FAQ
This page has information on the following FAQs:
Who needs to set up MFA?
MFA enrollment is required for the following SFU computing accounts:
- Faculty and staff (including TAs and RAs)
- New SFU students (required to enroll in MFA by the end of your first semester)
- Sponsored accounts
- Retirees
We are aware that sponsored accounts are currently used to meet a variety of business needs.
To help you determine next steps for your sponsored account, please refer to the sponsored account MFA page for detailed instructions on enrolling in MFA.
I don’t have, or I am unable to use a mobile device for MFA. What can I use instead?
If you do not have a mobile device or do not wish to use one for MFA, you can use a hardware token instead. A hardware token is a small device that displays the 6-digit code for logging into MFA. Please visit the Set up MFA page for more information.
Note: Hardware tokens should not be used for backup purposes. There are dedicated emergency login codes that serve as a backup if your mobile device is left at home, lost, or runs out of battery.
How will MFA change the way I sign into SFU systems?
With MFA, you will start by signing into SFU applications with your SFU Computing ID and password as you currently do. Next, you will be asked to type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).
- There is also the option of “remembering” your MFA sign-in for 7 days.
- Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.
Can I enroll both a hardware token and mobile device?
Yes; however, we recommend following the best practices outlined at multi-device registration.
Will my MFA experience differ when I am travelling?
Your MFA experience should not differ in any way when you are travelling. You will continue to be prompted every day, or every 7 days, depending on whether you have set MFA to remember you.
There are 2 types of codes you would encounter when using MFA:
MFA code
- A 6-digit code that refreshes every 30 seconds on your mobile device or hardware token.
- MFA codes are used for daily logins.
Emergency Login Codes
- A set of 8-digit codes that are generated during your MFA setup and can be located in the SFU MFA Management App.
- Emergency login codes are only used when you do not have access to your usual MFA codes (e.g., forgot/lost/broke your mobile device or hardware token).
How do I start using my MFA login? How do I retrieve my MFA login codes?
To log in with MFA, you’ll enter your username and password as you currently do, and then type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).
- There is also the option of “remembering” your MFA sign-in for 7 days.
- Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.
How often will I be prompted for MFA?
By default, you will be prompted for your MFA code every time you log into a CAS-protected SFU web application.
If you do not want to be prompted for MFA every time you log in, you may select the “Remember me on this browser for 7 days” checkbox just below the MFA code field.
- Upon successful sign-in, you will not be prompted for an MFA code for seven days on those browsers and devices/computers where you authenticated to “remember” your MFA sign-in.
- This functionality allows each authenticated device/browser combination to maintain and "remember" your MFA authorization for 7 days.
Please note that you will be prompted for MFA if you perform any of the following actions:
- Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
- Clear your browsing history and/or cookies,
- Enable the browser to "clear cookies and site data when you close all windows",
- Log in under “incognito mode” or “private mode” on your browser, or
- Log in using the same device and browser after seven days since your last MFA sign-in.
Note: To view and/or remove the browsers you’ve allowed to “remember” your MFA login, please visit the SFU MFA Management App.
What does the “Remember me on this browser for 7 days” checkbox do?
If you do not want to be prompted for MFA every time you log in to a web application, you may check this checkbox to have your browser remembered for 7 days. To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App.
Please note that you will be prompted for MFA if you perform any of the following actions:
- Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
- Clear your browsing history and/or cookies,
- Enable the browser to "clear cookies and site data when you close all windows",
- Log in under “incognito mode” or “private mode” on your browser, or
- Log in using the same device and browser after seven days since your last MFA sign-in.
Why was "7 days" chosen as the time period for the browser to remember me?
"7 days" was chosen as the time period to remember a browser authentication because it balances security and convenience.
The most secure option would be to authenticate every login, which is the default setting if the "Remember me on this browser for 7 days" checkbox is not selected. The more convenient option would be to authenticate every 30 days, which some institutions have chosen. However, this option would bring convenience at the cost of security.
This time period is also frequent enough so that it could be easily incorporated into a regular routine (e.g., Tuesday is my MFA day).
Why does my 6-digit MFA code change every 30 seconds?
The TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.
How do I securely store my emergency login codes?
Keep your emergency login codes safe by following these important tips:
- Store your emergency login codes in a safe, accessible place near you, such as your wallet.
- Do not store your emergency login codes on CAS-protected services such as your SFU Mail account, as you won't be able to access them if you don't have your phone or hardware token.
- Never share your emergency login codes with anyone.
- You can generate new emergency login codes at any time by going to the SFU MFA Management App.
In the case where you don't have your phone or hardware token with you, you can use one of your emergency login codes for access to your SFU account.
