FAQ

MFA enrollment is required for the following SFU computing accounts:

• Faculty and staff (including TAs and RAs)
• New SFU students (required to enroll in MFA by the end of your first semester)
• Sponsored accounts
  
• Retirees

We are aware that sponsored accounts are currently used to meet a variety of business needs.

To help you determine next steps for your sponsored account, please refer to sponsored account MFA page for detailed instructions on enrolling in MFA.

If you do not have a mobile device or do not wish to use one for MFA, using a hardware token would be an alternative. A hardware token is a small device that displays the 6-digit code for logging into MFA. Please visit the Set up MFA page for more information.

Note: Hardware tokens should not be used for backup purposes. There are dedicated emergency login codes that serves as a backup if your mobile device is left at home, lost, or runs out of battery.

With MFA, you will start by signing into SFU applications with your SFU Computing ID and password as you currently do. Next, you will be asked to type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).

• There is also the option of “remembering” your MFA sign-in for 7 days.
• Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.

Yes, however, we recommend following best practices outlined at multi-device registration.

Your MFA experience should not differ in any way when you are travelling. You will continue to be prompted every day, or every 7 days, depending on whether you have set MFA to remember you.

There are 2 types of codes you would encounter when using MFA:

MFA code

• A 6-digit code that refreshes every 30 seconds on your mobile device or hardware token.
• MFA codes are used for daily logins.

Emergency Login Codes

• A set of 8-digit codes that are generated during your MFA setup and can be located in the SFU MFA Management App.
• Emergency logins codes are only used when you do not have access to your usual MFA codes (e.g., forgot/lost/broke your mobile device or hardware token).

To log in with MFA, you’ll enter your username and password as you currently do, and then type in the 6-digit MFA code (changes every 30 seconds) that you see on your MFA device (e.g., mobile device/hardware token).

• There is also the option of “remembering” your MFA sign-in for 7 days.
• Note: Remember to keep your MFA device nearby to sign in using the 6-digit MFA codes. You should only use your 8-digit emergency login codes as the last resort.

By default, you will be prompted for your MFA code every time you log into a CAS-protected SFU web application.

If you do not want to be prompted for MFA every time you log in, you may select the “Remember me on this browser for 7 days” checkbox just below the MFA code field.

• Upon successful sign-in, you will not be prompted for a MFA code for seven days on those browsers and devices/computers where you authenticated to “remember” your MFA sign-in.  
• This functionality allows each authenticated device/browser combination to maintain and "remember" your MFA authorization for 7 days. 

Please note that you will be prompted for MFA if you perform any of the following actions:

• Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
• Clear your browsing history and/or cookies,
• Enable the browser to "clear cookies and site data when you close all windows", 
• Log in under “incognito mode” or “private mode” on your browser, or
• Log in using the same device and browser after seven days since your last MFA sign-in.

Note: To view and/or remove the browsers you’ve allowed to “remember” your MFA login, please visit the SFU MFA Management App.

If you do not want to be prompted for MFA every time you log in to a web application, you may check this checkbox to have your browser remembered for 7 days. To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App. 

Please note that you will be prompted for MFA if you perform any of the following actions:

• Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in,
• Clear your browsing history and/or cookies,
• Enable the browser to "clear cookies and site data when you close all windows", 
• Log in under “incognito mode” or “private mode” on your browser, or
• Log in using the same device and browser after seven days since your last MFA sign-in.

"7 days" was chosen as the time period to remember a browser authentication because it's an option that balances between security and convenience.

The most secure option would be to authenticate every login, which is the default settings if the "Remember me on this browser for 7 days" checkbox is not selected. The more convenient option would be to authenticate every 30 days, where some institutions have chosen this option. However, this option would bring convenience at the cost of security.

This time period is also frequent enough so that it could be easily incorporated into a regular routine (e.g., Tuesday is my MFA day).

TOTP (Time-Based One-time Passcode) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

Keep your emergency login codes safe by following these important tips:

• Store your emergency login codes in a safe, accessible place nearby you, such as your wallet.
• Do not store your emergency login codes on CAS-protected services such as your SFU Mail account, as you won't be able to access them if you don't have your phone or hardware token.
• Never share your emergency login codes with anyone.
• You can generate new emergency login codes at any time by going to the SFU MFA Management App.

In the case where you don't have your phone or hardware token with you, you can use one of your emergency login codes for access to your SFU account. 

• Where to locate your emergency login codes: When you first set up multi-factor authentication, you will be given a list of one-time emergency login codes. Ensure to print/write them down and store them in a safe, accessible place, such as your wallet.

