Multi-factor authentication (MFA)
Multi-factor authentication (MFA) is used to ensure that digital users are who they say they are, while balancing enhanced security with convenience. Unlike single-factor authentication, MFA requires users to prove their identity by providing at least two pieces of evidence, each from a different one of three categories: something you know, something you have and something you are.
If one factor has been compromised by an attacker, the chance that a second, independent factor has also been compromised is much lower, so requiring multiple authentication factors gives a higher level of assurance about the user's identity.
Why is multi-factor authentication important?
Passwords are still the most common way to authenticate your online identity, but on their own they provide less and less protection.
Hackers use an alarming variety of phishing attacks, brute force attacks, web app attacks and point of sale intrusions to steal passwords and wreak serious havoc.
Users often make it easier for hackers by choosing weak passwords, using the same password for multiple applications, and keeping the same password for long periods of time. These practices may help them remember their logins, but they invite hackers in through the front door.
Multi-factor authentication adds a layer of protection for both students and employees that limits the damage from these weaknesses: a stolen, guessed or reused password alone is no longer enough to sign in, because the login also requires additional evidence that you are who you say you are.
How does multi-factor authentication work?
A user's credentials must come from at least two of three different categories, or factors.
Two-factor authentication, or 2FA, is the subset of MFA that uses exactly two factors; MFA in general can use any number of factors.
Knowledge factors are the most commonly used form of authentication: the user proves knowledge of a secret in order to authenticate.
Something You Know
The most common example of this factor is, of course, the password, but it could also take the form of a PIN, or even a passphrase--something only you would know.
Some organizations also set up knowledge-based authentication such as security questions (e.g., "What is your mother's maiden name?"), but basic personal information can often be discovered or stolen through research, phishing and social engineering, which makes it a weak authentication method on its own.
Something You Have
It's much less likely that a hacker has stolen your password and stolen something physical from you, so this factor confirms that you are in possession of a specific item. This category includes mobile phones, physical tokens, key fobs and smartcards.
There are a few ways this authentication works, depending on the item, but common methods include confirming via a text message or push notification on your mobile phone, typing in a one-time code generated by an authenticator app or hardware token, or inserting a card (e.g., at an ATM). Codes sent by SMS or email are the weakest of these, because the message itself can be redirected or read by someone else; that is why an app-based code such as Google Authenticator is preferred where it is available.
Something You Are
This factor is commonly verified by a fingerprint scan, but also includes anything that would be a unique identifier of your physical person--a retinal scan, voice or facial recognition, and any other kind of biometrics.
Note that unlocking your phone with a fingerprint or PIN in order to read an SMS code is a separate, local check on the device. As far as Gateway is concerned, the SMS code is a possession factor (it proves you hold the phone), not a biometric one.
How To Set Up MFA
Multi-factor authentication - MFA became mandatory for Faculty and Staff when using Gateway from off campus.
Setting up your account is easy, but it takes a few minutes to register your verification factors (email and phone). Setting them up ahead of time saves you from having to do this when MFA goes live and you may be in a rush to check your email.
To start the process, follow the Password Manager - Setup Guide, which has detailed instructions for setting up Password Manager and configuring Multi-Factor Authentication.
Setting up your account should be an easy-to-follow process. If you have any questions or trouble setting up this feature, contact the Technical Support Center at (210) 431-4357 or stop by the TSC Help Desk located inside the UC Commons area.
Login With MFA
After you successfully finish setting up your account in Password Manager, Multi-Factor Authentication is active and you will be prompted to verify one of your security factors at login from off-campus locations.
Let's review this process:
1. Once you log in, you will be prompted with a window to select your desired verification option.
2. If you set up multiple security factors (email and phone) you can choose whichever is convenient at that moment. If you set up only one, either phone or email, you will be prompted with that specific verification option:
Email Verification
If you selected Email as a verification factor, make sure you have access to that email to continue with this process.
1. On the email verification window you will be prompted to select the email address to use. Password Manager allows a secondary email verification option; if you set one up, you will have the opportunity to select either address in this window.
Note: Only one primary email is required.
2. A verification code will be sent to the email address you selected. If you have not received it, check your junk or clutter folders and add portmaster@stmarytx.edu as a safe sender.
Note: Delivery is immediate and should not take longer than a minute or two. If you still have not received your code, click the Resend security code option to get a new code; only the most recently sent code is valid.
3. Once you receive your verification code please input the code and click submit to finish the verification process and continue to Gateway.
SMS Verification
If you selected SMS as a verification factor, make sure you have access to your cellphone to continue with this process.
1. On the SMS verification window you will be prompted to select the phone number to use. Password Manager allows a secondary phone verification option; if you set one up, you will have the opportunity to select either number in this window.
Note: Only one primary phone number is needed to enable this verification factor.
2. A verification code will be sent via SMS to the phone number you selected.
Note: Delivery is immediate and should not take longer than a minute or two. If you still have not received your code, click the Resend security code option to get a new code; only the most recently sent code is valid.
3. Once you receive your verification code please input the code and click submit to finish the verification process and continue to Gateway.
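The email and SMS flows above both rely on a code that is short-lived and valid exactly once, and on Resend replacing the earlier code rather than adding a second valid one. The following Python sketch is an added example of the server-side logic behind such a code; it is not St. Mary's Password Manager code, and the 120-second lifetime, the five-attempt limit and the usernames, addresses and timestamps are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

CODE_TTL_SECONDS = 120   # "a minute or two": a code older than this is rejected (assumed value)
MAX_ATTEMPTS = 5         # guesses allowed per code before it is discarded (assumed value)


@dataclass
class PendingCode:
    code_hash: str       # only a hash is stored, so a database leak does not expose live codes
    expires_at: float
    attempts: int = 0


@dataclass
class OneTimeCodeService:
    """Issues and verifies the 6-digit codes that are sent by email or SMS."""
    pending: dict = field(default_factory=dict)   # username -> PendingCode (one live code per user)
    outbox: list = field(default_factory=list)    # stand-in for the real email/SMS sender

    @staticmethod
    def _hash(username: str, code: str) -> str:
        return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()

    def issue(self, username: str, destination: str, now: Optional[float] = None) -> str:
        """Generate a fresh code and 'send' it. Calling this again (Resend) replaces the old code."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; the random module is not suitable here
        self.pending[username] = PendingCode(self._hash(username, code), now + CODE_TTL_SECONDS)
        self.outbox.append((destination, code))
        return code

    def verify(self, username: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None:
            return False                          # nothing outstanding, or already consumed
        if now > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[username]            # expired or brute-forced: discard, user must resend
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(username, submitted.strip()))
        if ok:
            del self.pending[username]            # one-time use: the same code cannot be replayed
        return ok


def demo() -> dict:
    """Walk through the page's flow with fixed, constructed timestamps and identities."""
    svc = OneTimeCodeService()
    t0 = 1_700_000_000.0
    first = svc.issue("jdoe", "jdoe@example.edu", now=t0)
    results = {
        "accepted": svc.verify("jdoe", first, now=t0 + 30),       # fresh code within 30 s: True
        "replayed": svc.verify("jdoe", first, now=t0 + 31),       # same code a second time: False
    }
    second = svc.issue("jdoe", "+1 555 010 0000", now=t0 + 60)
    third = svc.issue("jdoe", "+1 555 010 0000", now=t0 + 70)    # user clicked Resend
    results["superseded"] = svc.verify("jdoe", second, now=t0 + 80)   # older code: False
    results["resent"] = svc.verify("jdoe", third, now=t0 + 90)        # newest code: True
    stale = svc.issue("jdoe", "jdoe@example.edu", now=t0 + 100)
    results["expired"] = svc.verify("jdoe", stale, now=t0 + 100 + CODE_TTL_SECONDS + 1)  # False
    return results
```

Hashing the stored code is only a modest protection, since a six-digit space is trivially brute-forced offline; the attempt counter and the short lifetime are what actually stop online guessing, and the page's advice to treat the code as single-use is what stops replay of a message that was read by someone else.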
Login Verification Email
If you are off-campus, you should expect an MFA verification prompt the first time you authenticate from a new browser, a new device or a new location that you have not previously verified and marked as trusted using MFA. The trust option may be used on devices or locations you consider trusted, such as your mobile device or a personal computer located at home.
You should never use this option on public or shared-access computers: a trusted device skips the second factor, so anyone who later uses that computer with your password would not be challenged.
This login verification email also helps you identify fraudulent attempts: if you receive a login notification you did not initiate, someone is trying to reach protected resources with your credentials and is being stopped at the MFA step.
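Marking a device as trusted is usually implemented by setting a signed token in the browser after a successful MFA check, and then skipping the second factor on later logins that present it. The following Python block is an added illustration of that mechanism and of why it must never be enabled on a shared computer; it is not Password Manager's implementation, and the server key, the 30-day trust window, the claim names and the usernames are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed); rotating it revokes every trusted device
TRUST_TTL_SECONDS = 30 * 24 * 3600     # assumed 30-day trust window


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_trust_token(username: str, key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    """Issued after a successful MFA check when the user chooses to trust the device; stored as a cookie."""
    now = time.time() if now is None else now
    claims = {"sub": username, "exp": int(now) + TRUST_TTL_SECONDS, "id": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()   # integrity: the client cannot edit sub or exp
    return _b64(payload) + "." + _b64(tag)


def needs_mfa(username: str, token: Optional[str], key: bytes = SERVER_KEY,
              now: Optional[float] = None) -> bool:
    """True when this login must be challenged for a second factor."""
    now = time.time() if now is None else now
    if not token or "." not in token:
        return True                                   # new browser or device: no cookie at all
    encoded_payload, encoded_tag = token.split(".", 1)
    try:
        payload, tag = _unb64(encoded_payload), _unb64(encoded_tag)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return True                               # tampered, or signed under a rotated key
        claims = json.loads(payload)
    except ValueError:                                # covers bad base64 and bad JSON
        return True
    if claims.get("sub") != username:
        return True                                   # cookie was issued to a different account
    if now > claims.get("exp", 0):
        return True                                   # trust window has elapsed
    return False


def demo() -> dict:
    """Constructed scenarios; the 'shared_pc' case is the one the page warns about."""
    t0 = 1_700_000_000.0
    home_pc = issue_trust_token("jdoe", now=t0)
    _, tag = home_pc.split(".")
    forged = _b64(json.dumps({"exp": 9_999_999_999, "id": "x", "sub": "jdoe"}).encode()) + "." + tag
    return {
        "first_login_no_cookie": needs_mfa("jdoe", None, now=t0),                       # True
        "same_pc_next_day": needs_mfa("jdoe", home_pc, now=t0 + 86_400),                # False
        "other_account_same_pc": needs_mfa("asmith", home_pc, now=t0 + 60),             # True
        "forged_expiry": needs_mfa("jdoe", forged, now=t0),                             # True
        "after_trust_window": needs_mfa("jdoe", home_pc, now=t0 + TRUST_TTL_SECONDS + 1),  # True
        # Someone who learned jdoe's password and sits at the trusted PC is NOT challenged:
        "password_thief_on_trusted_pc": needs_mfa("jdoe", home_pc, now=t0 + 60),        # False
    }
```

The last case in demo() is the whole reason for the warning above: the token only proves that the browser once passed MFA for that account, so on a library or lab machine it hands the second factor to whoever sits down next.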
Configure Google Authenticator
Before you start
Here are some things to know before you begin this process.
- You'll need to download the Google Authenticator app to your mobile device.
- You will always need your mobile device to generate the passcode. There isn't a way to generate a passcode on your laptop or desktop computer.
- Set up a secondary factor of authentication (email or phone). You will need it if you ever lose, restore or damage your device, because the app then has to be reconfigured.
- Make sure your mobile device's time is set automatically. Google Authenticator derives a new passcode every 30 seconds from the current time; if your device's clock is set manually and drifts, the codes it generates will not match what Gateway expects and the login will fail.
Step - 1
Download Google Authenticator from either the Apple App Store or the Android Google Play store. It's free.
1. Next, access Password Manager to start the Google Authenticator configuration steps.
Step - 2
2. Once you access Password Manager you will see a new tab: Authenticator.
3. Click the Authenticator tab, then click "Get Started" to begin configuration:
4. Google Authenticator will be listed as an option:
Click "Next" to Continue (STEP 3)
Step - 3
For this step Google Authenticator must already be installed on your device so you can pair it with Gateway.
5. After you click Next on the previous step, a QR code will be displayed on your screen along with a setup key (if your phone cannot read the QR code, you can type this key into the app manually).
6. Now, on your device, open Google Authenticator. You will be presented with two ways to pair: scanning the QR code or entering the setup key. This example assumes you are able to scan the QR code (manual entry is available with the "Enter a setup key" option).
7. Press "Scan a QR code" on your device. A scan window opens (you may need to allow the app to use your camera); center the scan area over the QR code on your screen. Pairing happens almost immediately; if you have trouble scanning, enter the setup key manually instead.
8. Your device will now show a verification code (a list of codes if you have more than one account registered) that changes every 30 seconds. A timer dial to the right of the code counts down how much time is left before it expires, so wait for a new code if the current one is about to expire.
Now we move back to your computer to finalize the setup.
9. Click Next on your computer screen, then enter the current verification code shown in Google Authenticator on your device. In the example screenshot the code is 526 196.
10. Click "Register Google Authenticator" to finalize configuring this factor.
De-Register A Device
If you ever change your device, you must remove the previous registration before pairing the new device. Do the same right away if the old phone is lost or stolen: until the registration is removed, anyone holding that phone can still generate valid codes for your account.
To de-register a device, you will need to access Password Manager and Click on the Authenticator Tab
Here, you will see your current Google Authenticator Setup
Click the "De-register Google Authenticator" option to remove your previous configuration, then return to Step 1 of these instructions to register your new device.
Click "Yes" to finish de-registration or "No" to Cancel.
Login with Google Authenticator
Once you have configured Google Authenticator in Gateway with your device, you can use it to log in to Gateway whenever you are off campus and have to go through the MFA process.
After you log in, you will be presented with the Multi-factor Authentication options, where you can now select Google Authenticator.
Click Google Authenticator, then open the Google Authenticator app on your device. You will see a code (or several codes if you have more than one account registered); your Gateway account is the entry labeled stmarytxprod (your username).
Enter this code in the verification screen and submit to continue with Gateway
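The QR code and setup key in Step 3 carry a shared secret, and the six-digit codes are time-based one-time passwords (TOTP, RFC 6238): HMAC-SHA1 of the number of 30-second steps since the Unix epoch, truncated to six digits. The Python block below is an added example of what the Gateway side has to compute to check a submitted code, including the clock-skew failure described under "Before you start" and rejection of a code that was already used. It is not St. Mary's or Google's code; the secret is the RFC 6238 reference test key, and the timestamps, the one-step skew tolerance and the function names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple

STEP_SECONDS = 30   # Google Authenticator rotates codes every 30 seconds
DIGITS = 6


def decode_setup_key(key: str) -> bytes:
    """Decode the Base32 'setup key' shown beside the QR code (spaces and case are ignored)."""
    cleaned = key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238: the counter is the number of whole steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


def verify_totp(secret: bytes, submitted: str, server_time: float,
                skew_steps: int = 1, last_used: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Accept the current step and +/- skew_steps neighbours; never accept a step already consumed.

    Returns (accepted, step_to_remember). The caller stores the returned step and passes it back
    as last_used on the next login, which is what stops a code that was read over someone's
    shoulder from being replayed within its 30-second window.
    """
    current = int(server_time) // STEP_SECONDS
    candidate = submitted.replace(" ", "")
    for step in range(current - skew_steps, current + skew_steps + 1):
        if last_used is not None and step <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, step), candidate):
            return True, step
    return False, last_used


def demo() -> dict:
    """Constructed walkthrough using the RFC 6238 reference secret, not a real registration."""
    secret = decode_setup_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")  # Base32 of b'12345678901234567890'
    server_now = 1_234_567_890                      # fixed so the result is reproducible
    phone_ok = totp(secret, server_now + 20)        # phone clock 20 s fast: still the same 30-s step
    phone_bad = totp(secret, server_now + 240)      # phone clock 4 min fast: 8 steps ahead
    accepted, used = verify_totp(secret, phone_ok, server_now)
    replayed, _ = verify_totp(secret, phone_ok, server_now + 5, last_used=used)
    skewed, _ = verify_totp(secret, phone_bad, server_now)
    return {
        "code": phone_ok,                     # "005924" for this secret and time
        "accepted": accepted,                 # True
        "replayed": replayed,                 # False: same step already consumed
        "clock_skew_rejected": not skewed,    # True: outside the +/- 1 step tolerance
    }
```

Two consequences follow directly from the math. First, the setup key is the whole secret: anyone who photographs the QR code or copies the key can generate the same codes, which is why it is shown once during pairing and why de-registering a lost phone matters. Second, a manually set clock that is off by more than the server's tolerance (one step either side here) produces codes that are valid but for the wrong moment, and the login fails exactly as the "Before you start" note warns.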
FAQs
How Does Multi-factor Authentication (MFA) Work?
Once you have signed up for MFA, when you attempt to access a protected university application from off-campus you will be prompted to enter your username and password as usual (the first "factor"). You will then be taken to the MFA screen, where you select the verification method you have set up (SMS, email or Google Authenticator) to confirm that it is really you (the second "factor").
Why do I need this?
Passwords are becoming increasingly easy to compromise: they can be stolen, phished, guessed or cracked. New attack techniques, combined with the small pool of passwords most people reuse across many accounts, increase the risk that one leaked password opens several doors.
What is a verification code?
How does it differ from a password? A verification code is a one-time-use number used for Multi-factor Authentication; it is sent by SMS (if set up) or by email. Unlike a password, it is valid only for a short time and only once, so a code someone else managed to read is useless after you have used it or it has expired.
Do I need to set-up email and phone verification?
Only one is required either email or phone verification, but we strongly recommend that both are set-up to enhance the security of your account.
What if I'm not receiving the verification text message?
If you are not receiving the verification text message, make sure you are prepending your country code to the phone number. The country code for the US is "1".
If you are including the country code but still do not receive the text message, contact your mobile carrier and ensure that your account is set up to receive short-code SMS messages.
What applications are protected?
All the applications that perform Single Sign-On from Gateway such as Office365, Self-Service Gateway, Canvas, ID Cards, etc.
How often am I going to be prompted to verify my access?
Every time Password Manager detects unusual activity. Password Manager learns the locations you commonly sign in from and registers your devices as you use them. If it detects a login from outside Texas it will prompt you for MFA; if it detects a login from an unknown device it will prompt you for MFA; and if you change your Account Settings it will prompt you for MFA.
What if I don't have a secondary email address?
Many free email services are available, and creating an account usually takes just a few minutes. Below is a short list of free email services:
- Gmail
- Yahoo! Mail
- ProtonMail
- Mail.com
New MFA Factor!
Google Authenticator is now available as a multi factor authentication (MFA) method for accessing Gateway and any other application linked to your St. Mary's account!
The Google Authenticator app provides a constantly changing MFA code that you can use without having anything texted or emailed to you. Once you have set it up, Google Authenticator appears as an additional MFA option when you sign in to your Gateway account: choose it, enter the code from the app and you're in!
The benefits of an app like Google Authenticator are that there is no SMS message or email in transit to be hijacked, your MFA codes live in one place on your phone, and they are generated on the device itself, so they are available even when your phone has no signal or is offline.