Setting up Multi-Factor Authentication for Students

Microsoft Authenticator is the only recommended mobile app to use for student MFA at BCIT. It is free and the icon looks like the one displayed here.

Start by downloading the app onto your phone. Download links:

• iOS:
  • Recommended: Microsoft Authenticator in the App Store
• Android:
  • Recommended: Microsoft Authenticator app in the Google Play Store

Once the app is installed on your device (only installed, you don’t need to do anything more at this point), you are ready to set up and enroll your device by following the instructions in the next section.

Note: The instructions below assume you have access to both a laptop or desktop computer and your mobile device, as this is generally the simplest. If you only have your mobile device, you can still follow these instructions but the process will be slightly different at step 4, as noted below.

Once you’ve downloaded the mobile app to your mobile device:

1. On your computer: Go to bcit.ca/mfasetup and login using your usual BCIT credentials (myBCIT email address and password).
2. Click Next to proceed from the “More information required” screen.
   
3. Click Next on the following screen.
4. Click the Next button to proceed to the next screen with a QR code.
   • Note: If you are following this process entirely on your mobile device, you won’t see a QR code, but will instead see a link to pair your account with the app. Tap that link and follow the rest of the instructions.
     
5. On your mobile device: Start the Microsoft Authenticator app on your mobile device and tap the Accept button to permit Microsoft to collect diagnostic data.
6. Choose whether or not to share usage data and tap the Continue button.
7. If you see the screen below at this point (this will only be visible the first time you use the app), tap Scan a QR code and continue from step 10. If you don’t see this screen, continue from step 8.
8. Tap the Add account button (or the + button at the top right).
9. Tap the Work or school account option and then tap Scan QR code on the pop-up that appears.
10. If required, permit the Authenticator app to have access to your camera and scan the QR code on your computer screen.
11. On your computer: Click the Next button on the screen showing the QR code, which will take you to the Let’s try it out screen showing a number and asking you to enter it in the app on your mobile device.
12. On your mobile device: Enter the number shown on your computer, and then confirm your login using whichever phone login method you prefer (face ID, fingerprint, passcode, etc.).
13. Congratulations! You are all set up! You can now confirm your logins when needed on your mobile phone. Click Done.

You may also wish to add alternate MFA methods (see below) to ensure that you can always login when you need to, even if your phone is dead or in the other room.

SafeID tokens will be available for purchase at the BCIT bookstore. SafeID tokens are small physical devices with a button and small screen. When the button is pressed, the screen displays a passcode that can be used to confirm your login. Once you’ve purchased a SafeID token, you can register it yourself.

In a browser:

1. Go to bcit.ca/safeid.
2. Enter your @my.bcit.ca email address and click the submit button.
   
3. You will be redirected to a BCIT login page. Enter your usual BCIT password and click the Sign in button.
4. Click the Register Token button at the top right.
5. On the Register Token page, enter the Serial Number printed on the back of your SafeID token.
6. Click the power button on your SafeID token and enter the first passcode that it displays in the Token Verification Code 1 field.
7. Wait for up to a minute until the second passcode displays and enter it in the Token Verification Code 2 field.
   • Note: The two passcodes that you enter must be consecutive (i.e., you can’t enter the first code that appears and then the third code that appears). If you miss entering the second code, start again with the next generated passcode in the Code 1 field and the next passcode in Code 2.
8. Click the Assign button.
9. There will be a short delay while the token registration process completes. You will know it is complete when the Status changes to “Token <serial number> has been successfully assigned to user <your my.bcit.ca email address>.”
   

Testing a registered SafeID token

To test that your SafeID token will work, in your browser:

1. Go to bcit.ca/mfasetup and login with your usual login credentials (@my.bcit.ca email address and password).
2. Select whether you would like to stay signed in on this computer/device in this browser.
3. If the SafeID token is your only registered MFA method, you will be prompted to use that method first.  To test the SafeID token, click the I can’t use my Microsoft Authenticator app right now link.
   (Note: If you have already registered an authentication app, such as the Microsoft Authenticator app, refer to instructions as previously noted above.)
   
