Why do we need Multi-factor Authentication (MFA/2FA)?
- This is a UBC requirement since Workday is requiring it starting May 1st 2020
- UBC is adopting this method of authentication that most other large institutions already use in order to better protect UBC against phishing, data breaches, and various security issues.
Who is required to use MFA/2FA?
- Anyone with an employee ID
- Undergraduate students DO NOT require MFA. However, summer students working within the labs as employees with an employee ID will have to use MFA
- Visitors – not required
Do people have to use a hardware token for MFA?
- Not required for MFA
- There are multiple ways to do MFA without a hardware token:
  - UBC Office phone (phone call)
  - Lab Phone (phone call)
  - Personal phones (push, phone call, software OTP, or SMS depending on age/type of phone)
  - Personal tablet (push or software OTP)
Are we going to maintain the hardware tokens as a department?
- Yes, but only for faculty and staff
- We will maintain half a dozen spares for faculty and staff in the event they lose one or it becomes defective
- Compstaff IT will hold onto the spares and take care of the distribution to faculty and staff
- ~80 faculty & 16 department staff with 6 spares
- Hardware tokens will be treated like digital keys. Faculty and staff will get sponsored tokens, but all research / lab members will have to go to the Bookstore if they want a hardware token.
What is the cost for the hardware tokens?
- Departmental Staff & Faculty (Sponsored): $8 One-Time Passcode (OTP) Type or $20 USB Type for faculty and staff (only offering OTP style)
- Lab Staff (Non-Sponsored): $10 OTP Type, $25 USB Type, or $25 OTP Type for Bookstore deposit (similar to a key)
- Note on purchasing hardware tokens for the department or as an individual:
  - Departmental requests are also done through the Bookstore. If managers are purchasing on behalf of their staff, they can do so directly using their speedchart code.
  - Units can place a departmental order of 5+ tokens with the Bookstore by phone or email (dept.sales@ubc.ca or 604-822-8547), pay via JV, CC or P Card, and have them delivered via campus mail.
  - Individuals will also be able to purchase online via the Bookstore website with CC or P Card (no JV option online), but this is not set up yet.
Where do people get their hardware tokens?
- Department Staff and Faculty – Get them from Compstaff IT
- Compstaff IT will purchase the tokens from the Bookstore
- All lab personnel – Get them directly from the UBC Bookstore
Lost or stolen hardware tokens?
- Department Staff and Faculty – Contact Compstaff IT for replacement (use spares)
- Lab Staff – purchase another one from the UBC Bookstore Key Desk
Battery dies or OTP Type Hardware Token becomes defective?
- Department staff and faculty – Contact Compstaff IT for replacement
- Lab Staff – Visit the UBC Bookstore Key Desk for a replacement. Replacements for the tokens will be the responsibility of the user (including when the battery dies) unless the token is deemed defective for some reason. The OTP-type tokens have a known battery life of 3-5 years, but if a token stops working after a much shorter period of time we would be able to track that and get a new one to the user.
What are the reasons for not covering everyone?
- Cost of maintaining that many hardware tokens for 400+ people is best managed by the UBC Bookstore
- Most people will use their personal phone due to convenience
- People can decide for themselves whether they want the hardware token or not and simply use their office/lab phone or personal phone
- The department avoids paying for tokens that are never used given that the majority of users will use their phone or other method of MFA
What happens when a researcher is remotely stuck without their phone or hardware token?
- Contact Compstaff IT or UBC IT for assistance
- We can issue a one-time passcode or time-limited passcode for the duration they are away from Vancouver and/or their device/token
Do the One-Time Passcodes on Phones or Hardware Tokens require the Internet?
- No, they work offline and simply generate a 6-digit number for you to enter at time of login
Which UBC services are going to require the MFA?
- Webmail Access
- FMIS Access
- HRMS Access
- Student System Access
- Web portals that use the Campus Wide Login (CWL) login screen
Will the email app on my phone or computer require that I use MFA?
- No – only web portals asking for your Campus Wide Login (CWL) will prompt you
Does UBC Wireless (UBCSECURE) require MFA?
- No
Does UBC VPN or EOS VPN require MFA?
- UBC VPN – maybe, if you are signing into a specific VPN pool, but it depends on the department
- EOS VPN – no
Do EOAS Servers and EOAS Services require MFA?
- Not at this time
Which MFA device recommendations does Compstaff IT suggest?
- Register your personal mobile phone using Push / OTP / SMS in that order (depends on age and type of phone)
- Register your office phone or shared lab phone (not ideal but as a backup)
- Personal wifi-only tablets (you can opt to set up the Duo App on your personal tablet device – Android/iOS)
- OTP Token
- USB Token
What training options are available for staff?
- Everyone: Information sessions conducted by Compstaff IT at next Department meeting
- Lab Staff: 1-on-1 or by helpdesk FAQ, drop in training at Compstaff offices
- Department Staff: 1-on-1 training
- Faculty: 1-on-1 training
- Email education campaign for department similar to encryption
- EOAS Helpdesk website listing the various recommendations and resources for UBC MFA
- Info cards that come with the token at point of purchase direct the user to contact UBC IT. There is no kiosk. However, there will be targeted pop-up desks throughout the months of April and May, and users will be contacted directly by their admins about the times and locations of these booths, where they can walk up and receive assistance for anything eCWL related.
What are the deadlines for UBC’s MFA Requirement?
- Now – May 31 – We want all of the department staff and faculty on-boarded before they leave for summer
- Summer 2019 – We will continue to nag everyone in the department who was not on-boarded this Spring
- November 2019 – The deadline when everyone not using MFA is locked out