2FA required for all accounts by end of 2021

FAQs

What is 2FA?

Two-Factor Authentication (2FA) is a form of multi-factor authentication that helps verify that you are the person who is logging into your account.  It reduces the risk of cyber-attacks such as phishing, malware, and other attempts to take over your account.  Specifically, 2FA verifies your identity by using two methods, or factors, of authentication: something you know (e.g. password), and something you have (e.g. mobile device). 

Why do I need this?

Security attacks are growing in complexity.  Hackers are always on the lookout for security weaknesses, and weak or stolen passwords remain their primary point of entry. Passwords alone are simply no longer enough, which is why 2FA is more important now than ever. With 2FA, even if someone has your password, chances are they don't have your device also.

Is 2FA required?

 To promote a safer online environment and to ensure protected access to all McGill systems, 2FA will be required for all accounts by the end of 2021.  If you arrived at McGill on, or after January 15, 2020, 2FA was automatically enabled on your McGill account.

When will I be prompted to authenticate with 2FA?

  • On campus - 2FA will be required to access applications that involve higher security tasks (e.g., Workday). You will not be prompted for 2FA when logging in from trusted locations or devices, such as McGill-owned computers and laptops.
  • Off campus - You will be prompted every time* you log into most applications (e.g., Office 365, myCourses, Workday, etc.) and on the Virtual Private Network (VPN).

*If you check the box "Don't ask again for 60 days", you will not be prompted again for the same application, except in the following situations:

  • You log in using a different browser or device 
  • You clear your browsing history and/or cookies
  • You log in using "incognito mode" or "private mode"
     
  • screenshot showing the option to check "Don't ask me again for 60 days"

Why is app-based authentication (e.g., Microsoft Authenticator) more secure than text-based?

When SMS (texting) and voice protocols were developed, they were designed without encryption; this means that signals can be intercepted in various ways.  Hackers can trick mobile carriers into redirecting a phone number to a new device, which is known as a SIM swap.  Once a hacker has redirected your phone number, they no longer need your physical phone to access your 2FA authentication codes.  If you sync your text messages with your laptop or tablet, a hacker could gain access to your texts by stealing your device.

An authentication app, such as Microsoft Authenticator, is safer because it doesn’t rely on your mobile carrier. The codes are in the app itself and expire quickly, usually within 30 seconds or so.  An authentication app is also faster because you need only to tap a button to verify your identity instead of manually entering a six-digit code.

I received a Microsoft Authenticator app notification and I was not trying to log in.

If you receive an authenticator app notification when you are not in the process of logging in, select "Deny" to protect your account. If you receive multiple notifications, report it to the IT Service Desk immediately. You are likely being targeted by a cybercriminal.  This is why 2FA is so important;  even if someone has your password, you can block them from accessing account with your mobile device.

Which applications are protected by 2FA?

Most McGill applications now support 2FA, particularly those that involve higher security tasks. Once you have authorized access from a specific device, you can reduce the number of times you are required to authenticate by checking the box "Don't ask again for 60 days" when prompted.

What email applications are supported for use with 2FA?

2FA requires the use of email applications that support Modern Authentication, such as Outlook. See the Index of setup instructions of McGill email for information on supported email applications and devices.

Can I still manage my McGill mailbox from an external email application/service?

IMPORTANT: Staff and faculty are not allowed to forward McGill email to a non-McGill email service; this would be a violation of the Policy on the Responsible Use of Information Technology Resources. For more information, see the IT Knowledge Base article Options for dealing with multiple email services.

What smartphone operating systems are supported?

iOS, Android, and Windows OS are currently supported by 2FA.  If your device uses a different operating system, please contact the IT Service Desk to discuss your options.

How do I change my account settings (e.g. change my phone number, etc.)?

Because your primary phone number and the Microsoft Authenticator app are probably on the same phone, it is important to set up a secondary number.  This will be the fastest way to get back into your account if your phone is lost or stolen.  In fact, it is strongly recommended to set up multiple authentication methods so that if one method becomes unavailable to you, you can choose to authenticate with another method.

For detailed instructions on adding and managing authentication methods, see the  IT Knowledge Base article: View and Modify 2FA and SSPR account settings.

What if I forget my mobile device at home/school/work?

It happens. You left your mobile device at home and now you can't use your phone to verify your identity. If you previously added another method to sign in to your account, such as your office phone, you should be able to use that method now. If you never added an additional verification method, you'll have to contact the IT Service Desk to have your account reset.

To sign in to your work or school account using another verification method:

  1. Sign in to your account normally and choose the Sign in another way link on the Two-factor verification page.
  2. If you don't see the Sign in another way link, it means that you haven't set up any other verification methods. You'll have to contact the IT Service Desk for help signing into your account.

What if my mobile device is lost or stolen?

