BCIT has implemented multi-factor authentication (MFA) for all faculty, staff, and contractors on the most frequently used BCIT systems in order to improve our information security and prevent potential privacy and security breaches. This also helps us to be in compliance with our cybersecurity insurance requirements. We have implemented a tool, Duo, which requires that you do an additional step, usually only once or twice a day, when authenticating to frequently used BCIT systems and applications.
General questions about MFA and Duo
Multi factor authentication means using more than one “factor” to verify a user’s identity at a login point. Before September 28, 2022, BCIT was using single factor authentication – where that single factor is your usual BCIT password – to confirm that you are who you say you are when you try to login to a BCIT system or tool.
With the recent move to multi factor authentication, you’ll still need to first provide your usual BCIT login credentials (your BCIT email address and password), but we’ve added an additional factor to be checked, usually either access to an enrolled mobile app on your smartphone to confirm your login attempt or your possession of a device (hardware token) that can provide a pass code. The second authentication step is an added layer of security on top of your existing credentials.
Login credentials are valuable and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. A majority of cybersecurity incidents have come from compromised passwords, and MFA is designed to reduce this risk. By requiring two different channels of authentication, your login credentials are protected from remote attacks. MFA prevents anyone but you from accessing your account, even if they know your password. Implementing MFA is in line with best practices and will protect our systems and prevent our data from being compromised.
Duo is the vendor that BCIT is partnering with to provide MFA at BCIT. Duo has extensive experience with implementing MFA at post-secondary institutions, and their solution is flexible and extensible so that we can extend it to more systems over time and as needed. Duo’s MFA solution includes simple and effective mobile apps which will make it easy for most users to simply install the app, enroll their device, and then just use it from then on to quickly confirm their identity when they need to login. We believe that this will make for a relatively simple transition for most users.
MFA was launched for all faculty, staff, and contractors (not students) on September 28, 2022.
On September 12 (and again afterwards, for those who had not yet enrolled), all affected users received an email inviting them to enroll with Duo in advance of the launch date.
To start with, there are four main systems which will have MFA applied to them. They are:
- id.bcit.ca – This is the standard BCIT login screen that you use when you’re accessing many different applications and systems, including the Loop, myBCIT, the Learning Hub, and others. Log in to id.bcit.ca and view the dashboard to see the complete list of applications that you can access via this service and which will therefore be affected by the change.
- Exchange Online and OneDrive Online
Please note: myVPN was removed from the list of affected systems at launch.
Not ordinarily! In most cases you are able to check an option to remember your device for 12 hours. Most users only need to do MFA once or twice per day, depending on how they interact with BCIT systems. Users who utilize multiple devices or browsers, who frequently access a variety of applications, or who commonly use incognito/private browser windows, frequently restart, etc., may need to do MFA a little more often.
If you are using one browser on one computer without restarting during the day, and you use the “remember your device” option, then the theoretical maximum number of times you’d need to do MFA would be three:
- once for id.bcit.ca
- once for webmail.bcit.ca or onedrive.bcit.ca (logging into one also logs you into the other)
- once for workspace.bcit.ca
The simplest option, and the one we recommend, is to install the Duo Mobile app on your personal smartphone. With this app, once you’ve gone through the initial setup process, you can quickly confirm that you are the person attempting to log into your account, either in the app or by entering a generated passcode from the app on the login page. Many people are already used to carrying their smartphone with them, so having it available whenever they need to access an affected work system is likely to be the easiest option.
If you don’t have a smartphone or you’d simply prefer not to use your personal device, you can request a Duo hardware token (key fob). These devices will need to be carried with you whenever you anticipate needing to access an affected work system. They provide a numerical passcode that you would then enter into the login page to confirm your identity.
If there comes a day when you have forgotten to bring your smartphone or hardware token with you to work, the IT Services Help Desk can provide you with a one-time passcode.
There are a couple of main differences between using the Duo Mobile app on a mobile device and using a hardware token to confirm your login.
It’s important to note that you can actually use the Duo Mobile app in two ways:
- Confirming your logins by displaying push notifications for you to respond to on your device. This option requires a wifi or data connection but uses a very minimal amount of data if you’re not connected to wifi – less than 2kb per notification (and you can decide to turn off cellular data for the app if you’d still prefer not to use data when not connected to wifi).
- Confirming your logins by providing a generated passcode that you then enter into the login confirmation screen. This option means that the Duo Mobile app is basically functioning as though it were a hardware token. It does not require a wifi or data connection so there is no cost to users for using the Duo Mobile app on their device in this way.
A hardware token is a small device with a single button that only provides you a passcode to enter on the login confirmation screen. It does not require any kind of connection and has a battery that is expected to last for a year at a time.
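The reason a hardware token, or the Duo Mobile app in passcode mode, needs no network connection is that the device and the server share a secret and both derive each code from it locally. The following is an added example, not code from BCIT or Duo, showing the standard HOTP scheme from RFC 4226 (the page does not say which algorithm or parameters Duo uses, so that is an assumption for illustration). It also shows the server side: a look-ahead window that tolerates a token whose button was pressed a few times without logging in, a check that a used code can never be replayed, and an `active` flag standing in for the 30-day hold a lost token can be placed on.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduced to `digits` decimal digits.
    Only the shared secret and the counter are needed, so no connection."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Constructed server-side state for one enrolled token (not Duo's data model)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0     # next counter value the server expects to see
        self.active = True   # a hold on a lost token would set this to False


def verify_hotp(record: TokenRecord, submitted: str, window: int = 10) -> bool:
    """Accept `submitted` if it matches any of the next `window` counter values
    (the token may have been pressed without a login in between), then advance
    the server counter past the match so the same code cannot be replayed."""
    if not record.active:
        return False
    for i in range(window):
        candidate = hotp(record.secret, record.counter + i)
        # constant-time comparison avoids leaking how many digits matched
        if hmac.compare_digest(candidate, submitted):
            record.counter += i + 1
            return True
    return False


if __name__ == "__main__":
    # Secret from the RFC 4226 test vectors; a real token has a random secret.
    secret = b"12345678901234567890"
    rec = TokenRecord(secret)
    print("token shows:", hotp(secret, 0))          # 755224 per RFC 4226
    print("first use:", verify_hotp(rec, hotp(secret, 0)))   # True
    print("replay:", verify_hotp(rec, hotp(secret, 0)))      # False
    rec.active = False                                        # token reported lost
    print("held token:", verify_hotp(rec, hotp(secret, 1)))  # False
```

The look-ahead window is the practical trade-off behind "press the button, type the code": too small and a token whose button was pressed idly stops working until the Service Desk resyncs it; too large and an attacker who obtains one code gets more chances to use it before the legitimate user does.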
| Task | Duo Mobile app push notifications | Hardware token | Duo Mobile app passcode generator |
|---|---|---|---|
| Logging in to id.bcit.ca, workspace.bcit.ca, and Outlook online or OneDrive online | | | |
Texting is actually a less secure method of multi factor authentication. This is because there’s no way to encrypt text messages during sending and they can potentially be intercepted. The best current advice on online security is to avoid or move away from using text messages for MFA, which is why many systems which offer MFA via text message also offer other more preferred methods usually through their own proprietary mobile apps and are actively encouraging their users to make the change.
Additionally, there would be a significant cost associated with using text messages for MFA at BCIT. It simply doesn’t make sense to spend more money to provide less security.
For users who are unable or unwilling to install the Duo Mobile app on their personal device, BCIT can provide a hardware token (fob key). This device, which generates numeric passcodes when needed to confirm a user’s identity, can be used instead of the smartphone app. Users would need to keep this device with them to use whenever they will be accessing affected BCIT systems.
Yes. Once you have submitted a Service Request Form, the Service Desk will email you a link to book an appointment to pick up your token at your designated campus.
Good question! There are multiple supports available:
- We’ll be adding more KB articles about using Duo for MFA as needed. Check the list at the bottom of this article to see all that are available.
- There is a dedicated email inbox – MFA@bcit.ca – for those with questions or concerns about MFA, as well as regular Service Desk Support.
It can if you allow it to (this is a setting that you control on your device). But importantly, the app, once enrolled, doesn’t need data to work as an MFA option.
If you do permit the Duo app to use your cellular data on your phone, the amount of data used to receive a Duo push notification in the app is negligible (around 2kb per push). But if you have a very limited data plan, you’re travelling outside of a cellular service area or to a region with higher data roaming rates, or you simply don’t wish to permit the Duo app to use any of your data, the app on your phone, once enrolled, can function more like an MFA hardware token (fob) and simply generate a passcode for you to use to confirm a login. You won’t be able to receive a push notification without either a wifi or cellular data connection, but you can still use the app and you can still confirm a login without using data.
Follow the instructions in the Setting up Multi Factor Authentication with Duo on Your Mobile Device or MFA Hardware Token article.
Don’t worry, you don’t need to go home and get your device. Just contact the Service Desk and after confirming your identity, they’ll give you a 12-hour bypass code (this is a 9-digit code that functions a little differently than a regular passcode). This bypass code will allow you to access affected BCIT systems for the day so you can still do your work.
Please call the Service Desk and let them know right away! They can quickly put a 30-day hold on your hardware token so that it can’t be used by anyone else and help you figure out a replacement MFA method.
If it turns out that you just misplaced it and you can find it again within that 30-day hold period, simply contact the Service Desk again to have the hold removed. Otherwise, it’ll be deleted from the system when the 30-day hold is complete.
First of all, if you don’t think you initiated the login attempt, always Deny it. If you only see this occasionally, it’s unlikely to be anything to worry about and you can ignore it after Denying the request. Rarely, a Duo notification can be delayed and show up later, making it seem like it’s not related to your own attempts to login, even though it was.
However, if you get more than three unexpected notifications in a row, this may indicate an attempted attack. If that happens:
- Deny the next confirmation request that you didn’t initiate.
- Tap the Yes button when asked if this was a suspicious login. This will notify IT Services about the issue and also include any available information about the attempted login.
- Go to myBCIT and change your password.
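The "more than three unexpected notifications in a row" rule above is also something the IT side can watch for centrally, since every push the user denies or lets time out is recorded by the MFA service. The following is an added example, not BCIT's or Duo's own tooling, that runs that rule over a small constructed log (the line format and field names are assumed for illustration; Duo's real authentication log schema is not on the page). A streak of pushes that were not approved is counted per user and reset whenever the user approves one, and any user whose streak exceeds the threshold is reported with the time the streak began.

```python
from typing import Dict, List

# Constructed sample log: timestamp, user, factor, result.
# "approved" means the user accepted the push; "denied" and "timeout"
# are both pushes the user did not confirm (unexpected from their view).
SAMPLE_LOG = """\
2022-09-28T09:01:12Z alice push denied
2022-09-28T09:01:40Z alice push timeout
2022-09-28T09:02:05Z bob push denied
2022-09-28T09:02:30Z alice push denied
2022-09-28T09:02:55Z bob push approved
2022-09-28T09:03:10Z alice push denied
2022-09-28T09:03:20Z bob push denied
2022-09-28T09:04:00Z carol push timeout
2022-09-28T09:04:30Z carol push timeout
2022-09-28T09:05:00Z carol push timeout
"""


def parse_log(text: str) -> List[dict]:
    """Turn the whitespace-separated sample lines into dicts, skipping blanks."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, factor, result = parts
        events.append({"ts": ts, "user": user, "factor": factor, "result": result})
    return events


def detect_push_fatigue(text: str, threshold: int = 3) -> Dict[str, dict]:
    """Flag users with more than `threshold` consecutive push prompts that were
    not approved. An approval resets the streak, mirroring the page's advice
    that the occasional stray notification is not a concern."""
    streaks: Dict[str, dict] = {}
    flagged: Dict[str, dict] = {}
    for ev in parse_log(text):
        if ev["factor"] != "push":
            continue
        user = ev["user"]
        if ev["result"] == "approved":
            streaks.pop(user, None)
            continue
        entry = streaks.setdefault(user, {"streak": 0, "first_ts": ev["ts"]})
        entry["streak"] += 1
        if entry["streak"] > threshold:
            # keep the longest streak seen so far for this user
            flagged[user] = dict(entry)
    return flagged


if __name__ == "__main__":
    for user, info in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"{user}: {info['streak']} unapproved pushes in a row since {info['first_ts']}")
```

In the sample, alice is flagged (four unapproved pushes with no approval between them), bob is not (an approval breaks his run), and carol is not (exactly three, which does not exceed the threshold). A flagged user is exactly the case where the page tells the user to deny, mark the login as suspicious, and change their password, so the same event can drive a password-reset workflow from the service-desk side.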
If you’ve already gone through the steps to add the App to your device and enroll it, there are several possible reasons why you may not receive notifications:
- You haven’t turned on notifications for the Duo app on your phone.
- Your phone has no connection to the internet (wifi, cellular, etc.).
- Your phone is not connected to wifi and you haven’t permitted the app to use your cellular data.
- Your phone is in a state in which it cannot receive or notify you about the login attempt (powered off, airplane mode, “do not disturb” or similar status, etc.).
One possibility is that a Focus profile is preventing it. This is a feature introduced in recent versions of iOS.
Depending on your settings, your active Focus profile can suppress Duo Mobile notifications and prevent you from seeing them. To prevent this, add Duo Mobile to the “Allowed Notification Apps” in all relevant Focus profiles.
If the Duo app is not allowed in this way, then when you receive a Duo Push while one of those Focus profiles is active you won’t see the Duo Push prompt/alert, and you could eventually lock yourself out of Duo due to multiple failed (timed-out) MFA attempts.
If you’ve chosen to not secure your phone (so that anyone who picked it up could access anything on it without having to enter a PIN, password, or other secure unlocking option first), it’s simply not secure enough to use for multi factor authentication.
If you want to use the Duo app on your phone, you’ll need to set it up so that you must first unlock your phone before you can access it.
For more information:
- Duo docs: How does a policy requiring screen lock affect the ability to authenticate via the Duo Mobile app?
- iPhone User Guide: Set a passcode on iPhone
- Android Help: Set screen lock on an Android device
Moving Duo from one phone to another one involves a slightly different process depending on whether the two phones have the same phone number or a different one. In either case, in your browser:
- Go to id.bcit.ca (and if necessary, login with your usual login credentials).
- Click on Manage MFA Devices.
- Note: You will likely be asked to do an additional MFA step – even though you’ve already done so to access id.bcit.ca – to ensure it’s really you, because it’s critical for your account security that a third party not gain access to change your Duo MFA methods.
- If your phone will have the same phone number, click the I have a new phone link on the record of your current device and follow the steps to change the record.
If the new phone has a different phone number, click the blank Add a device button and follow the steps to add an additional device. Once you’ve added the new device, you’ll be able to delete the old one.