Multi-Factor Authentication

What is Multi-Factor Authentication (MFA)?

As cybersecurity threats become increasingly sophisticated, Queen's is joining institutions around the world in adopting multi-factor authentication (MFA) as a way to keep our employees’ digital assets, information and user identities safe. Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to services only after successfully presenting two or more pieces of evidence to prove their identity. MFA-enabled services at Queen's University use Microsoft's Azure MFA. 

MFA at Queen's

Learn more about how multi-factor authentication (MFA) is integrated into applications and onboarding at Queen's.

Multi-factor authentication protected applications can prompt for MFA as short as every 4 hours to up to 30 days depending on the security settings of the application. MFA may only be applied to those accounts that have enrolled in MFA or access could be blocked unless the user has MFA setup on their account.

Multi-Factor Authentication-Protected Applications

Application Name MFA Session Time Group(s) MFA Applied to
acQuire 12 hours Staff, students, faculty who have enrolled in MFA
Campus VPN Matches VPN session Time Staff, students, faculty who have enrolled in MFA
Data Centre VPN Matches VPN session Time All - enforced  
FAST 4 hours Staff, students, faculty who have enrolled in MFA
Library Systems - Omni / Proxy 12 hours Staff, students, faculty who have enrolled in MFA
Office 365 - All applications (Exchange Online, Teams, One Drive, SharePoint etc.) 30 days Staff, students, faculty who have enrolled in MFA
PeopleSoft Finance 4 hours Staff, students, faculty who have enrolled in MFA
PeopleSoft HR 4 hours Staff, students, faculty who have enrolled in MFA
ServiceNow 30 days Administrators/ITS Staff only
SOLUS 30 days All - enforced
Tableau 12 hours All - enforced
Windows Virtual Desktop (Azure WVD) 30 days Staff, students, faculty who have enrolled in MFA

All Queen's Staff are required to enrol in MFA to access services such as Office 365 and PeopleSoft.

To learn more about MFA , visit the MFA Service Page.

New Employees - First Logon

When a new employee logs into an MFA protected application for the first time, they will be prompted to register for MFA.

A screenshot of the login page showing option to skip enrolling in MFA or to set up enrolment now.

If the employee is prepared to register for MFA, they can click Next to proceed with setup either via the Microsoft Authenticator App or SMS text on their mobile device. If they wish to delay registration they can select the Skip for now link and proceed to the application as normal. 

Those that skip the registration will have 14 days from that time to enrol in MFA. They will be prompted to enrol each time they log into an application and will be able to use the skip for now option until the 14 runs out, at which time they will not be able to log in until they have registered. It is important to register before the end of the 14 days to maintain access to email. 

Hardware Tokens

For employees that do not have a mobile device or do not wish to use their personal device for authentication, MFA Hardware Tokens can be requested using the MFA Token Request Form - be sure to indicate this request is for a new employee as the token may take more than 14 days to arrive if being mailed to the employees home. The employee will be removed from the MFA registration policy to ensure they do not lose access while waiting for their token.

 

Returning Employees - less than 1 year

Employees who have registered for MFA and have been on leave, or have returned within 1 year of previous employment will be required to use MFA immediately. If the employee no longer has the same mobile phone or had disposed of their hardware token they should contact the IT Services Support centre to have their previous authentication settings wiped from their account, enabling them to re-enrol.

 

All students who are registered in Queen's courses are required to enrol in MFA. Enrolling allows students to access services such as Office 365 and SOLUS. Please note that MFA is not available for applicants at this time.

MFA Enrollment Process

Step 1: Install the Microsoft Authenticator app on your mobile device prior to enrolling in MFA. The app is available for both Android and iOS

Step 2: Open a web browser on your computer or mobile device and navigate to the MFA enrolment page

Unenrolled Students

Once per term, registered students who have not yet enrolled in MFA will be prompted to enroll when accessing an MFA-protected service. The below message will appear:

A screenshot of the login page showing option to skip enrolling in MFA or to set up enrolment now.

If you are prepared to register for MFA, click Next to proceed with setup. It is strongly recommended that you install and use the Microsoft Authenticator App for your second factor as it does not rely on cellular phone service, which becomes very important when travelling abroad or changing your phone number. You can select the Skip for now link to delay registration for 14 days and proceed to the protected application as normal. 

It is important to register before the end of the 14 days to maintain access to MFA protected services. 

To learn more about MFA, please visit the MFA Service Page.

 

Enrolling in MFA

Enrolling in MFA is easy. Check out our service page in the knowledge base to learn how to get started.

Multi-Factor Authentication

How to Sign in Using MFA

Once you've enabled MFA, it's easy to sign in to applications. Check out our tutorials in the knowledge base for more information.

Signing in with MFA

Configuring the Microsoft Authenticator App

Log into the MFA Registration Site with your NetID@queensu.ca credentials to select your preferred authentication method. IT Services strongly recommends that users enroll in MFA using the Microsoft Authenticator App, available from the Apple App Store or the Google Play Store. Check out our tutorial to learn how to configure the Authenticator app.

View the Tutorial