms of authentication, making it much harder for unauthorized users to access your account—even if they know your password. Adopting MFA follows cybersecurity best practices and helps protect BCIT systems and data.

BCIT is working to simplify and strengthen its IT systems by leveraging the full benefits of Microsoft 365 (M365). A key part of this effort is improving how we manage secure access through multi-factor authentication (MFA).

To support this, BCIT is transitioning from Duo to Microsoft Authenticator. This change offers several advantages:

• Streamlined login experience across Microsoft 365 tools and BCIT systems.
• Consistency for all users, as students already use Microsoft Authenticator.
• Simplified support and setup with a single MFA platform.
• Ongoing security improvements through Microsoft’s regularly updated technologies.

While Duo has served us well, Microsoft Authenticator better supports BCIT’s current systems and future direction. Our goal is to make it easier for you to stay secure with a seamless and familiar login process.

Number matching offers a more secure authentication method compared to Duo MFA by directly addressing the risk of “MFA fatigue” and preventing accidental approvals. In traditional push notification methods, like those used by Duo, users can inadvertently approve a login request simply by tapping “approve” without carefully reviewing the details. Number matching mitigates this risk by requiring users to manually enter a specific number displayed on the login screen into their authenticator app. This ensures that users are actively engaged in the authentication process and are verifying the legitimacy of the request, significantly reducing the likelihood of phishing attacks and unauthorized access. The added step of manual verification makes number matching a stronger defense against modern security threats.

Multi-factor authentication is required to access all BCIT services and applications. It plays a vital role in protecting BCIT systems and data, helping ensure secure access to the tools and resources you use every day.

Not very often. Most users can choose the “Remember this device” option, which means you’ll typically only be prompted to complete MFA once or twice a day..

You may be asked to authenticate more frequently if you:

• Use multiple devices or browsers.
• Open incognito or private windows.
• Restart your device often.
• Access a wide range of apps throughout the day.

To initiate the MFA transition process please follow these steps:

On your computer:

1. To initiate the MFA transition process please click here: bcit.ca/duomigration
2. When the “Entra ID MFA – Early Enforcement” prompt appears, click Continue.
   
3. In the “Additional questions” screen, skip the Business justification field and click Submit request.
   Note: You’ll be signed out of all M365 services and, later in the process, prompted to sign back in using Microsoft Authenticator.
4. When the screen says “Let’s keep your account secure,” click Next.
   
5. Click Continue. You may be prompted to authenticate with Duo; if so, proceed as usual.
   
6. If you see “Create your passkey in Microsoft Authenticator,” click I want to set up a different method at the bottom. If you don’t see this screen, proceed to Step 8.
7. Select Microsoft Authenticator.
   
8. When prompted with “Start by getting the app,” click Next.
   
9. On the “Set up your account” screen, click Next.
   
10. When the “Scan the QR Code” screen appears, do not click anything. Leave the screen open and continue setup on your mobile device.
    

On your mobile device:

11. Open the Microsoft Authenticator app.
12. Tap Accept to allow Microsoft to collect diagnostic data.
    
13. Choose whether to share usage data, then tap Continue.
    
14. If you see the screen below (only shown the first time you use the app), tap Scan a QR code and skip to Step 17.
    Note: If you don’t see this screen, continue with Step 15 — it may not appear if you’ve opened the app before, even once.
15. Tap the Add account button (or the + icon in the top right).
    
16. Select Work or school account, then tap Scan QR code when prompted.
    
17. When asked to allow camera access, tap Allow.
    
18. Use your phone to scan the QR code displayed on your computer.
    Note: If prompted, you can allow Face ID for your phone’s biometric authentication. This helps secure the Authenticator app.
    
19. When prompted to allow notifications, tap Allow.
    
    
20. Your BCIT account should now appear in the Authenticator app.
    

Back to your computer:

21. Return to the QR code screen and click Next. It may take a few moments to load.
    
22. You’ll see a “Let’s try it out” screen displaying a number.
    
23. On your phone, a notification will appear — enter the number shown on your computer, then confirm using your device’s login method (Face ID, fingerprint, passcode, etc.).
    
24. Once verified, your computer will display a confirmation screen. Click Done.
    

You’re all set! This is a one-time setup. Going forward, when logging into BCIT systems that require MFA, you’ll receive a push notification on your phone.

New employees who have not previously used Duo can either visit bcit.ca/mfasetup to begin the setup process, or they will be prompted to enroll in MFA automatically when signing in to a BCIT service, such as mail.bcit.ca.

The setup process is the same as outlined in the student article. Please follow these steps: Setting up multi-factor authentication on your BCIT account and enrolling your mobile device for the first time

Just note that in Step 1, you’ll need to enter your BCIT employee email address (ending in @bcit.ca).

Current Duo token holders will receive an email when it’s time to pick up their new Microsoft SafeID token. Tokens are already available and can be picked up anytime at the Burnaby ITS Service Desk.

If you work at a satellite campus/school, please contact your local Administration office to arrange your token exchange.

After receiving your new token, follow the steps in the next panel to complete setup.

Once you have your SafeID token, you can register it yourself by following the steps in the student article: Setting up and testing a SafeID token.

Just note that in Step 2, you’ll need to enter your BCIT employee email address (ending in @bcit.ca).

Yes. If you’re an employee and also a student, you’ll need a separate SafeID token for your student account (ending in @my.bcit.ca).

This additional token must be purchased from the BCIT Bookstore. Use your student email to follow the setup instructions provided.

Note: Even if you use a SafeID token for your employee account, you can choose to use the Microsoft Authenticator app for your student account to avoid carrying two tokens. We recommend using the app, as it provides stronger security.