• If you have already gone through the MFA setup process and missed the opportunity to print/write down the list of emergency login codes for safekeeping, be sure to sign into the SFU MFA Management App to retrieve or generate new emergency login codes before you come across a scenario of not having your mobile device/hardware token with you.

No; Aside from the initial app download, TOTP MFA applications do not require any internet connection, cell service, or data coverage to display the MFA codes.

Note: TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

No; SFU’s MFA service is built and hosted at SFU and does not collect personal information. In addition, the recommended mobile app, LastPass Authenticator, does not collect personal information.

How it works: When you scan the QR code with your mobile app as part of the initial MFA setup, the app is obtaining a secret key from SFU’s MFA servers from which your MFA login codes will be generated. 

• From that point onward, there is no MFA-related communication made from your mobile app. Your mobile app only relies on your mobile device’s time and the secret key for the MFA login code generation every 30 seconds. 
• This is also why the app does not require cellular service nor an internet connection to function.

Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

We recommend LastPass Authenticator because:

1. It's free to use,
2. It does not collect personal information (only requests file permissions for storing your MFA locally, and camera permissions for scanning QR code),
3. It does not require an internet connection to function (aside from the initial app download), and
4. It's reputable and well-known MFA mobile app.

Note: SFU recommends LastPass Authenticator because of the user benefits described above, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol. 

Applications that support the TOTP protocol will work for MFA at SFU. If you already have a MFA application that you are using for other services, you may continue to use that application for MFA at SFU as well.

Note: SFU recommends LastPass Authenticator because of the benefits it provides to users, but we are not affiliated with LastPass Authenticator or any third-party MFA applications. You are free to choose any of the MFA mobile apps that support the TOTP protocol.

*TOTP (Time-based One-time Password) protocol for multi-factor authentication requires a time-based (30 second) code that the user must enter. It changes every 30 seconds to maximize security.

Any "smart device", such as iPad or Android tablet, can be used to run an MFA application.

Note: MFA applications do not require any cell service or data coverage to work, but you will need internet access when you first download the application onto your device.

To change the mobile device you use for MFA, please follow the instructions outlined on the Add or Remove MFA Devices or Apps page.

Please select one of the two options below:

• For students, alumni, retirees and sponsored accounts who are unable to or cannot use a mobile device for MFA, hardware tokens are available for purchase at the SFU Bookstore either in-store or online.
  
• For staff and faculty accounts, please visit Request a Hardware Token.
  

Yes, hardware tokens are sent via Canada Post Lettermail™. Please note that due to COVID-19 restrictions, there may be additional delays to international shipping.

If you are purchasing a hardware token from the SFU Bookstore, yes. Hardware tokens are tied to a specific user upon purchase.

If you are a staff or faculty requesting a hardware token, token pickups may be available based on staffing and location. When submitting a request, please comment on token pickup availability.

To replace a lost hardware token, see the two options below:

• For students, alumni, retirees and sponsored accounts, a new hardware tokens will need to be purchase at the SFU Bookstore either in-store or online.
  
• For staff and faculty accounts, please visit Request a Hardware Token.
  

Note: If you have lost your hardware token, use your MFA emergency codes to log into your account while obtaining a replacement hardware token or switch to mobile.

No, since the hardware tokens are pre-programmed to your SFU account before giving it to you, using your own or personal hardware tokens will not be compatible with our systems.

The battery life of hardware tokens are expected to last at least around 4 to 5 years.

By checking off the "Remember me on this browser for 7 days" checkbox at the login page, you can set your browser on a specific device to remember your MFA login for 7 days. 

The following are some common reasons as to why a browser may fail to remember your MFA login for 7 days:

• Clear your browsing history and/or cookies,
• Enable the browser to "clear cookies and site data when you close all windows", 
• Log in under “incognito mode” or “private mode” on your browser,
• Log in using a different browser and device than the ones you previously authenticated to “remember” your MFA sign-in, or
• Log in using the same device and browser after seven days since your last MFA sign-in.

To view and/or remove the trusted browsers you authenticated to "remember me for 7 days", please visit SFU MFA Management App.

If your browser still doesn't remember your MFA login for 7 days, your browser may have outdated MFA cookies. Follow these steps to remove existing MFA cookies:

1. Visit the SFU MFA Management App and select "Trusted Browsers" tab,
2. Remove all your trusted browsers by clicking on the Trash Bin,
3. Clear your browsing history and/or cookies.