Super short version

Various web services at Umeå University require MFA/2FA when logging in with your Umu-id. This reduces the risk of your account ending up in the wrong hands just because someone managed to guess your password.

Using your mobile phone (private or work) with an Authenticator app is the best option, but other options (such as a YubiKey hardware key) exist.

Note: The CS-account will introduce MFA some time after Umu-id MFA is finished.

How to activate MFA

Introduction

We are employees of a government entity, Umeå University. Some time ago, the Swedish Civil Contingencies Agency (MSB) decided that all government entities should use Multi/Two Factor Authentication for accessing services available over the Internet.

What is Multi/Two Factor Authentication?

Normally you have a username + password to log in. Unfortunately, this information can get into the wrong hands, and then someone can act "as you" for malicious purposes.

To protect against this, the normal method is to take "something you know" (password) and add "something you have" (a hardware key or similar) or "something you are" (biometrics like fingerprint/eyes/..).

UmU centrally proposes that we use a mobile phone with the Microsoft Authenticator app as "something you have". This can either be your personal phone (which you probably always bring with you) or a work phone (if you have one). If you already have some other MFA application on your phone (FreeOTP, AndOTP, ..) that supports TOTP you can use that for the Umu MFA as well (if you don't understand this sentence, then you don't need to care).

Umeå University centrally prefers that you only have a single device for MFA (i.e. no redundancy / fallback), and if you forget/destroy your device you need to go and talk to ITS to recover the account (or to use Freja eID+ as an alternative authentication to setup additional MFA devices).

CS Support mostly disagrees with this (explicitly non-redundant) approach, and prefers that you have multiple redundant MFA methods available (i.e. on more than one phone, or one phone and one hardware key, or similar) to handle unforeseen circumstances.

Step 1 is nonetheless to set up MFA on at least one device, and the quick and easy (and self-managed) method is to install the Microsoft Authenticator app on your phone and follow the activation instructions. If you are not comfortable with installing/running this kind of work software on your personal phone, talk to Support and we'll provide you with an alternative solution in the form of a hardware USB key (YubiKey).

The YubiKey hardware key looks like this, and we'll mainly use the smallest versions (the three to the right). The USB-A (regular USB) key is so small that it barely sticks out of the port (and can therefore safely be left connected when you put your laptop in your bag). [Image: YubiKeys]

Umu-id will start enforcing MFA really soon: for employees in our faculty, April 13th (2022-04-13) is the deadline. Other faculties will introduce MFA later, and some faculties are already using it. Some administrative services already require it regardless of which faculty you're employed at.

We will need to enable it for CS accounts as well; we'll take this as a later step.

Why should we have this?

Because just using username + password is not good enough anymore. We need to have stronger assurance that "you are you".

FAQ:

  • Q: So what should I do to setup MFA?

    A: Go to the Setup MFA page and follow the instructions.

  • Q: How do I set it up with a YubiKey hardware dongle?

    A: Go to the YubiKey page and follow the instructions.

  • Q: I don't want this, seems like it will be more work for me.

    A: Unfortunately, you're right: it is slightly more work for you, but it makes things much, much harder for a malicious actor. Given the state of the Internet today, we need this.

  • Q: How often will I need to use this? Every login? Every day? Every week?

    A: For the Umu account, Office 365 desktop apps will ask about once per month. Web services more often - for some, every login.

  • Q: If I forget my phone and need to login at work, what do I do?

    A:

    • Option a) Go home and get it.
    • Option b) Have a redundant MFA device (as we propose).
    • Option c) Visit Infocenter (with ID card) to get a one-time-code.
    • Option d) Use Freja eID+ to authenticate to Umu and setup an additional MFA device.

  • Q: Will all phishing/login attacks be stopped if we enable this?

    A: Unfortunately not. Active, directed attacks on us will be a lot harder, but still possible. "Spray and pray" attacks, where attackers gather long lists of known passwords and just try them at random across the Internet, will not succeed at all.

  • Q: I have enabled this and I'm using Microsoft Authenticator. I just got a notice that "I" was logging in and need verification, but I wasn't trying to login! Help!

    A: This could either be one of your devices trying to auto-login again, or it could be a malicious actor trying to hack you. When in doubt, decline. Only verify accesses that you yourself started, just like when you're using BankID (another form of MFA).

  • Q: How will the hardware key work?

    A: You run a small piece of software on the computer that will give you the second factor, but to activate it you also have to touch the hardware key (to prove that you're present and a human). Cryptography is involved to make sure that it's the right key for you, etc.

  • Q: But I don't have much important stuff on my account, what does it matter?

    A: Your account can be used for quite a lot, and it can also bring bad reputation to the university as a whole. Google for Ransomware if you want to see more bad things.

  • Q: What happens if I keep ignoring this?

    A: More and more services will start requiring this, meaning you will be unable to use Office365, apply for vacation, and other services.

  • Q: What happens if I lose my phone?

    A: If you have redundancy, use that. If not, InfoCenter can issue temporary codes.

  • Q: I am changing phones, what to do?

    A: Add MFA on the new phone before getting rid of / wiping the old.

  • Q: Can I have multiple phones with Microsoft Authenticator?

    A: Yes, but you will get popups on all of them, and "the other(s)" won't be dismissed when you approve the login on one of them. It might be better to have the standby phone in TOTP mode (using "I want to use a different authenticator app" in the "Add a method" step).

  • Q: Help!

    A: Talk to CS Support.
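The "How will the hardware key work?" answer above describes touch-to-prove-presence and cryptography that ties the login to the right key. The following is an added, constructed model of that exchange (not part of the original page, and not YubiKey's, Microsoft's or Umu's code). Real keys under FIDO2/WebAuthn sign with a private key that never leaves the device and the server keeps only the public key; here an HMAC with a secret shared at enrolment stands in for that signature so the example runs with the Python standard library alone. The origin names, user name and flag layout are assumptions for the demonstration.

```python
import hashlib
import hmac
import os
import struct

# Constructed, simplified model of a hardware-key login. The HMAC secret shared at
# enrolment is a stand-in for a real key's private/public key pair.
FLAG_USER_PRESENT = 0x01  # set only when the user physically touched the key


class HardwareKey:
    """The 'something you have': holds the credential secret and a signature counter."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)
        self.counter = 0

    def enrol(self) -> bytes:
        """Data handed to the server at enrolment (stand-in for the public key)."""
        return self._secret

    def assert_login(self, origin: str, challenge: bytes, touched: bool) -> dict:
        """Answer a login challenge. Without a touch the presence flag stays clear."""
        self.counter += 1
        flags = FLAG_USER_PRESENT if touched else 0
        # The key signs the origin the browser reports, so a response produced for a
        # look-alike site does not verify at the real one.
        auth_data = (hashlib.sha256(origin.encode()).digest()
                     + bytes([flags]) + struct.pack(">I", self.counter))
        signature = hmac.new(self._secret, auth_data + challenge, hashlib.sha256).digest()
        return {"auth_data": auth_data, "signature": signature}


class Server:
    """Relying party: issues fresh challenges and verifies the key's response."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.credentials: dict[str, tuple[bytes, int]] = {}

    def register(self, user: str, key: HardwareKey) -> None:
        self.credentials[user] = (key.enrol(), 0)

    def new_challenge(self) -> bytes:
        return os.urandom(32)  # fresh per login, so an old response cannot be replayed

    def verify(self, user: str, challenge: bytes, response: dict) -> bool:
        secret, last_counter = self.credentials[user]
        auth_data = response["auth_data"]
        expected = hmac.new(secret, auth_data + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response["signature"]):
            return False  # wrong key for this user, or tampered response
        if auth_data[:32] != hashlib.sha256(self.origin.encode()).digest():
            return False  # signed for a different site
        if not auth_data[32] & FLAG_USER_PRESENT:
            return False  # nobody touched the key
        counter = struct.unpack(">I", auth_data[33:37])[0]
        if counter <= last_counter:
            return False  # replayed response or cloned key
        self.credentials[user] = (secret, counter)
        return True


def demo() -> tuple[bool, bool, bool, bool]:
    """Returns (genuine login ok, untouched key rejected, wrong-origin response
    rejected, replayed response rejected) for a constructed user 'alice'."""
    key, server = HardwareKey(), Server("https://login.example.test")
    server.register("alice", key)
    c1 = server.new_challenge()
    first = key.assert_login(server.origin, c1, touched=True)
    ok = server.verify("alice", c1, first)
    c2 = server.new_challenge()
    no_touch = server.verify("alice", c2, key.assert_login(server.origin, c2, touched=False))
    c3 = server.new_challenge()
    wrong_origin = server.verify(
        "alice", c3, key.assert_login("https://login.example-lookalike.test", c3, touched=True))
    replay = server.verify("alice", c1, first)
    return ok, no_touch, wrong_origin, replay


if __name__ == "__main__":
    print(demo())  # expect (True, False, False, False)
```

The four checks in `verify` are the practical content of "cryptography is involved": the signature proves it is the enrolled key, the origin hash ties the response to the real site, the presence flag is the touch, and the counter catches a replayed or cloned response.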