Introduction to multi-factor authentication
Multi-factor authentication (MFA) is an electronic authentication method which requires you to log in using two different mechanisms. In UCT's case, this would mean using your UCT network password along with authenticating via an app on your smartphone (or a verification code sent to you via SMS).
Cybersecurity attacks are on the rise, and universities are a huge target, given the amount of personal and sensitive data they hold. With email and other online communication methods (e.g. Teams) being so critical in how we operate – especially during remote working and learning – MFA is essential to keep your UCT account, your data, and UCT's network safe.
We have enabled MFA on all UCT accounts. This applies to ServiceNow, Mimecast, LinkedIn Learning, the UCT VPN, and UCT Microsoft 365 accounts – which includes Outlook, Teams, and other Microsoft Office applications. It will be expanded to other UCT services in due course.
Navigating this article:
If... | Then... |
---|---|
You are setting up MFA on your account. | Follow these instructions to set up MFA on your account. |
You have set up MFA on your end, and ICTS has enabled MFA on your account. | Follow these instructions to authenticate the first time you open an MFA-enabled service on a device or browser. |
You need to update your authentication method at some point in the future. | Follow these instructions to change your authentication method. |
You want to set up MFA on a second device. | Follow these instructions to set up MFA on a second device (note: the second device must use the authenticator app). |
You access UCT data via applications that use legacy protocols - such as an old email client. | Follow these instructions to find out how legacy protocols will be managed and what you need to do. |
You need help with MFA setup, authentication, or legacy protocols. | Contact the IT Helpdesk for assistance. |
You have questions about MFA that are not answered in this article. | Visit the Multi-factor authentication FAQs article to find an answer. |
Set up MFA on your account
When you first use your UCT account, please follow these steps to set up MFA. If you do not set it up immediately, you will be prompted to do so when you open an MFA-enabled service (e.g. Outlook, Teams, or OneDrive).
Configure your account and set up the mobile app
* Note: If you do not have a smartphone, please follow this procedure instead.
- On your computer, open the Outlook web app, log in using your UCT credentials (staff / student number@wf.uct.ac.za and UCT password), then click Next. If you are already logged in, simply click Next.
- On the Additional security verification page:
- From the Step 1 drop-down menu, select Mobile app.
- Under How do you want to use the mobile app?, select Receive notifications for verification then click Set up.
- A Configure mobile app page opens, containing a QR code.
- On your mobile phone, install the Microsoft Authenticator app by Microsoft Corporation. (To ensure that you install the correct app and not a fake app, please email the following link to your phone: https://www.microsoft.com/en-us/security/mobile-authenticator-app)
- On your mobile phone, open the app:
- On the privacy page, tap I agree.
- On the next page, in the top right-hand corner, tap Skip.
- On the next page, tap Add account.
- On the next page, tap Work or school account.
- You may be asked to allow the Authenticator app to use your camera / take pictures and record video. Allow the app to do so.
- Point your phone camera at the QR code on your computer screen (i.e. where you are setting up MFA).
Note: If you then get a message about App Lock being enabled, tap OK.
- On your computer, click Next.
- Once your authentication activation status has been checked, click Next.
- On your mobile phone, an Approve sign-in? notification will pop up.
- Tap Approve.
- Enter your phone’s screen lock PIN / password / pattern / biometric data if enabled (e.g. fingerprint).
- You are now signed in to your UCT Office 365 account on your computer.
- In the authenticator app, tap the 3 dots / 3 lines in the top-right corner then tap Settings.
- Ensure that App Lock is enabled. (It may already be enabled by default, but if not, please enable it.)
- On your computer, the Additional security verification page will be displayed: Step 3: In case you lose access to the mobile app.
- In the left-hand drop-down menu, select your country [e.g. South Africa (+27)].
- In the right-hand text box, enter your mobile phone number – including the 0 at the start of the number (e.g. 082 1234 567) then click Done.
- On your computer, sign out of the Outlook web app, or close Microsoft Teams.
- When you try to log in to these services again, you’ll need to authenticate via the app. This will be required only once per computer or browser.
The authentication app is now your primary authentication method, while SMS to your mobile phone will be a backup in case you do not have a data connection.
Configure your account and set up your non-smartphone
- On your computer, open the Outlook web app, log in using your UCT credentials (staff / student number@wf.uct.ac.za and UCT password), then click Next. If you are already logged in, simply click Next.
- On the Additional security verification page:
- From the Step 1 drop-down menu, select Authentication phone.
- In the next drop-down menu, select your country [e.g. South Africa (+27)].
- In the right-hand text box, enter your mobile phone number – including the 0 at the start of the number (e.g. 082 1234 567) then click Next.
- A verification code is sent to your mobile phone.
- On your computer, enter the verification code then click Verify.
- Upon successful verification, click Done.
- If you are prompted to log in again, do so using your UCT password then enter the new verification code sent to your mobile phone and click Verify.
Using MFA for later sign-ins
Once MFA is enabled, when you open a UCT MFA-enabled application (e.g. Outlook, Teams, OneDrive, ServiceNow) on a different device or browser, you will be prompted to approve the login. Your method of authentication will vary based on which mechanism you are using.
