BCIT is moving to multi-factor authentication (MFA) for all faculty, staff, and contractors on the most frequently used BCIT systems in order to improve our information security and prevent potential privacy and security breaches. This move will also help us to be in compliance with our cybersecurity insurance requirements. We are implementing a tool, Duo, which will require that you do an additional step, usually only once or twice a day, when authenticating to frequently used BCIT systems and applications.
General questions about MFA and Duo
Multi factor authentication means using more than one “factor” to verify a user’s identity at a login point. Until now, BCIT has been using single factor authentication – where that single factor is your usual BCIT password – to confirm that you are who you say you are when you try to login to a BCIT system or tool.
With the move to multi factor authentication, you’ll still need to first provide your usual BCIT login credentials (your BCIT email address and password), but we’re adding an additional factor to be checked, usually either access to an enrolled mobile app on your smartphone to confirm your login attempt or your possession of a device (fob) that can provide a pass code. The second authentication step is an added layer of security on top of your existing credentials.
Login credentials are valuable and are increasingly easy to compromise. Over 90% of breaches today involve compromised usernames and passwords. A majority of cybersecurity incidents have come from compromised passwords, and MFA is designed to reduce this risk. By requiring two different channels of authentication, your login credentials are protected from remote attacks. MFA prevents anyone but you from accessing your account, even if they know your password. Implementing MFA is in line with best practices and will protect our systems and prevent our data from being compromised.
MFA is being launched for all faculty, staff, and contractors (not students) on September 28, 2022, with an early enrolment period starting on September 12.
On September 12, all affected users will receive an email inviting them to enrol with Duo in advance of the launch date. If you enrol early, September 28 should go very smoothly for you, and you’ll be able to start using MFA with your enrolled device or fob right away. If you haven’t enrolled prior to the September 28 deadline, you’ll need to enrol on that day, and you’ll be prompted to do so on your first attempt to login to an affected system.
We strongly recommend enrolling during the early enrolment period so that you have time to resolve any issues ahead of time.
Duo is the vendor that BCIT is partnering with to provide MFA at BCIT. Duo has extensive experience with implementing MFA at post-secondary institutions, and their solution is flexible and extensible so that we can extend it to more systems over time and as needed. Duo’s MFA solution includes simple and effective mobile apps which will make it easy for most users to simply install the app, enroll their device, and then just use it from then on to quickly confirm their identity when they need to login. We believe that this will make for a relatively simple transition for most users.
To start with, there are four main systems which will have MFA applied to them. They are:
- id.bcit.ca – This is the standard BCIT login screen that you use when you’re accessing many different applications and systems, including the Loop, myBCIT, the Learning Hub, and others. Login to id.bcit.ca and view the dashboard to see the complete list of applications that you can access via this service and which will therefore be affected by the change.
- Exchange Online and OneDrive Online
- Workspace
Please note: myVPN has been removed from the list of affected systems at launch.
Not ordinarily! In most cases you’ll be able to check an option to remember your device for 12 hours. Most users will only need to do MFA once or twice per day, depending on how they interact with BCIT systems. Users who utilize multiple devices or browsers, who frequently access a variety of applications, or who commonly use incognito/private browser windows, frequently restart, etc., may need to do MFA a little more often.
If you are using one browser on one computer without restarting during the day, and you use the “remember your device” option, then the theoretical maximum number of times you’d need do MFA would be three:
- once for id.bcit.ca
- once for webmail.bcit.ca or onedrive.bcit.ca (logging into one also logs you into the other)
- once for workspace.bcit.ca
The simplest option, and then one we recommend, is to install the Duo Mobile app on your personal smartphone. With this app, once you’ve gone through the initial setup process once, you can quickly confirm that you are the person attempting to log into your account either in the app or by entering a generated pass code from the app on the login page. Many people are already used to carrying their smartphone with them, so having it available whenever they need to access an affected work system is likely to be the easiest.
If you don’t have a smartphone or you’d simply prefer not to use your personal device, you can request a Duo hardware token (key fob). These devices will need to be carried with you whenever you anticipate needing to access an affected work system. They provide a numerical passcode that you would then enter into the login page to confirm your identity.
If there comes a day when you have forgotten to bring your smartphone or hardware token with you to work, the IT Services Help Desk can provide you with a one-time passcode.
There are a couple of main differences between using the Duo Mobile app on a mobile device and using a hardware token to confirm your login.
It’s important to note that you can actually use the Duo Mobile app in two ways:
- Confirming your logins by displaying push notifications for you to respond to on your device. This option requires a wifi or data connection but uses very minimal amounts of data if you’re not connected to wifi – less than 2kb per notifications (and you can decide to turn off cellular data for the app if you’d still prefer not to use data when not connected to wifi).
- Confirming your logins by providing a generated passcode that you then enter into the login confirmation screen. This option means that the Duo Mobile app is basically functioning as though it were a hardware token. It does not require a wifi or data connection so there is no cost to users for using the Duo Mobile app on their device in this way.
A hardware token is a small device with a single button that only provides you a passcode to enter on the login confirmation screen. It does not require any kind of connection and has a battery that is expected to last for a year at a time.
| Task | Duo Mobile app push notifications | Hardware token | Duo Mobile app passcode generator |
|---|---|---|---|
| Logging in to id.bcit.ca, workspace.bcit.ca, and Outlook online or OneDrive online |
|
|
|
There are a couple of main differences between using the Duo Mobile app on a mobile device and using a hardware token to confirm your login.
