Opt in to 2FA

FAQs

What is 2FA?

Two-Factor Authentication (2FA) is a form of multi-factor authentication that helps verify that you are the person who is logging into your account.  It reduces the risk of cyber-attacks such as phishing, malware, and other attempts to take over your account.  Specifically, 2FA verifies your identity by using two methods, or factors, of authentication: something you know (e.g. password), and something you have (e.g. mobile device). 

Why do I need this?

Security attacks are growing in complexity.  Hackers are always on the lookout for security weaknesses, and weak or stolen passwords remain their primary point of entry. Passwords alone are simply no longer enough, which is why 2FA is more important now than ever. With 2FA, even if someone has your password, chances are they don't have your device also.

Is 2FA mandatory?

If you arrived at McGill...

  • prior to January 15, 2020: 2FA is considered optional for now, but will eventually be mandatory for the entire McGill community as we work toward increasing cybersecurity across campus. Information security is a top priority at McGill, therefore it is strongly recommended that you opt in to help protect your identity and secure your data.  Compromised credentials are considered the main cause of data breaches and universities are a growing target for data theft. 2FA has become the go-to method to help protect user identities. 
  • on, or after January 15, 2020: 2FA is mandatory and automatically enabled for your McGill account.
As of May 5th, 2020, 2FA will be mandatory for Virtual Private Network (VPN) access. Details

When will I be prompted to authenticate with 2FA?

  • On campus - in most cases you will not be prompted. However, 2FA will be required for access to applications that involve more secure tasks (e.g. Workday). In this case, you will be prompted every time, on both the wired and wireless networks.
  • Off campus - you will be prompted every time* you log into most browser-based applications (Office 365, D2L, Workday, etc.) and on the Virtual Private Network (VPN) as of May 5th, 2020.

*You can reduce the number of times you are asked to sign-in by checking the box "Don't ask again for 60 days" when you set up 2FA.  

I received a Microsoft Authenticator app notification and I was not trying to log in.

If you receive an authenticator app notification when you are not in the process of logging in, select "Deny" to protect your account. If you receive multiple notifications, report it to the IT Service Desk immediately. You are likely being targeted by a cybercriminal.  This is why 2FA is so important;  even if someone has your password, you can block them from accessing account with your mobile device.

Which applications are protected by 2FA?

Applications that support 2FA include Office 365, VPN, Workday, Sunlife, and other McGill web-based applications.  As McGill's 2FA deployment strategy progresses, additional applications will also require 2FA. 

What email applications are supported for use with 2FA?

  • Fully supported email app: Outlook 2016 or above (Windows/Mac/iOS/Android/Web)
  • Other recommended apps: Mail for Mac (macOS Mojave 10.14 and above), Mail app on iOS v11+
  • Supported on a best efforts basis: GNOME Evolution

Can I still manage my McGill mailbox from an external email application/service?

IMPORTANT: If you are using an email application other than Outlook, please refer to our list of supported mail applications. Many third-party email applications are not yet compatible with 2FA as they use Basic Authentication (username and password only). Due to a growing security risk, Microsoft, like other large email services, will soon be ending support for Basic Authentication. Once you enable 2FA, you will no longer be able to manage your McGill email using these applications. This also includes managing your McGill emails from external service providers like Gmail and Yahoo, however, your account will be much more secure. For more information, please contact the IT Service Desk.

What smartphone operating systems are supported?

iOS, Android, and Windows OS are currently supported by 2FA.  If your device uses a different operating system, please contact the IT Service Desk to discuss your options.

How do I change my account settings (e.g. change my phone number, etc.)?

Because your primary phone number and the Microsoft Authenticator app are probably on the same phone, it is important to set up a secondary number.  This will be the fastest way to get back into your account if your phone is lost or stolen.  In fact, it is strongly recommended to set up multiple authentication methods so that if one method becomes unavailable to you, you can choose to authenticate with another method.

For detailed instructions on adding and managing authentication methods, see the  IT Knowledge Base article: View and Modify 2FA and SSPR account settings.

What if I forget my mobile device at home/school/work?

It happens. You left your mobile device at home and now you can't use your phone to verify your identity. If you previously added another method to sign in to your account, such as your office phone, you should be able to use that method now. If you never added an additional verification method, you'll have to contact the IT Service Desk to have your account reset.

To sign in to your work or school account using another verification method:

  1. Sign in to your account normally and choose the Sign in another way link on the Two-factor verification page.
  2. If you don't see the Sign in another way link, it means that you haven't set up any other verification methods. You'll have to contact the IT Service Desk for help signing into your account.

What if my mobile device is lost or stolen?

