Multi-Factor Authentication (MFA)

From MRC Centre for Outbreak Analysis and Modelling

In 2020 Imperial will be making MFA compulsory on some sensitive services, such as Office 365, and will roll it out to other services as the need arises. Their overview and reasoning are here: https://www.imperial.ac.uk/admin-services/ict/self-service/be-secure/mfa/

There's no need to repeat what they say, but it is widely accepted to be a good idea to enable MFA on personal communications and collaboration services. All you need is a mobile phone.

How to enable MFA on your Office 365 account

First of all, ICT have to provision your account for this feature - you can't just decide to turn it on yourself. You will get an email from the "ICT Security Officer" when MFA is ready to be enabled on your account. Once it has been provisioned for you, Imperial's instructions are here: https://www.imperial.ac.uk/admin-services/ict/self-service/be-secure/mfa/setup-mfa/

Do I need anything special to use MFA?

Using MFA for Office 365 assumes that you're an Office 365 user, and ICT stats show that well over 99.9% of Imperial users either use Imperial Wi-Fi on a smartphone or read their email on a smartphone, so you almost certainly have one. The easiest way to get up and running is to install the "Microsoft Authenticator" app on your phone. Other authenticator apps are available if you prefer to support yourself.

If you only have a "dumbphone" you can still use MFA, but instead of an app producing your codes you get a text message. The effect is the same, but it is less secure: a text message travels over the mobile telephone network and can be intercepted or redirected on the way to you (as an exercise for the student, read up on Signalling System No. 7 vulnerabilities), whereas an app generates the code on the phone itself without any network at all.
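To make the app-versus-text distinction concrete, here is an added example (not code from the Imperial/ICT page, and not Microsoft's implementation) of how an authenticator app computes its six-digit code: the open TOTP standard (RFC 6238, built on the HOTP algorithm of RFC 4226), which is what "other authenticators" implement. The phone and the server share a secret at enrolment (the text behind the QR code) and both derive the same code from that secret and the current 30-second time step, so nothing is sent to the phone and there is nothing for the telephone network to intercept. The secret below is the RFC 6238 reference test secret, constructed input rather than a real key.

```python
# Added example: TOTP as used by authenticator apps (RFC 6238 over RFC 4226).
# Not from the Imperial/ICT page; the test secret is the RFC reference value.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # the usual time step for authenticator apps
DIGITS = 6          # the usual code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Apps exchange the shared secret as base32 text; tolerate spaces and missing padding."""
    cleaned = secret_b32.strip().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def totp(secret_b32: str, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the Unix epoch."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[int] = None, window: int = 1) -> bool:
    """Server side: accept the current step or one step either side, because the phone's
    clock and the server's clock are rarely in perfect sync. Constant-time comparison
    so a wrong guess cannot be timed against the right one."""
    at = int(time.time()) if at is None else at
    secret = decode_secret(secret_b32)
    counter = at // STEP_SECONDS
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


# Constructed input: the RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    # The same shared secret yields the same code on the phone and on the server.
    print("code for this 30-second step:", totp(RFC_TEST_SECRET_B32, int(time.time())))
```

The window of one step either side is the usual compromise between clock drift and replay: a code is only ever good for about 90 seconds, and it is never transmitted to the phone, which is the property the text-message route lacks.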

OK I enabled MFA on my phone. What now?

Ideally, you should reboot your PC. If you don't want to just yet, at the very least log out of your email, Skype, Teams and SharePoint. When you log in to these services again you will be prompted for your password as normal. Then, if MFA is set up correctly, you will receive a separate login code on your registered phone. Enter that, and you're all done.

I can't log in anymore after enabling MFA

There are a couple of reasons this could happen, and they're both easy to fix.

The most common reason is that you're using a program which doesn't support MFA. MFA support has only been added to programs still under active development, like Office and Teams. Other programs, like Skype for Business, SharePoint and most non-Microsoft email clients, don't have MFA built in and have to use a specially created "App Password" instead. ICT have a list of programs which need app passwords, and they're very easy to create: https://www.imperial.ac.uk/admin-services/ict/self-service/be-secure/mfa/app-passwords/

Once you've made your app password for your non-MFA app, you can log in with your usual account and the app password you just created (not your usual Imperial password!). Bear in mind that an app password lets that one program in without the second factor, so treat it like your main password: don't reuse it, don't write it down where others can see it, and delete it from your account when you stop using the program.

The other common reason is that your phone has poor signal. Sometimes you try to log in and get the MFA prompt, only to find your phone doesn't receive a code. So you try to log in again, and still no code arrives. You try a third time and suddenly your phone receives three codes at once. Only enter the latest code; the previous ones are invalid. This is annoying, but if you have no signal you probably aren't going to be able to use the service anyway.
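The "three codes at once, only the latest works" behaviour above is what you get from a server that keeps exactly one live text-message code per user and replaces it on every login attempt. The following is an added example of such a server-side issuer, not code from the Imperial/ICT page and not Microsoft's implementation; the five-minute lifetime, the user names and the fixed code sequence in the scenario are all assumptions constructed for the example. It shows why the first two codes are rejected, why the third is accepted exactly once, and why a code that sat unread for too long is also rejected.

```python
# Added example: a server-side model of texted one-time codes where each new
# login attempt replaces the previous code. Not from the Imperial/ICT page;
# the lifetime, users and code sequence are constructed for illustration.
import hmac
import itertools
import secrets
import time
from typing import Callable, Dict, List, Tuple

CODE_TTL_SECONDS = 300  # assumed lifetime of a texted code


class SmsOtpIssuer:
    def __init__(self,
                 clock: Callable[[], float] = time.time,
                 randbelow: Callable[[int], int] = secrets.randbelow) -> None:
        self._clock = clock
        self._randbelow = randbelow                       # secrets.randbelow in real use
        self._live: Dict[str, Tuple[str, float]] = {}     # user -> (code, expiry time)
        self.outbox: List[Tuple[str, str]] = []           # stands in for the SMS gateway

    def issue(self, user: str) -> str:
        """Called after each correct password. Any earlier code for the user is replaced."""
        code = f"{self._randbelow(10 ** 6):06d}"
        self._live[user] = (code, self._clock() + CODE_TTL_SECONDS)
        self.outbox.append((user, code))                  # "sent" to the phone
        return code

    def verify(self, user: str, code: str) -> bool:
        entry = self._live.get(user)
        if entry is None:
            return False                                  # nothing outstanding
        live_code, expires_at = entry
        if self._clock() > expires_at:
            del self._live[user]                          # too old: discard it
            return False
        if not hmac.compare_digest(live_code, code):
            return False                                  # stale or wrong; live code stays
        del self._live[user]                              # single use
        return True


def poor_signal_scenario() -> Dict[str, bool]:
    """Three login attempts while the phone has no signal; the three texts then
    arrive together. A fixed code sequence (constructed) keeps the run repeatable."""
    sequence = itertools.count(111111, 111111)            # 111111, 222222, 333333, ...
    issuer = SmsOtpIssuer(randbelow=lambda n: next(sequence) % n)
    user = "alice"                                        # constructed user
    codes = [issuer.issue(user) for _ in range(3)]        # phone gets all three at once
    return {
        "first": issuer.verify(user, codes[0]),           # replaced twice: rejected
        "second": issuer.verify(user, codes[1]),          # replaced once: rejected
        "latest": issuer.verify(user, codes[2]),          # the live code: accepted
        "latest_again": issuer.verify(user, codes[2]),    # already used: rejected
    }


def expired_scenario() -> bool:
    """A code that sat unread past its lifetime is rejected. Uses a fake clock."""
    fake_now = [1_000_000.0]
    issuer = SmsOtpIssuer(clock=lambda: fake_now[0])
    code = issuer.issue("bob")                            # constructed user
    fake_now[0] += CODE_TTL_SECONDS + 1
    return issuer.verify("bob", code)


if __name__ == "__main__":
    print(poor_signal_scenario())
    print("expired code accepted:", expired_scenario())
```

Keeping a single live code per user is what makes the advice "only enter the latest code" correct; it also means an attacker who triggers a flood of texts cannot build up a stock of valid codes, because each request discards the one before it.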

I don't want to enable MFA on my personal phone

Presumably you have good reasons to reject a security enhancement for the sake of receiving a text code every so often when you're off site. It would probably be best to talk to your local IT staff about your concerns. MFA is a very effective security measure, and not using it greatly increases the risk of your account being compromised.