Multi-Factor Authentication (MFA) is an authentication method in which you must successfully complete at least two steps (factors) to gain access. These factors could be something you know (your username and password), something you are (such as your fingerprint, facial recognition or iris scan), something you have (such as hardware tokens or the device you are working on) or your location (you can only access from a specific location).
The VUB opts for two-factor authentication (2FA), MFA with 2 factors/steps. In the first step you enter your username and password. In the second step you must perform an additional action. This can be entering a second key, for example, a received SMS code or a code received or created by a linked app on your smartphone, or merely confirming the login request on such a linked app.
In most cyber-attacks, some even suspect in 95% of cases, weak or stolen credentials are exploited. The most efficient defense against this is 2FA. If your password is compromised, the cybercriminal cannot immediately misuse your password because it also needs the 2nd factor.
This also brings compliance with legislation closer. For example, the General Data Protection Regulation (GDPR) requires that the protection of sensitive personal data is optimized. 2FA is a major step in this direction.
Also 2FA is not 100% safe from cybercriminals. For example, you can still be misled by a fake website on which you log in 2FA. The cybercriminal has thus obtained both factors and can use them to log in. SMS messages with which the 2nd factor is sent can also be intercepted by means of SIM cloning (a duplicate of your phone is made, on which copies of all your text messages are added). For the latter reason, 2FA via text messages is best avoided.
Not all VUB applications support this 2FA security yet. Canvas, Office 365, TEO are already protected by 2FA. Cali, Pure, RACS are examples of applications that currently do not support this 2FA security (but we are working on it!).
Despite these limitations, 2FA remains the simplest and most efficient protection against compromised password misuse, and 2FA is therefore regarded as a minimal authentication protection.
2FA is automatically activated for every VUB account. Thus including temporary accounts, accounts for external parties, circle of friends and emeriti accounts.
Please note, 2FA is not optional at the VUB, there are no exceptions.
The impact on your daily operation is minimal. You do not have to log in more than before, the only difference is that you now also use a 2nd factor.
The way Outlook, the standard VUB e-mail client, functions does not change after activating your 2FA. If you use another email client, it will not respond differently because email clients that do not support OAuth2 (required for MFA) have already been blocked.
The simplest method is to use the Microsoft Authenticator on your smartphone. You can use another authenticator, but then a special setup is required (Google your selected authenticator for setup guidance). The ICT Service Desk only supports installation/usage of the Microsoft Authenticator.
You can also obtain a login code via a telephone number. You can enter three numbers for this: ‘Phone’, ‘Alternate phone’ and ‘Office phone’. It is possible to enter your mobile number, this then gives you the additional option to receive your login code via SMS (this is regarded as less safe, only to be used as a backup).
Another option is to use a physical token. This will be USB connected to your laptop and serve as a 2nd factor. Do note, these physical tokens are not delivered centrally. However, installation and use of a token from the YubiKey 5 Series [1] is supported by the VUB helpdesk. Do you prefer another security key, check first if that one is supported by Microsoft’s authentication.
You are strongly advised to activate multiple options so that you always have a backup option if your default option is not available.
Obtaining a login code via e-mail is not possible.
[1] YubiKey 5 NFC (USB A) and YubiKey 5C NFC (USB C) have been tested and are recommended.
Your Outlook access will still work, so you can still access your email. Even if you have documents on your OneDrive and you have set up a sync with your laptop, it will continue to work. This because for both you do not have to log in every time (2FA does not change when you have to log in).
However, if you want to use O365 online, or one of the 2FA login protected applications, you cannot do this. That is why it is recommended to activate more than one 2nd factor option so that you always have a backup.
If your mobile phone is broken and you insert your SIM card into another device, you no longer have access to the authenticator linked to your account. That is why it is recommended to enter your mobile phone number as a telephone number. You can then get this other device either via voice (spoken voice) or via SMS a login code (but less secure).
You can also contact the ICT Service Desk, they can reset 2FA. As a result, you will have to set up 2FA again at first login. Of course, this scenario only works in certain scenarios (e.g., mobile phone broken/lost/stolen and new mobile available to set up 2FA).
Note: the challenge here is that the ICT Service Desk must identify you. A ticket must be created in Service Now. If you do not have access to your VUB e-mail (none VUB e-mails are not accepted for this), have a colleague create the ticket. This colleague is then responsible for the positive identification of your identity.
MFA is the most efficient defense against misuse of a compromised password. If a cybercriminal tries to log in with the compromised password, the user will receive a 2nd MFA factor confirmation question. This is of course not answered and the cybercriminal is denied access.
If you suddenly get multiple MFA confirmation questions, take immediate action and change your password here. Don’t let the amount of MFA requests tempt you to approve one anyway, you’ll give the cybercriminal access to your account.
For those who use the Microsoft Authenticator app on their smartphone, additional information is shown on the confirmation screen: the application you are trying to log in to and the location from which you log in (note, this is the location where your provider goes on the internet, not where you are – for example, a login in Leuven can give you West Flanders as a location, as long as you have a Belgian location, you’re good).
2FA is automatically (mandatory) activated for VUB employees and VUB students.
More info on Service-Now.
Applications such as WhatsApp, Facebook, Linkedln, and many others support MFA. Search in the settings or Google “MFA + name of the application” to find out how to activate it.
Why not take a look at this list of the most common platforms that allow two-factor authentication?
Any questions? Contact the ICT Service Desk via Service Now or via e-mail to helpdesk@vub.be.
Last update: 10/02/2024
What is two-factor authentication? (Safeonweb.be) – 0:49
How do you enable two-factor authentication (2FA)? (Safeonweb.be) 0:44
A link not working? Send an email to helpdesk@vub.be.