- Where to locate your emergency login codes: When you first set up multi-factor authentication, you will be given a list of one-time emergency login codes. Be sure to print or write them down and store them in a safe, accessible place, such as your wallet.
- If you have already gone through the MFA setup process and missed the opportunity to print/write down the list of emergency login codes for safekeeping, be sure to sign into the SFU MFA Management App to retrieve or generate new emergency login codes before you come across a scenario of not having your mobile device/hardware token with you.
Do I need to have cellular service or data coverage to use the MFA Applications?
No. Aside from the initial app download, TOTP MFA applications do not require any internet connection, cell service, or data coverage to display the MFA codes.
Note: TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.
No; SFU’s MFA service is built and hosted at SFU and does not collect personal information. In addition, the recommended mobile app, LastPass Authenticator, does not collect personal information.
How it works: When you scan the QR code with your mobile app as part of the initial MFA setup, the app is obtaining a secret key from SFU’s MFA servers from which your MFA login codes will be generated.
- From that point onward, there is no MFA-related communication made from your mobile app. Your mobile app only relies on your mobile device’s time and the secret key for the MFA login code generation every 30 seconds.
- This is also why the app does not require cellular service nor an internet connection to function.
Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.
Why is LastPass Authenticator recommended?
We recommend LastPass Authenticator because:
- It's free to use,
- It does not collect personal information (only requests file permissions for storing your MFA locally, and camera permissions for scanning QR code),
- It does not require an internet connection to function (aside from the initial app download), and
- It's a reputable and well-known MFA mobile app.
Note: SFU recommends LastPass Authenticator because of the user benefits described above, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.
I already have an app that does MFA, can I use that?
Applications that support the TOTP protocol will work for MFA at SFU. If you already have an MFA application that you are using for other services, you may continue to use that application for MFA at SFU as well.
Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.
*TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.
Can I use a tablet or other mobile device that is not a smartphone for MFA?
Any "smart device", such as iPad or Android tablet, can be used to run an MFA application.
Note: MFA applications do not require any cell service or data coverage to work, but you will need internet access when you first download the application onto your device.
I've recently acquired a new mobile device. What do I need to do?
To change the mobile device you use for MFA, please follow the instructions outlined on the Add or Remove MFA Devices or Apps page.
How do I obtain a hardware token?
Please select one of the two options below:
- For students, alumni, retirees and sponsored accounts who are unable to use a mobile device for MFA, hardware tokens are available for purchase at the SFU Bookstore either in-store or online.
- For staff and faculty accounts, please visit Request a Hardware Token.
Can hardware tokens be mailed outside of Canada?
Yes, hardware tokens are sent via Canada Post Lettermail™. Please note that due to COVID-19 restrictions, there may be additional delays to international shipping.
Can I have someone else pick up the hardware token on my behalf?
If you are purchasing a hardware token from the SFU Bookstore, yes. Hardware tokens are tied to a specific user upon purchase.
If you are a staff or faculty member requesting a hardware token, token pickups may be available based on staffing and location. When submitting a request, please comment on token pickup availability.
Can I get a new hardware token if I lose mine?
To replace a lost hardware token, see the two options below:
- For students, alumni, retirees and sponsored accounts, a new hardware token will need to be purchased at the SFU Bookstore either in-store or online.
- For staff and faculty accounts, please visit Request a Hardware Token.
Note: If you have lost your hardware token, use your MFA emergency codes to log into your account while obtaining a replacement hardware token or switch to mobile.
Can I use my personal hardware token (OTP token device) instead of requesting one?
No. Hardware tokens are pre-programmed to your SFU account before they are given to you, so your own or personal hardware tokens will not be compatible with our systems.
How long will the battery last on my token?
The battery of a hardware token is expected to last at least around 4 to 5 years.
Why is my browser not remembering my MFA login for 7 days?
By checking off the "Remember me on this browser for 7 days" checkbox at the login page, you can set your browser on a specific device to remember your MFA login for 7 days.
The following are some common reasons as to why a browser may fail to remember your MFA login for 7 days:
- You cleared your browsing history and/or cookies,
- Your browser is set to "clear cookies and site data when you close all windows",
- You logged in under “incognito mode” or “private mode” on your browser,
- You logged in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in, or
- You logged in using the same device and browser more than seven days after your last MFA sign-in.
To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App.
If your browser still doesn't remember your MFA login for 7 days, your browser may have outdated MFA cookies. Follow these steps to remove existing MFA cookies:
- Visit the SFU MFA Management App and select "Trusted Browsers" tab,
- Remove all your trusted browsers by clicking on the Trash Bin,
- Clear your browsing history and/or cookies.
For additional assistance, please contact your department’s IT staff or the IT Service Desk.