Multi-factor Authentication (MFA)
Updated: 11 March 2021 09:48 AM
What is MFA?
MFA is a highly effective cybersecurity measure, widely adopted in higher education and other sectors, that requires a user to prove their identity using another verification factor when logging into a service and adds an extra layer of security to your OCAD U account.
Verifying your identity using a second factor (like your phone or other mobile device) prevents cyber-criminals from accessing your account, even if your password has been compromised.
The first step is to register with MFA service. You will need to to have access to both your computer and your mobile phone. Register by visiting the Microsoft My Sign-Ins site on your computer and follow the steps to complete the registration.
This process requires the installation of Microsoft Authenticator on your mobile phone (detailed below). Some users may already have Authenticator for other services outside of OCAD U. The process for new users and existing users of Authenticator are slightly different. Both are documented below. The video below shows the process for first-time users of Microsoft Authenticator.
Once you are registration is complete, your MFA will be enabled within 24-48 hours when you will be automatically prompted on your phone via the new app. If you are interested in learning more about MFA, check out this Microsoft article.
It is considered a best practice to have another device with Authenticator. This device could be another phone or tablet. Having a second device configured protects you in the event your primary device is lost or damaged.
Why my phone?
MFA is an authentication method that requires proving two things--a thing you know, and a thing you have. The thing you know is your password. The thing you have is your phone (set up with Authenticator and registered as a multi-factor authentication proof.)
I do not use a personal device for work at OCAD U and I do not have an OCAD U mobile phone.
The Microsoft Authenticator application is an industry standard form of protection that attaches your account to a device you own, providing a second factor of authentication to your password. It only exists to confirm your identity with something that is owned and accessed by you and you alone to ensure that it is you signing into your account. You can also use Microsoft Authenticator to enable and use MFA for protecting personal accounts (e.g. Facebook and Gmail) in addition to your work account which is highly recommended.
I do not feel comfortable with having an OCAD U application on my phone or access to my personal device.
The Authenticator app is not owned or controlled by OCAD U. It is simply an application that verifies you are the one accessing your account at any given time and is utilized in this manner by many institutions globally.
How do I know if my device will work with the application?
The Authenticator app will always work on a device that is still supported by its manufacturer and is still receiving current operating system updates. It is a lightweight application (~144 MB) and downloadable from the app store for your device. t will work with smartphones and tablets running iOS (11.0 or higher) and Android (6.0 or higher). You can register multiple devices with Authenticator.
Does this mean I will need to pick up my device constantly throughout my work day?
No. You only need to verify your identity once per work session by logging in to https://my.ocadu.ca. For instance, once in the morning and once in the afternoon.
If my device is lost or stolen does that mean I need to report it to OCAD U and that I can’t access my account?
For your own protection, you would report the device stolen to police, your employer, and any other sites/services you are using MFA with so that the device can be removed from being associated with your account(s). This would apply whether you are using MFA or not. You would also consider using features provided by phone manufacturers to remotely wipe your device to protect your personal data. Learn more about how you can remotely wipe your device for Android or iOS. In order to continue your work, OCAD U IT would provide a bypass until such time as you receive a new device.
You can remove the lost device from your OCAD U account on the Microsoft My Sign-Ins site.
We strongly recommend that you add a secondary device to help prevent being locked out of your account if your phone is lost or not with you.
Are there any alternatives to using my device for MFA?
Not at this time. Should you have concerns or questions regarding this please contact firstname.lastname@example.org
Note: MFA is mandated by the OCAD U executive and the Audit, Finance and Risk Committee (AFRC) as a requirement for all OCAD U employee accounts.
Which services are MFA enabled?
Currently Microsoft 365, my.ocadu.ca and other Single Sign-On services including Canvas are enabled with MFA. VPN service for staff also requires MFA.
Why doesn't the Authenticator app prompt me when I sign in?
Why am I prompted again when I have already signed in to 365.ocadu.ca?
Login to https://my.ocadu.ca first to insure the authentication is recorded across other applications.
Mail client (Android mail or Apple mail) stopped working after MFA is enabled. What can I do?
Along with MFA service, legacy authentication clients including Android mail and older version of Apple mail are disabled for OCADU services. Outlook app is the only fully supported app for OCADU users.
The image above is the login screen for personal accounts and will not recognize your OCADUid. A work or school account is required. See below to add a work or school account.
It is recommended that you remove and install Outlook app to sync with 365 when MFA is activated.
Phone: 416-977-6000 x 277