What is Multi-Factor Authentication (MFA)?
As cybersecurity threats become increasingly sophisticated, Queen's is joining institutions around the world in adopting multi-factor authentication (MFA) as a way to keep our employees’ digital assets, information and user identities safe. Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to services only after successfully presenting two or more pieces of evidence to prove their identity. MFA-enabled services at Queen's University use Microsoft's Azure MFA.
MFA at Queen's
Learn more about how multi-factor authentication (MFA) is integrated into applications and onboarding at Queen's.
Multi-factor authentication protected applications can prompt for MFA as short as every 4 hours to up to 30 days depending on the security settings of the application. MFA may only be applied to those accounts that have enrolled in MFA or access could be blocked unless the user has MFA setup on their account.
Check out the full list of MFA-protected applications (you will be prompted to enter you NetID and password).
All Queen's Staff are required to enrol in MFA to access services such as Office 365 and PeopleSoft.
To learn more about MFA , visit the MFA Service Page.
New Employees - First Logon
When a new employee logs into an MFA protected application for the first time, they will be prompted to register for MFA.
If the employee is prepared to register for MFA, they can click Next to proceed with setup either via the Microsoft Authenticator App or SMS text on their mobile device. If they wish to delay registration they can select the Skip for now link and proceed to the application as normal.
Those that skip the registration will have 14 days from that time to enrol in MFA. They will be prompted to enrol each time they log into an application and will be able to use the skip for now option until the 14 runs out, at which time they will not be able to log in until they have registered. It is important to register before the end of the 14 days to maintain access to email.
For employees that do not have a mobile device or do not wish to use their personal device for authentication, MFA Hardware Tokens can be requested using the MFA Token Request Form - be sure to indicate this request is for a new employee as the token may take more than 14 days to arrive if being mailed to the employees home. The employee will be removed from the MFA registration policy to ensure they do not lose access while waiting for their token.
Returning Employees - less than 1 year
Employees who have registered for MFA and have been on leave, or have returned within 1 year of previous employment will be required to use MFA immediately. If the employee no longer has the same mobile phone or had disposed of their hardware token they should contact the IT Services Support centre to have their previous authentication settings wiped from their account, enabling them to re-enrol.
All students who are registered in Queen's courses are required to enrol in MFA. Enrolling allows students to access services such as Office 365 and SOLUS. Please note that MFA is not available for applicants at this time.
MFA Enrollment Process
For students who wish to use a mobile device for their second authentication factor, follow the steps below:
- Step 1: Install the Microsoft Authenticator app on your mobile device prior to enrolling in MFA. The app is available for both Android and iOS.
- Step 2: Open a web browser on your computer or mobile device and navigate to the MFA enrolment page.
For students that do not have a mobile device or do not wish to use their personal device for authentication, MFA Hardware Tokens can be requested using the MFA Token Request Form.
Registered students who have not yet enrolled in MFA will be prompted to enroll when accessing an MFA-protected service. The below message will appear:
If you are prepared to register for MFA, click Next to proceed with setup. It is strongly recommended that you install and use the Microsoft Authenticator App for your second factor as it does not rely on cellular phone service, which becomes very important when travelling abroad or changing your phone number. You can select the Skip for now link to delay registration for 14 days and proceed to the protected application as normal.
It is important to register before the end of the 14 days to maintain access to MFA protected services.
To learn more about MFA, please visit the MFA Service Page.
Accounts requested for special purposes, such as generic and shared accounts, are also required to enrol in MFA. When a new generic account is created, it will be prompted to enrol in MFA upon first logon to any Azure-Integrated application (such as Microsoft 365 or OnQ).
Recommendations for Shared Accounts
- Use the Microsoft Authenticator app with the default method set to: “App-based authentication" or "Hardware token – code"
- Request a hardware token for access to a generic account if you do not have a mobile device. MFA Hardware Tokens can be requested using the MFA Token Request Form.
Review full recommendations (including opt-out option) by checking out our detailed MFA Recommendations for Generic Accounts.
Configuring the Microsoft Authenticator App
Log into the MFA Registration Site with your NetID@queensu.ca credentials to select your preferred authentication method. IT Services strongly recommends that users enroll in MFA using the Microsoft Authenticator App, available from the Apple App Store or the Google Play Store. Check out our tutorial to learn how to configure the Authenticator app.View the Tutorial