What is Multifactor Authentication (MFA)?
Multifactor authentication (MFA) seeks to minimize the likelihood that others can access your data. Specifically, it enhances the security of your login information by using your phone, tablet or other device to verify your identity when you attempt to access Fairfield U's network and resources from an off-campus location.
It takes two items to access and update your information: “something you know” (like your password) and “something you have” (like your phone). For example, when you visit an ATM, one authentication factor is the ATM card you use to start the transaction - that’s the “something you have.” Next, you enter a PIN, which is the “something you know.” Without both of these factors, access will not be granted to your account.
Why Do I Need to Use MFA?
Passwords are becoming increasingly easy to compromise and they can be stolen, guessed, or hacked. New technology and hacking techniques combined with the limited pool of passwords most people use for multiple accounts means information online is increasingly vulnerable. In many cases, people do not realize when someone else has their password and their accounts are being accessed without authorization.
In addition, malicious emails are far too common and becoming increasingly difficult to recognize. It is easy to fall prey to these kinds of scams, most of which are used to steal account passwords. We have to take steps to ensure that we are more than just a single click away from having our paycheck stolen or becoming a victim of identity theft. Multifactor Authentication adds a second layer of security to your account to make sure that your account stays safe, even if someone else knows your password. This second factor of authentication is separate and independent from the username and password — MFA never uses or sees your password.
Who is eligible to use MFA?
The university’s implementation of MFA will include all faculty and staff.
Am I required to use two-factor authentication?
Once your NetID has been enrolled for the service, you will be required to use MFA when logging in from an off-campus location to OWA (Outlook Web Access), VPN, and my.fairfield.edu.
Does MFA see my password?
No, the university system verifies your password with its internal systems as before, and never sends it to MFA. The MFA service only provides the second factor, “something you have.” In fact, MFA stores very little information, just enough so it can do its job.
What is the definition of “Off-Campus”?
Off-campus is anywhere other than:
- Wi-Fi: FACSTAFF-S
- Wired network on campus
All Guest Wi-Fi Networks are considered off-campus locations.
How does the MFA service work at Fairfield U?
Once you have signed up for MFA, when you attempt to access a protected university application from an off-campus location, you will be prompted to enter your username and password as usual (the first “factor”). You will then be taken to the MFA screen where you will select the device of your choice and the preferred method of verification—push notification, a phone call, or a passcode—you will use to verify that it’s you (the second “factor”).
What devices can I use for the second factor?
You can use your mobile phone, a landline, or a tablet as your second factor. When you are doing your initial setup, you may add as many devices as you like (landline and/or mobile). Subsequently, when you are logging in you can choose which device the authentication request is sent to and which authentication method you would like (via Duo Mobile App, SMS text message, or phone call).
Is there a limit on the number of MFA devices?
There is no limit on the number of devices that can be added. We recommend that all users add at least 2 devices, such as a cellphone/smartphone and a landline/desk phone.
How long does it take to enroll/register a device for MFA?
Typically, 5 minutes or less. ITS Help Desk can help with the setup process, if required.
Do I need to have a smartphone to use MFA?
No, you can also use a cell phone (“flip phone”), landline (such as your office or home phone), or tablet. Smartphones provide the most flexibility and ease of use via the mobile app and are recommended.
Does it cost me money to authenticate with my phone?
“Push” authentication uses a very small amount of Internet data traffic to function (a few kilobytes per login). Text messages and voice calls are sent only when you request them, and would be billed by your carrier like any other text message or inbound voice call. The Duo Mobile app also works like a token and will generate a passcode. This functionality does not require any data and works even when your smartphone is in “airplane” mode.
What if I don’t have a data plan on my phone?
The Duo smartphone app provides options that work without a data plan, a texting plan or even a connection, if necessary. The app can generate the required code without need of either a cell signal or data plan, and it can do so anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t, you can use the app to generate a six-digit code and enter that instead.
Can I use the MFA app internationally?
The MFA smartphone app is designed to work internationally. If you install the app, it can generate the required code without need of either a telephone signal or data plan, and it can do this anywhere in the world. If you have a signal and data plan, the app makes two-factor authentication as easy as pushing a single button, but if you don’t have one of those two things, you can use the app to generate a six-digit code and enter that manually.
Can the system handle international phone numbers?
Yes, MFA can handle international phone numbers. If entering an international phone number, you can leave a space between country code, city code, and the phone number.
How often do I need to use the second factor authentication?
You will be required to use MFA every time you log in to the VPN service when off-campus. When signing into OWA and my.fairfield.edu, you will have the option to remember your session for 24 hours. If you select this option, you will not be required to use MFA on those services if you sign in again on the same device within 24 hours. This functionality is also browser-based, so if you switch browsers, the system will prompt you for MFA again even if you selected the option to remember your previous session.
What if I forget my smartphone at home?
We encourage users to set up multiple authentication devices with MFA, so that when one method is unavailable, you have others from which to choose. For example, you could set up your smartphone for “push” and also your office phone and home phone to do callback. If none of your devices is available, contact the ITS Help Desk and they will be able to provide a one-time code after verifying your identity.
What happens if I lose my phone?
Contact the ITS Help Desk immediately if you lose your phone or suspect that it's been stolen. The support specialist will disable it for MFA and help you log in using a one-time code. While it's important that you contact the Help Desk if you lose your phone, remember that your password will still protect your account.
I’ve selected to automatically send push notifications to my phone, but I need to authenticate using another device.
If you have checked the box that allows you to send a push to your mobile phone, you will automatically receive push notifications every time you are required to use MFA. The rest of the Duo screen will then be blurred out.
If you need to push the notification to another device, hit CANCEL at the bottom right of the screen. This will allow you to authenticate with another previously-registered device. If you no longer wish to receive automatic push notifications, uncheck the box next to “Automatically send a push”. You can then Log In to your desired page or manage your devices.
What if I don’t have a mobile connection?
The Duo Mobile App can generate a passcode without a cellular or wireless connection. This number can then be typed on the authentication screen for your second factor. Alternatively, you may use a landline phone if an internet connection is unavailable, assuming you have already set up this device type.
What is the user experience if you are using your phone or an iPad on a cellular network or on a non-Fairfield Wi-Fi network and need to log in?
You will be prompted for MFA since this is considered an off-campus network. If the registered device is the same as the one being used to log in, the Duo app will notify you and prompt for confirmation, and you can confirm access the usual way. Alternatively, a secondary device can also be used to confirm the MFA.
Why am I unable to see the full Duo prompt in the Safari browser?
Only 2 authentication methods are visible and the option to "Push" is not available.
This is a known issue in the Safari browser due to the default settings enabled by the browser. To fix this, follow the steps below:
- Open ..
- Click ...
Scrollbars will be visible now in the Duo prompt and any hidden text will be accessible by scrolling down in the window.
MFA Device Management
How do I add a new device or manage an existing one?
Please refer to the MFA Self-Service Guides for instructions on managing devices and enrolling/registering a new phone, tablet, or desk phone. You have the option to manage devices either from the MFA prompt during login or via the Device Management Portal created specifically for this purpose.
What happens if I upgrade or replace my phone with the same number?
If you have a new phone with the same number, it can be activated using the same steps as before. See the section on MFA Self-Service for directions on how to enable the mobile app and activate MFA Service.