Getting started with 2FA

Why do I need 2FA?

Security attacks are growing in complexity. Hackers are always looking for security weaknesses, and weak or stolen passwords remain their primary entry point. Passwords alone are no longer enough, so 2FA is more important now than ever. With 2FA, even if someone has your password, chances are they don't have your device also.

Is 2FA required?

Yes, 2FA is required for all McGill accounts. As of January 2020, all new McGill accounts are automatically enabled with 2FA. Throughout 2021, all remaining student, staff, and faculty accounts were enabled with 2FA.

When will I be prompted to authenticate with 2FA?

In our ongoing efforts to ensure maximum security, we have changed the frequency of authentication prompts. Users will no longer be prompted to authenticate every 60 days. There will no longer be a prompt check box that says, "Don't ask again for 60 days." 

It is important to note that accessing applications with different levels of security tasks will require different authentication frequency prompts:

Security level	Authentication frequency
Low	Every 30 days
Medium	Weekly
High	Daily
VPN authentication	Per use

This applies to all staff, faculty, and students working at McGill, regardless of whether a user is on or off campus.

These measures are crucial in protecting our digital ecosystem. 

Why is app-based authentication (e.g., Microsoft Authenticator) more secure than text-based?

When SMS (texting) and voice protocols were developed, they were designed without encryption, meaning signals can be intercepted in various ways. Hackers can trick mobile carriers into redirecting a phone number to a new device, which is known as a SIM swap. Once a hacker has redirected your phone number, they no longer need your physical phone to access your 2FA authentication codes. If you sync your text messages with your laptop or tablet, a hacker could access your texts by stealing your device.

An authentication app like Microsoft Authenticator is safer because it doesn’t rely on your mobile carrier. The codes are in the app and expire quickly, usually within 30 seconds. An authentication app is also faster because you only need to tap a button to verify your identity instead of manually entering a six-digit code.

What mobile device operating systems are supported?

2FA currently supports iOS, Android, and Windows OS. Please contact the IT Service Desk to discuss your options if your device uses a different operating system.

What if I don't have access to a landline, cellphone, smartphone or tablet?

Download OneAuth on your desktop or laptop. If this is not an option, contact the IT Service Desk.

What email applications are supported for use with 2FA?

2FA requires email applications that support Modern Authentication, such as Outlook. See the Index of setup instructions of McGill email for information on supported email applications and devices.

Can I still manage my McGill mailbox from an external email application/service?

IMPORTANT: Staff and faculty are not allowed to forward McGill email to a non-McGill email service; this would violate the Policy on the Responsible Use of Information Technology Resources. For more information, see the IT Knowledge Base article Options for dealing with multiple email services.

What is Self-Service Password Reset (SSPR)?

Self-Service Password Reset (SSPR) is a Microsoft feature that provides 2FA users with the ability to reset their password if they have forgotten it or are locked out of their account. You can reset your password using two authentication methods you set up when configuring 2FA, such as acknowledging a notification or text message sent to your mobile device.

NOTE: When you reset your password using SSPR, you reset the McGill password you use in conjunction with your username. This is the same password you use to log in to your computer, Minerva, D2, etc.

---

2FA account settings, issues, and other questions

How do I change my 2FA account settings?

Because your primary phone number and the Microsoft Authenticator app are probably on the same phone, setting up a secondary number is important. This will be the fastest way to get back into your account if your phone is lost or stolen. It is strongly recommended to set up multiple authentication methods so that if one method becomes unavailable to you, you can choose to authenticate with another method.

For detailed instructions on adding and managing authentication methods, see the IT Knowledge Base article: View and Modify 2FA and SSPR account settings.

I received a Microsoft Authenticator app notification, and I was not trying to log in.

If you receive an Authenticator app notification when you are not in the process of logging in, it may be coming from a secondary device (e.g., a device that your spouse or child is logging into). If you are unaware of someone authorized to log into a secondary device, select "Deny" to protect your account and report it to the IT Service Desk immediately.

