Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA)

In 2020 Imperial will be making MFA compulsory on some sensitive services, such as Office365, and will roll it out to other services as the need arises. Their overview and reasoning is here: https://www.imperial.ac.uk/admin-services/ict/self-service/be-secure/mfa/

There's no need to repeat what they say, but it is universally accepted to be a good idea to enable MFA on personal communications and collaboration services.

How To Enable MFA On Your Office365 Account

First of all, ICT have to provision your account for this feature - you can't just decide to turn it on yourself. You will get an email from the "ICT Security Officer" when MFA is ready to be enabled on your account. Once it has been provisioned for you, Imperial's instructions are here: https://www.imperial.ac.uk/admin-services/ict/self-service/be-secure/mfa/setup-mfa/

Do I Need Anything Special To Use MFA?

The use of MFA for Office 365 does assume that you're an Office 365 user, which further assumes that you're likely to have a smartphone. ICT stats show that well over 99.9% of Imperial users also either use Imperial Wi-Fi on a smartphone, or read their email on a smartphone.

If you only have a "dumbphone" you can still use MFA, but instead of using an app to receive your codes you get a text message. The effect is the same but it's not quite so secure if you understand how text messaging works (as an exercise for the student, read up on Signalling System No.7 vulnerabilities).

I Don't Want To Enable MFA On My Personal Phone

Presumably you have good reasons to reject a security enhancement for the sake of receiving a text code every so often when you're off site. It would probably be best to talk to your local IT staff about your concerns.