Multi-Factor Authentication (MFA) is the process of using two forms of identification (factors) to access ACU systems while off-campus:
This is called authenticating. You may be familiar with this from using MyGov or your Internet banking.
MFA means that even if someone figures out your email and password, they still won't be able to log in to your ACU account. This is because the system won't let them in without the second piece of ID - which is only available through your mobile phone.
MFA is compulsory for all ACU staff.
How does it work?
You'll first need to register for MFA.
The day after you enrol your device in MFA, you will need to re-authenticate your devices (e.g. laptop, mobile phone) using an application or by entering a code delivered by SMS. After that, you will need to do this only when accessing an ACU system from outside of the network.
'Outside of the network' means off-campus or disconnected from VPN.
You can choose for your device to remember you for up to 14 days.
There are two ways to receive authentication prompts - MS Authenticator App and SMS. ACU strongly recommends you set up MS Authenticator as the main authenticator and receive SMS as backup.
The Authenticator app is the preferred ACU option because:
Which applications are protected by MFA?
How to use MFA
What do I do if I monitor a generic account such as an email for a department?
Generic accounts such as 'cyber-security@acu.edu.au' are not subject to MFA, which means your experience will not change.
What if someone shares their login details with me so I can act on their behalf?
The most common scenario for people sharing credentials is managing inboxes and calendars. MFA enforces a more secure way of sharing these responsibilities, called Delegate Mailbox Access. This provides a much better experience as well as a more secure one, because you won't need to enter different details to access anyone's account. You will log in as yourself, act as yourself, but appear to be acting as someone else.
If someone has shared their details with you, please raise a ticket with Service Central to get the right permissions set up.
How often will I need to use MFA?
Each device can be told to remember you for 14 days. Just select "Don't ask again for 14 days" when you authenticate. You will also need to authenticate when you switch browsers (e.g. from Chrome to Windows Explorer).
You'll also need to MFA if your IP address changes - this can be caused by connecting and disconnecting from the ACU network or other network changes.
Will I be charged to receive an authentication SMS?
Some phone carriers may charge for text messages and this will depend on your individual circumstances with your provider. ACU recommends the Microsoft Authenticator app to avoid SMS charges, though charges will apply as above if you need to use SMS as a backup authentication option.
How often will I be prompted for MFA?
Many factors inform how frequently you'll need to use MFA. Remember that you need to MFA on each device where you access ACU systems, so the advice below applies to each device.
Generally, if you choose 'Remember me for 14 days' when you authenticate, your device should remember you and you won't need to use MFA again for two weeks.
Some exceptions include:
What do I do if I receive a challenge unexpectedly?
If you receive an MFA challenge you don't recognise (e.g. you aren't currently attempting to access any ACU systems), you should immediately decline the prompt and report it.
Do I need the Microsoft Authenticator app on every device where I access ACU applications?
No. You only need to install the authenticator app on the device where you will receive authentication requests (e.g. your mobile). All other devices (e.g. laptop) will be linked to the authenticator app that's on your mobile.