If you've lost or had your mobile device stolen, you can either sign in using a different method (see FAQ above for instructions) or you can ask the IT Service Desk to clear your settings. We strongly recommend letting the IT Service Desk know if your phone was lost or stolen, so the appropriate updates can be made to your account. After your settings are cleared, you'll be prompted to register for 2FA the next time you sign in.

What if I get a new phone (with the same number)?

Instructions:

  1. Go to https://myprofile.microsoft.com
  2. On the "Security info" tab, click ""Update info".
  3. You will now see the list of authentication methods you set up when configuring 2FA. Next to "Microsoft authenticator" click "Delete".
  4. A window will appear asking "Are you sure you would like to delete this method?" Click "Ok".
  5. Go to https://portal.office.com/ and you should be redirected to a screen that says "More information required". Click "Next".
  6. You will now have the option to download the Microsoft Authenticator app. NOTE: If the data was transferred from your previous phone to your new one, the Microsoft Authenticator app should already be installed, just not connected to your 2FA account. If your data did not get transferred or was lost, you will need to download the Microsoft Authenticator app before proceeding. If you already have the app, click "Next".
  7. Open the Microsoft Authenticator app on your phone. If prompted, allow notifications. Then add an account, and select "Work or school".
  8. Use the Microsoft Authenticator app to scan the QR code. This will connect the Microsoft Authenticator app with your account. After you scan the QR code, choose "Next".
  9. Approve the notification sent to your phone by the app.
  10. Click "Next"on your desktop. Then click "Done".

What if I don't have a mobile phone?

Download Authy on your desktop or laptop.

How do I authenticate if I am traveling?

The Microsoft Authenticator App is recommended when you travel or need to access your McGill account while out of the country.

  • Get the app directly from the App Store (iOS) or Google Play Store (Android).
  • A push notification is sent to your device that you approve to verify your identity.
  • The app also generates a one-time authentication code every 30 seconds if the push notification is unavailable.
  • No internet connection or data are required.
  • The app is not tied to your phone number and will work if you need to purchase or rent a new SIM card.
  • No roaming fees (when using the MS Authenticator app)

If you are using text as the default authentication method, there are two ways to switch to the Authenticator app.  Note that Method 1 changes your default authentication method for all subsequent sign-ins, while method 2 allows you to use a different one-time method.

  1. Go to https://aka.ms/mfasetup. Next to Default sign-in method click Change and select Microsoft Authenticator - notification from the drop-down menu. NOTE: You must first add the Microsoft Authenticator as one of your preferred authentication methods (see arrow in screenshot below). To add it, click Add method and select Authenticator app from the drop-down menu.
    screenshot of authentication methodsscreenshot of drop down menu with authentication options
  2. When prompted to enter an authentication code select Sign in another way and choose Approve a request on my Microsoft Authenticator app or Use a verification code from my mobile app. NOTE: You must first install the Microsoft Authenticator app on your device.
    screenshot that highlights the sign in another way optionscreenshot highlighting other authentication options

What is Self-Service Password Reset (SSPR)?

Self-Service Password Reset (SSPR) is a Microsoft feature that provides 2FA users with the ability to reset their own password if they have forgotten it, or are locked out of their account.  You can reset your password using two of the authentication methods you set up when configuring 2FA, such as acknowledging a notification or text message sent to your mobile device.

NOTE: When you reset your password using SSPR you are resetting your McGill password that you use in conjunction with your McGill username.  This is the same password you use to login to your computer, Minerva, D2, etc. 

Can I have access to SSPR without opting in to 2FA?

No, you can only access SSPR if you have opted in to 2FA. SSPR is one of the benefits of opting in.

Will 2FA affect my Virtual Private Network (VPN) access?

IMPORTANT UPDATE: As of May 5, 2020, VPN access requires 2FA. Until you enable 2FA, you will receive an error message stating "Sorry, but we're having trouble signing you in" when attempting to connect.

VPN authentication steps for 2FA users:

Log in to the VPN using Cisco AnyConnect and press Connect.

You will be taken to a login form similar to the one used for connecting to Office 365. Enter your McGill username (firstname.lastname [at] mcgill.ca). If you are prompted to pick an account, select your McGill username.

The following screen will appear. Log in with your McGill username and password. 

You will be prompted for a second method of authentication, based on your 2FA default sign-in method.

Once you have authenticated, select Yes or No to choose whether you want to stay signed in.

Click Accept on the next screen to consent to the terms of using Cisco AnyConnect.

A screen will appear, confirming that you are now connected to the VPN.

 

2FA is supported by various resources including:

McGill IT Knowledge Base

Microsoft

  • Microsoft's website provides great resources and training support.

IT Service Desk

Secure your journey

Secure your journey is McGill's cybersecurity awareness campaign.  Securing your McGill journey means taking steps to protect yourself, your work, and the McGill community at large. Find tools and resources to help you at mcgill.ca/cybersafe.

Back to top