4. Press the power button on your SafeID token and enter the provided passcode when prompted on the Enter code screen, then click the Verify button.
5. If you were successful, you will be prompted once more to decide whether you wish to remain signed in on this specific computer/device and browser. Subsequently, you will be directed to the Security info screen, where you can review all your registered MFA methods, including the SafeID token, which will be identified as “Deepnet Security <serial number>” in the list.

To review and manage your current registered MFA methods, in a browser:

1. Go to bcit.ca/mfasetup and login with your usual login credentials (myBCIT email address and password), confirming the MFA step if necessary.
2. The Security info screen will display a list of all registered MFA methods associated with your account.
   • Note: Phones will be indicated only by phone model and SafeID tokens will be listed as “Deepnet Security <serial number>”.

From here, you can also delete MFA methods (other than SafeID tokens) that you will no longer be using or add additional methods.

BCIT recommends that you use the free Microsoft Authenticator app for multi-factor authentication, and the app and SafeID token are the only methods that the IT Services Desk will be able to support you in using. One way to add additional backup MFA methods is to use the Microsoft Authenticator app and enroll multiple devices (for example, both an iPhone and an iPad).

Any authentication app that supports OATH software tokens is likely (but not guaranteed) to be compatible with MFA at BCIT, although the IT Services Desk will not be able to provide support in setting up or using these. A few of the most popular ones are:

• iOS:
  • Twilio Authy in the App Store
  • Google Authenticator in the App Store
  • LastPass Authenticator in the App Store
  • 1Password in the App Store – Note: 1Password requires a paid account. However, if you already have one and use the app, and you prefer not to install a different app on your device, and can confidently set it up and manage it independently, this could be a viable and suitable option for you.
• Android:
  • Twilio Authy in the Google Play Store
  • Google Authenticator in the Google Play Store
  • LastPass Authenticator in the Google Play Store
  • 1Password in the Google Play Store – Note: 1Password requires a paid account. However, if you already have one and use the app, and you prefer not to install a different app on your device, and can confidently set it up and manage it independently, this could be a viable and suitable option for you.

To add any new additional method, in your browser:

1. Go to bcit.ca/mfasetup and login with your usual login credentials (myBCIT email address and password), confirming the MFA step if necessary.
2. Click Add sign-in method at the top of the list of existing methods.
3. Click the Choose a method drop-down menu and select from the available options.
   • Note: To add another device with the Microsoft Authenticator app installed, or a different compatible app such as one of those listed above, choose Authenticator app. To add a device like a YubiKey, choose Security key.
4. Click the Add button.

If adding the Microsoft Authenticator app, follow the instructions to enroll your mobile device starting at step 3.

If adding a Security key such as a YubiKey, follow the instructions provided.

There are several reasons why you might want to remove your SafeID token from your list of MFA methods, such as in the case of loss or damage. However, please note that removing a SafeID token differs slightly from removing any other method, as it can only be done through the SafeID Token Service website.

In a browser:

1. Go to bcit.ca/safeid.
2. Enter your @my.bcit.ca email address and click the submit button.
   
3. You’ll be redirected to a BCIT login page. Enter your usual BCIT password and click the Sign in button.
4. Click the three vertical dots in the Actions column next to the token you wish to remove and click Unassign.
5. Click the Unassign button in the pop-up to confirm.

Note: If you are changing phones and have both phones available to you, add the new phone first and then remove the old one.

Important: Do not remove your SafeID token using these instructions. Doing so will leave the process only partially complete and you will still need to complete it using the correct method above.

To remove any other MFA method, in a browser:

1. Go to bcit.ca/mfasetup and login with your usual login credentials (myBCIT email address and password), confirming the MFA step if necessary.
2. The Security info screen will display a list of all registered MFA methods associated with your account. Find the method you want to remove and click the Delete link next to it.
3. Click Ok to confirm.

After a short delay, you will see a green confirmation message indicating that you have successfully deleted that method.