It’s important to note that you can actually use the Duo Mobile app in two ways:
- Confirming your logins by displaying push notifications for you to respond to on your device. This option requires a wifi or data connection but uses very minimal amounts of data if you’re not connected to wifi – less than 2kb per notifications (and you can decide to turn off cellular data for the app if you’d still prefer not to use data when not connected to wifi).
- Confirming your logins by providing a generated passcode that you then enter into the login confirmation screen. This option means that the Duo Mobile app is basically functioning as though it were a hardware token. It does not require a wifi or data connection so there is no cost to users for using the Duo Mobile app on their device in this way.
A hardware token is a small device with a single button that only provides you a passcode to enter on the login confirmation screen. It does not require any kind of connection and has a battery that is expected to last for a year at a time.
| Task | Duo Mobile app push notifications | Hardware token | Duo Mobile app passcode generator |
|---|---|---|---|
| Logging in to id.bcit.ca, workspace.bcit.ca, and Outlook online or OneDrive online |
|
|
|
For users who are unable or unwilling to install the Duo Mobile app on their personal device, BCIT can provide a hardware token (fob key). This device, which generates numeric passcodes when needed to confirm a user’s identity, can be used instead of the smartphone app. Users would need to keep this device with them to use whenever they will be accessing affected BCIT systems.
Yes, once you have submitted a Service Request Form, the Service Desk will notify those staff and faculty members via email with a link to book an appointment to pick up your token at your designated campus.
Good question! There will be multiple supports available:
- We’ll be adding more KB articles about using Duo for MFA as we get closer to the launch date. Check the list at the bottom of this article to see all that are available.
- There are detailed information sessions – Multi Factor Authentication (MFA): Enrolling and Setting up your Device in Duo. In these optional sessions, participants will be provided an overview of multi factor authentication, instructions on how to enrol and set up your device or to request a fob, and an explanation of what to expect on the launch date. Checked out the linked Loop post for dates and registration information.
- There is a dedicated email inbox – MFA@bcit.ca – available now through the launch period for those with questions or concerns about MFA, as well as regular Service Desk Support.
It can if you allow it to (this is a setting that you control on your device). But importantly, the app, once enrolled, actually doesn’t need data to work as an MFA option.
If you do permit the DUO app to use your cellular data on your phone, the amount of data used to receive a DUO push notification in the app is honestly negligible (around 2kb per push). But if you have a very limited data plan, you’re travelling outside of a cellular service area or to a region with higher data roaming rates, or simply don’t wish to permit the DUO app to use any of your data, the App on your phone, once enrolled, can function more like an MFA hardware token (fob) and simply generate a passcode for you to use to confirm a login. You won’t be able to receive a push notification without either a wifi or cellular data connection, but you can still use the app and you can still confirm a login without using data.
Follow the instructions in the Setting up Multi Factor Authentication with Duo on Your Mobile Device or MFA Hardware Token article.
Troubleshooting
Don’t worry, you don’t need to go home and get your device. Just contact the Service Desk and after confirming your identity, they’ll give you a 12-hour bypass code (this is a 9-digit code that functions a little differently than a regular passcode). This bypass code will allow you to access affected BCIT systems for the day so you can still do your work.
First of all, if you don’t think you initiated the login attempt, always Deny it. If you only see this occasionally, it’s unlikely to be anything to worry about and you can ignore it after Denying the request. Rarely, a Duo notification can be delayed and show up later, making it seem like it’s not related to your own attempts to login, even though it was.
However, if you get more than three unexpected notifications in a row, this may indicate an attempted attack. If that happens:
- Deny the next confirmation request that you didn’t initiate.
- Tap the Yes button when asked if this was a suspicious login. This will notify IT Services about the issue and include also any available information about the attempted login.
- Go to myBCIT and change your password.
If you’ve already gone through the steps to add the App to your device and enroll it, there are several possible reasons why you may not receive notifications:
- You haven’t turned on notifications for the Duo app on your phone.
- Your phone has no connection to the internet (wifi, cellular, etc.).
- Your phone is not connected to wifi and you haven’t permitted the app to use your cellular data.
- Your phone is in a state in which it cannot receive or notify you about the login attempt (powered off, airplane mode, “do not disturb” or similar status, etc.).
One possibility is that a Focus profile is preventing it. This is a feature introduced in recent versions of iOS.
Depending on your settings, your active Focus profile can suppress Duo Mobile notifications and prevent you from seeing them. To prevent this, add Duo Mobile to the “Allowed Notification Apps” in all relevant Focus profiles.
If the Duo app is not whitelisted like this, when you receive a Duo Push while using one of the Focus profiles, you won’t see DUO Push prompt/alert, and you could eventually end up locking yourself out from DUO due to multiple failed (timed out) MFA attempts.
If you’ve chosen to not secure your phone (so that anyone who picked it up could access anything on it without having to enter a PIN, password, or other secure unlocking option first), it’s simply not secure enough to use for multi factor authentication.
If you want to use the DUO app on your phone, you’ll need to set it up so that you need to first unlock your phone before you can access it.
For more information:
- Duo docs: How does a policy requiring screen lock affect the ability to authenticate via the Duo Mobile app?
- iPhone User Guide: Set a passcode on iPhone
- Android Help: Set screen lock on an Android device
Don’t worry! The app is free. If you’re being asked to pay for the app, it’s the wrong app. The correct app is called “Duo Mobile” and has this green logo:
Links to the correct apps:
- iOS: Download Duo Mobile in the App Store
- Android: Download Duo Mobile in the Google Play Store