What is Multi-Factor Authentication (MFA)?
As cybersecurity threats become increasingly sophisticated, Queen's is joining institutions around the world in adopting multi-factor authentication (MFA) as a way to keep our employees’ digital assets, information and user identities safe. Multi-Factor Authentication (MFA) is an authentication method in which a user is granted access to services only after successfully presenting two or more pieces of evidence to prove their identity. MFA-enabled services at Queen's University use Microsoft's Azure MFA.
MFA at Queen's
Learn more about how multi-factor authentication (MFA) is integrated into applications and onboarding at Queen's.
Multi-factor authentication protected applications can prompt for MFA as short as every 4 hours to up to 30 days depending on the security settings of the application. MFA may only be applied to those accounts that have enrolled in MFA or access could be blocked unless the user has MFA setup on their account.
|Application Name||MFA Session Time||Group(s) MFA Applied to|
|Campus VPN||Matches VPN session Time||Staff, Students, Faculty who have enrolled in MFA|
|Data Centre VPN||Matches VPN session Time||All - Enforced|
|Office 365 - All applications (Exchange Online, Teams, One Drive, SharePoint etc.)||30 days||Staff, Students, Faculty who have enrolled in MFA|
|PeopleSoft Finance||4 hours||Staff, Students, Faculty who have enrolled in MFA|
|PeopleSoft HR||4 hours||Staff, Students, Faculty who have enrolled in MFA|
|ServiceNow||30 days||Administrators/ITS Staff only|
|Windows Virtual Desktop (Azure WVD)||30 days||Staff, Students, Faculty who have enrolled in MFA|
All Queen's Staff are required to enrol in MFA to access services such as Office 365 and PeopleSoft.
To learn more about MFA , visit the MFA Service Page.
New Employees - First Logon
When a new employee logs into an MFA protected application for the first time, they will be prompted to register for MFA.
If the employee is prepared to register for MFA, they can click Next to proceed with setup either via the Microsoft Authenticator App or SMS text on their mobile device. If they wish to delay registration they can select the Skip for now link and proceed to the application as normal.
Those that skip the registration will have 14 days from that time to enrol in MFA. They will be prompted to enrol each time they log into an application and will be able to use the skip for now option until the 14 runs out, at which time they will not be able to log in until they have registered. It is important to register before the end of the 14 days to maintain access to email.
For employees that do not have a mobile device or do not wish to use their personal device for authentication, MFA Hardware Tokens can be requested using the MFA Token Request Form - be sure to indicate this request is for a new employee as the token may take more than 14 days to arrive if being mailed to the employees home. The employee will be removed from the MFA registration policy to ensure they do not lose access while waiting for their token.
Returning Employees - less than 1 year
Employees who have registered for MFA and have been on leave, or have returned within 1 year of previous employment will be required to use MFA immediately. If the employee no longer has the same mobile phone or had disposed of their hardware token they should contact the IT Services Support centre to have their previous authentication settings wiped from their account, enabling them to re-enrol.
Configuring the Microsoft Authenticator App
Log into the MFA Registration Site with your NetID@queensu.ca credentials to select your preferred authentication method. IT Services strongly recommends that users enroll in MFA using the Microsoft Authenticator App, available from the Apple App Store or the Google Play Store. Check out our tutorial to learn how to configure the Authenticator app.View the Tutorial