If you've lost or had your mobile device stolen, you can either sign in using a different method (see FAQ above for instructions) or you can ask the IT Service Desk to clear your settings. We strongly recommend letting the IT Service Desk know if your phone was lost or stolen, so the appropriate updates can be made to your account. After your settings are cleared, you'll be prompted to register for 2FA the next time you sign in.

What if I get a new phone (with the same number)?

Instructions:

  1. Go to https://myprofile.microsoft.com
  2. On the "Security info" tab, click ""Update info".
  3. You will now see the list of authentication methods you set up when configuring 2FA. Next to "Microsoft authenticator" click "Delete".
  4. A window will appear asking "Are you sure you would like to delete this method?" Click "Ok".
  5. Go to https://portal.office.com/ and you should be redirected to a screen that says "More information required". Click "Next".
  6. You will now have the option to download the Microsoft Authenticator app. NOTE: If the data was transferred from your previous phone to your new one, the Microsoft Authenticator app should already be installed, just not connected to your 2FA account. If your data did not get transferred or was lost, you will need to download the Microsoft Authenticator app before proceeding. If you already have the app, click "Next".
  7. Open the Microsoft Authenticator app on your phone. If prompted, allow notifications. Then add an account, and select "Work or school".
  8. Use the Microsoft Authenticator app to scan the QR code. This will connect the Microsoft Authenticator app with your account. After you scan the QR code, choose "Next".
  9. Approve the notification sent to your phone by the app.
  10. Click "Next"on your desktop. Then click "Done".

What if I don't have a mobile phone?

Download Authy on your desktop or laptop.

How do I authenticate if I am traveling?

The Microsoft Authenticator App is recommended when you travel or need to access your McGill account while out of the country.

  • Get the app directly from the App Store (iOS) or Google Play Store (Android).
  • A push notification is sent to your device that you approve to verify your identity.
  • The app also generates a one-time authentication code every 30 seconds if the push notification is unavailable.
  • No internet connection or data are required.
  • The app is not tied to your phone number and will work if you need to purchase or rent a new SIM card.
  • No roaming fees (when using the MS Authenticator app)

If you are using text as the default authentication method, there are two ways to switch to the Authenticator app.  Note that Method 1 changes your default authentication method for all subsequent sign-ins, while method 2 allows you to use a different one-time method.

  1. Go to https://aka.ms/mfasetup. Next to Default sign-in method click Change and select Microsoft Authenticator - notification from the drop-down menu. NOTE: You must first add the Microsoft Authenticator as one of your preferred authentication methods (see arrow in screenshot below). To add it, click Add method and select Authenticator app from the drop-down menu.
    screenshot of authentication methodsscreenshot of drop down menu with authentication options
  2. When prompted to enter an authentication code select Sign in another way and choose Approve a request on my Microsoft Authenticator app or Use a verification code from my mobile app. NOTE: You must first install the Microsoft Authenticator app on your device.
    screenshot that highlights the sign in another way optionscreenshot highlighting other authentication options

What is Self-Service Password Reset (SSPR)?

Self-Service Password Reset (SSPR) is a Microsoft feature that provides 2FA users with the ability to reset their own password if they have forgotten it, or are locked out of their account.  You can reset your password using two of the authentication methods you set up when configuring 2FA, such as acknowledging a notification or text message sent to your mobile device.

NOTE: When you reset your password using SSPR you are resetting your McGill password that you use in conjunction with your McGill username.  This is the same password you use to login to your computer, Minerva, D2, etc. 

Can I have access to SSPR without opting in to 2FA?

No, you can only access SSPR if you have opted in to 2FA. SSPR is one of the benefits of opting in.

Will 2FA affect my Virtual Private Network (VPN) access?

IMPORTANT UPDATE: As of May 5, 2020, VPN access requires 2FA. Until you enable 2FA, you will receive an error message stating "Sorry, but we're having trouble signing you in" when attempting to connect.

VPN authentication steps for 2FA users:

Log in to the VPN using Cisco AnyConnect and press Connect.

You will be taken to a login form similar to the one used for connecting to Office 365. Enter your McGill username (firstname.lastname [at] mcgill.ca). If you are prompted to pick an account, select your McGill username.

The following screen will appear. Log in with your McGill username and password. 

You will be prompted for a second method of authentication, based on your 2FA default sign-in method.

Once you have authenticated, select Yes or No to choose whether you want to stay signed in.

Click Accept on the next screen to consent to the terms of using Cisco AnyConnect.

A screen will appear, confirming that you are now connected to the VPN.

 

2FA is supported by various resources including:

McGill IT Knowledge Base

Microsoft

  • Microsoft's website provides great resources and training support.

IT Service Desk

  • If you still need help, contact the IT Service Desk at itsupport [at] mcgill.ca or call 514-398-3398.
Back to top