* Note: Authentication is only required the first time you access your account on a computer / mobile device or browser. Thereafter, you won’t need to authenticate again unless you sign out of your account.
I’m using a mobile phone verification code to authenticate
- A verification code will be sent to your phone.
- On your computer, enter this code.
I'm using the mobile app to authenticate
- On the device you’re trying to sign in with, an Approve sign in request window will come up, including an authentication number. Take note of this number.
- On your phone, tap the Approve sign-in? message.
- A window will appear asking you to Enter the number shown to sign in.
- Enter the number which appeared in step 1 above, then tap Yes.
- When prompted, enter your phone’s screen lock PIN / password / pattern or, if enabled, biometric authentication (e.g. your fingerprint).
- The authentication process is complete.
Change your authentication method
Depending on your circumstances, you may need to update your authentication method at some point in the future. If any of these circumstances occur, please update your authentication immediately:
Circumstance | What to do |
---|---|
I changed my mobile phone number | |
I no longer want to use my mobile phone number for the authentication service | Important: Please do not use this option unless you’ve already set the Authenticator app as your default authentication method. |
I've been using the authenticator app, and I want to add my phone number as an SMS backup option | |
I have been authenticating via an SMS verification code, but I now want to use the mobile app for authentication | |
I’ve gotten a new smartphone and want to use the app for authentication on my new phone | |
Set up MFA on a second device
If you’d like to set up a second mobile device (i.e. tablet or smartphone) to complete multi-factor authentication for your UCT account, follow the instructions below. Note that adding a second device works with the Microsoft Authenticator app only. You cannot set up a second device to use SMS verification.
- Make sure you have your first authentication device on you, as you will need it to set up the new device.
- On your second device, install the Microsoft Authenticator app by Microsoft Corporation. (To ensure that you install the correct app and not a fake app, please email the following link to your device: https://www.microsoft.com/en-us/security/mobile-authenticator-app)
- Once installed, open the app then tap Add work or school account, then tap Sign in. (Note that on some devices, you may be taken directly to the sign in screen without having to tap Sign in.)
- Enter your UCT staff / student number@wf.uct.ac.za then tap Next.
- On the UCT sign-in screen, enter your UCT password then tap Sign in. If you are prompted to enter your password again after this, do so.
Note: On some devices, you may be presented with a Verify your identity screen at this point. If this is the case, select the method that matches your first device’s authentication option (i.e. SMS verification or app).
My first device uses the app
- On your second device, tap Approve a request on my Microsoft Authenticator app.
- On your first device, tap the Approve sign-in? notification.
- A window will appear asking you to Enter the number shown to sign in.
- Enter the number which appeared on your second device, then tap Yes.
- When prompted, enter your device’s screen lock PIN / password / pattern or, if enabled, biometric authentication (e.g. your fingerprint).
My first device uses SMS verification
- On your second device, tap Text + XX-XXXXXXXXX.
- A text code is sent to your first device.
- On your second device, enter the text code, then tap Verify.
- Upon successful verification, tap Done.
- Return to your second device. On the Sign in with your phone page, tap Continue.
- On the next page, tap Register to register the new device for MFA.
- When prompted, enter your device password / pattern / biometric sign-in.
- On the Account added page, tap Continue / Finish.
- In the authenticator app, tap the 3 dots / 3 lines in the top-right corner then tap Settings.
- Ensure that App Lock is enabled. (It may already be enabled by default, but if not, please enable it.)
Your second device is now ready to use for MFA verification. When you try to sign in to one of your UCT MFA-enabled services on a new browser or device, you'll get a prompt asking you to verify your identity. You can now verify on either your first or second device:
Verify on your first device | |
---|---|
Verify on your second device | |
Outdated authentication protocols
Some customers may be using applications, such as an email client, that are outdated or have been configured using legacy authentication protocols. This presents a challenge, as these protocols are more vulnerable to attacks by cyber criminals, which puts both the customer and the UCT network at risk. ICTS has enabled a policy prohibiting the use of legacy authentication protocols, ahead of Microsoft discontinuing support for these protocols in October 2022. So, if you are using these, you will need to upgrade your application, as these protocols are no longer able to access UCT data.
How do I know if I'm using legacy protocols?
Legacy protocols generally come into play when you access your UCT email via an older client that uses IMAP, SMTP, or POP3. Examples of these include Outlook 2010, older versions of Apple Mail, and older versions of the Gmail mobile app (where the customer connects their UCT email account to the Gmail app). A list of legacy protocols which are not compatible with MFA is provided in our FAQs article.
If you are impacted by this, we have sent an email to you and ask that you please follow the requested instructions immediately.
Alternatively, if you're concerned that you may be using legacy protocols, please contact the IT Helpdesk for assistance.
What do I need to do?
If your application is using legacy protocols, please update it to one that uses modern authentication. For example, when it comes to email clients:
- For PCs / laptops / Mac computers: We recommend using Outlook 2016 or later.
- For mobile devices: We recommend the latest version of the official Outlook app (available for Android and iOS). Once you have downloaded the app, use this information when setting it up with your UCT email account.
When do I need to do it by?
ICTS prohibited these protocols in September 2022, so if you were impacted, you will need to update immediately if you want to retain access to your UCT data.