What if I forget my mobile device at home, school, or work?

It happens. You left your mobile device at home, and now you can't use your phone to verify your identity. If you previously added another method to sign in to your account, such as your office phone, you should be able to use that method now. Otherwise, you'll have to contact the IT Service Desk to have your account reset.

To sign in to your work or school account using another verification method:

1. Sign in to your account normally and choose the Sign in another way link on the Two-factor verification page.
2. If you don't see the Sign in another way link, you haven't set up other verification methods. You'll have to contact the IT Service Desk for help signing into your account.

What if my mobile device is lost or stolen?

If you've lost or had your mobile device stolen, you can either sign in using a different method (see FAQ above for instructions) or ask the IT Service Desk to clear your settings. We strongly recommend letting the IT Service Desk know if your phone was lost or stolen so that the appropriate updates can be made to your account. After your settings are cleared, you'll be prompted to register for 2FA the next time you sign in.

What if I get a new device but keep the same number?

If text is your primary authentication method, no action is required.

If Microsoft Authenticator is your primary 2FA authentication method, you will need to take the following steps:

1. Go to https://myprofile.microsoft.com
2. On the Security info tab, click Update info.
3. You will now see the list of authentication methods you set up when configuring 2FA. Next to Microsoft Authenticator, click Delete.
4. A window will appear asking Are you sure you would like to delete this method? Click Ok.
5. Go to https://portal.office.com/ and you should be redirected to a screen that says More information required. Click Next.
6. You will now have the option to download the Microsoft Authenticator app. Note: If the data was transferred from your previous phone to your new one, the Microsoft Authenticator app should already be installed, just not connected to your 2FA account. If your data was not transferred or lost, you must download the Microsoft Authenticator app before proceeding. If you already have the app, click Next.
7. Open the Microsoft Authenticator app on your phone. If prompted, allow notifications. Then add an account, and select Work or school.
8. Use the Microsoft Authenticator app to scan the QR code. This will connect the Microsoft Authenticator app to your account. After you scan the QR code, choose Next.
9. Approve the notification sent to your phone by the app.
10. Click Next on your desktop. Then click Done.

What if I change my number but keep the same mobile device?

If Microsoft Authenticator is your primary 2FA authentication method, no action is required.

If text is your primary 2FA authentication method, you must update your 2FA authentication methods before your number is changed. Once the old number is gone, you will not be able to authenticate with 2FA if the old number is still associated with your account. Since you may not know what your new number will be, you have a few options:

1. You can select another option as your primary authentication method (e.g., Microsoft Authenticator app).
2. You can assign another number temporarily, either another mobile device or a home phone.

For instructions on modifying your authentication methods, see the IT Knowledge Base article View and modify 2FA and SSPR account settings.

How do I authenticate when I am traveling?

The Microsoft Authenticator App is recommended when you travel or need to access your McGill account while out of the country. Get the app directly from the App Store (iOS) or Google Play Store (Android). The app does not require an internet connection or data. There are no roaming fees when using the app.

The Microsoft Authenticator App will:

• Verify your identity by sending a push notification to your device for you to approve
• Generates a one-time authentication code every 30 seconds if the push notification is unavailable
• Work if you need to purchase or rent a new SIM card.

If you are using text as the default authentication method, there are two ways to switch to the Authenticator app. Note that Method 1 changes your default authentication method for all subsequent sign-ins, while Method 2 allows you to use a different one-time method.

To switch to the Authenticator app:

1. Go to https://aka.ms/mfasetup.
2. Next to Default sign-in method click Change and select the Microsoft Authenticator notification from the drop-down menu. NOTE: You must first add the Microsoft Authenticator as one of your preferred authentication methods (see arrow in screenshot below). To add it, click Add method and select Authenticator app from the drop-down menu.
   
   
   
   
3. When prompted to enter an authentication code, select Sign in another way and choose Approve a request on my Microsoft Authenticator app or Use a verification code from my mobile app. Note: You must first install the Microsoft Authenticator app on your device.
   
   

---