This article provides a broad overview of Multi-factor Authentication (MFA) and how it is used to secure university systems and information. This is meant for all North Central students, staff, and faculty.
Overview
Multi-factor authentication (MFA) is used to ensure that digital users are who they say they are by requiring that they provide at least two pieces of evidence to prove their identity. Each piece of evidence must come from a different category: something they know, something they have or something they are.
If one of the factors has been compromised by a hacker or unauthorized user, the chances of the other factor also being compromised are low, so requiring multiple authentication factors provides a higher level of assurance about the user’s identity.
MFA is crucial in securing your account and NCU data and services.
What are the benefits of multi-factor authentication?
Passwords are the most common way to authenticate your online identity, but they increasingly provide very little protection. Once a password is stolen, hackers can use those credentials to log into many applications and NCU systems, bypass other access controls and wreak serious havoc on our campus operations.
Multi-factor authentication provides a layer of protection for both employees and students that addresses these weaknesses. It diminishes the ripple effect of compromised credentials; a bad actor may steal your username and password, but if they’re prompted for another factor before they can access critical data, make a transaction or log into your email, they are stopped in their tracks.
MFA can also be a key requirement when it comes to complying with certain federal or industry regulations. For example, several federal governing bodies now require, or soon will require, that MFA be implemented in certain situations to prevent unauthorized users from accessing systems that process payment transactions or contain financial, FERPA or HIPAA protected information. It’s also a key part of meeting strong authentication requirements dictated by recent changes to the GLBA safeguards and is a requirement for NCU to receive grants via several federal entities such as the Department of Defense (DOD).
How does multi-factor authentication work?
A user's credentials must come from at least two of three different categories, or factors. Two-factor authentication, or 2FA, is a subset of MFA where only two credentials are required, but MFA can use any number of factors. In short, the three factors are something you know, something you have, and something you are.
- Something you know (knowledge): The most common example of this factor is, of course, the password, but it could also take the form of a PIN, or even a passphrase--something only you would know. Some organizations may also set up knowledge-based authentication like security questions (e.g., "What is your mother's maiden name?"), but basic personal information can often be discovered or stolen through researching social media sites and phishing, which makes it less than ideal as an authentication method on its own.
- Something you have (possession): It's much less likely that a hacker has stolen your password AND stolen something physical from you, so this factor confirms that you are in possession of a specific item. This category includes mobile phones, physical tokens, key fobs and smartcards. There are a few ways that this authentication works, depending on the item, but some common methods include confirming via a mobile app or pop-up notifications from your mobile phone, typing in a unique code generated by a physical token, or inserting a card (e.g., at an ATM).
- Something you are (inherence): This factor is commonly verified by a fingerprint scan on a mobile phone, but also includes anything that would be a unique identifier of your physical person--a retinal scan, voice or facial recognition, and any other kind of biometrics.
Adaptive MFA
Adaptive MFA is an advanced form of multi-factor authentication that evaluates multiple risk factors and behaviors of each individual access request.
Adaptive authentication works by creating a profile for each user, which includes information such as the user’s geographical location, registered devices, role, and more. Each time someone tries to authenticate, the request is evaluated and assigned a risk score. Depending on the risk score, the user may be required to provide additional credentials or, conversely, allowed to use fewer credentials.
For example, if a user logs in from a geographical location that the system doesn't recognize, the user might see an MFA prompt.
Conditional Access
Conditional access is a set of policies that the university uses to require MFA based on pre-set criteria. For example, criteria may include: access to specific applications, access requests from specific locations, access requests during specific time frames, user role, user type, and many other factors.
Limitation on International Access
Currently, for employees, MFA access is restricted outside the US. To request access, an MFA travel exception request must be submitted one week before the date of needed access. Please see the MFA travel exception request service for more information.
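The sketch below is an added example, not NCU's configuration or any vendor's code. It shows how an adaptive risk score, a conditional access rule and the international restriction described above could combine into one sign-in decision. The weights, the threshold, the `MFA_APPS` set, the field names and the sample users are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed weights and threshold, for illustration only.
WEIGHTS = {"new_country": 40, "unregistered_device": 35, "privileged_role": 15}
STEP_UP_AT = 30
MFA_APPS = {"vpn", "colleague"}          # hypothetical policy: apps that always prompt

@dataclass
class Profile:                           # what the system knows about the user
    user_type: str                       # "employee" or "student"
    role: str
    known_countries: frozenset
    registered_devices: frozenset
    travel_exception: bool = False

@dataclass
class Request:                           # one sign-in attempt
    app: str
    country: str
    device_id: str

def risk_score(req, prof):
    """Adaptive MFA: add a weight for each signal that deviates from the profile."""
    signals = {
        "new_country": req.country not in prof.known_countries,
        "unregistered_device": req.device_id not in prof.registered_devices,
        "privileged_role": prof.role == "admin",
    }
    hits = sorted(name for name, hit in signals.items() if hit)
    return sum(WEIGHTS[name] for name in hits), hits

def decide(req, prof):
    """Return (decision, reasons); fixed rules are checked before the score."""
    # International restriction: employees outside the US need an approved exception.
    if prof.user_type == "employee" and req.country != "US" and not prof.travel_exception:
        return "block", ["employee_outside_us"]
    score, reasons = risk_score(req, prof)
    # Conditional access: pre-set criteria require MFA whatever the score is.
    if req.app in MFA_APPS:
        reasons.append("policy_app:" + req.app)
    if req.app in MFA_APPS or score >= STEP_UP_AT:
        return "require_mfa", reasons
    return "allow", reasons              # low risk: fewer credentials requested

if __name__ == "__main__":
    student = Profile("student", "student", frozenset({"US"}), frozenset({"laptop-01"}))
    print(decide(Request("library", "US", "laptop-01"), student))
    print(decide(Request("library", "US", "tablet-77"), student))
```

The returned reasons list is what a sign-in log would record, so a reviewer can see why a given request was prompted or blocked.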
MFA in practice at NCU
The university is currently using the “Something you know” and “Something you have” methods of MFA for many of its systems and services -- especially where users may be accessing personal, financial, FERPA or HIPAA protected data. MFA is required for all sites and services that utilize the university Single Sign On. This includes, but is not limited to:
- Colleague
- Salesforce
- University email
- VPN
- Canvas
- SharePoint
- Teams
- and more!
Additionally, NCU leverages both Adaptive MFA and Conditional Access.
Requesting assistance
To request assistance with MFA or the Microsoft Authenticator, click Report MFA Issue. Submit a separate form for each person that needs changes to their existing account.
If you are locked out of your account/unable to log in and cannot access the form, or lost access to your MFA device, immediately call or visit the IT Service Desk (612.343.4170) for assistance with your account. The IT Service Desk will need to take action on your account to resolve the issue.