|Technical Rating: |
|Published Date : 04 Dec 2017
Last Updated : 24 Jan 2022
Content Ref: TEC5941143
|What is Multi Factor Authentication? |
Multi Factor Authentication (MFA) is a process to allow RM Unify to verify your identity with more certainty than by using just a password. It is well understood that passwords can be guessed or stolen, so having to additionally provide an MFA verification code gives us stronger proof that your account has not been compromised.
For RM Unify, the verification code is generated by an app on your mobile device. This approach is used by many web-based services and will become more commonplace as the security of passwords comes under further scrutiny in everyday life. As such, if you are asked to verify using MFA, you will need to install an app on your smartphone and register this with RM Unify.
By default, your RM Unify establishment has no apps protected by MFA, so you will never receive an unexpected prompt for a verification code. However, your IT team may decide to protect with MFA some RM Unify apps that contain sensitive data.
Linking your device to your RM Unify account
Your IT team may decide that they want to protect some of your establishment's cloud resources with MFA. In order to continue accessing these cloud resources, you will need to:
- Install one of the supported authenticator apps on your mobile device. These can be found in the app store on your device, for example:
- Google Authenticator.
- Microsoft Authenticator.
- Link your device to your RM Unify account:
- Sign into RM Unify using the web browser - this can be on your school computer, personal computer or mobile device.
- Go to My Profile by clicking your name in the top right of the toolbar.
- Go to the Multi Factor Authentication tab.
- Follow the instructions to link your device to your account.
The process is complete.
Accessing protected apps
From now on, if you try to access an app which is protected with MFA, you will receive a prompt from RM Unify in the browser requesting that you verify your identity. To do this:
- Take out your device with the authenticator app installed.
- If you have multiple accounts registered in the app, find the entry corresponding to your RM Unify username.
- Type the six digit code generated in the authenticator app into the RM Unify web page.
The process really is that simple.
If you lose access to your device
There are occasions where you may need to access a cloud app that is protected with an MFA verification code, but may not have access to your device - for example, you could lose your device, break your device or accidentally leave your device at home. If this happens, you will need to contact your IT team and ask them to unlink your previous device.
Specifying which apps are protected with MFA
By default, none of your apps are protected with MFA. For each SSO app connected to RM Unify, you can specify the MFA requirements for each role: students, teachers, non-teachers, governors and super admins. For each role you can set the MFA requirement to:
- NONE - MFA is never offered.
- OPTIONAL - If a user has enrolled for MFA, they will need to give a verification code to access the app. If they have not enrolled for MFA, they can access the app without verification.
- REQUIRED - Users will not be able to access the app without passing an MFA challenge.
Having these three levels allows you to ratchet up the security level, allowing early adopters and security conscious users to protect their account with MFA, before you require this of all users.
Viewing user MFA enrolment
RM Unify super admin users can see the state of MFA adoption in their school via the User list in the Management Console. There are two filters of interest:
- Users enrolled for MFA.
- Users not enrolled for MFA.
This allows you to assess how many of your users are ready for MFA and how many are yet to enrol their device.
Helping users to enrol a new device
Students and staff users cannot unenrol in MFA themselves, to allow them to link a new device. Therefore once a user has registered for MFA, they cannot provide an MFA verification code in the event they lose, break, or just forget their device. This is a security feature and prevents someone who has obtained the user's password to link their own device in place of the original device.
In these scenarios, as RM Unify super admin you can clear the user's MFA enrolment so that they can go back into My Profile and link a new device. To do this:
- Find the user in the User list, possibly using the Users enrolled in MFA filter.
- Click the Actions button and select 'Clear MFA enrolment'.
- Click OK to confirm.
- The user can now link their account to a new device from My Profile.
|Do I have to get my phone out whenever I access RM Unify?
||No. Access to the Launch Pad itself is never protected with MFA. The RM Unify super admin chooses to protect specific cloud apps themselves, so the prompt for a verification code is seen when accessing one of those apps, after clicking the app tile on the Launch Pad. Additionally the super admin may also have chosen to require MFA for super admin access to the RM Unify Management Console.|
|Does RM Unify remember that I have provided verification code for my entire session?
||Yes, once you have verified your identity by providing the verification code, you will not be prompted for the rest of your RM Unify session (until you sign out or shut the browser).|
|What if something goes wrong?
When you get prompted for MFA verification, you get five chances to type in a valid code. After these chances have been used up, the account is locked out for one minute and you will be signed out. The account automatically unlocks after one minute, so you can try again without reaching out to the IT team.
If your code is repeatedly getting rejected, it is possible that you are providing the verification code for the wrong account. Check that the user you are signed into RM Unify with matches the account name shown in your authenticator app.
Check that the time on your smartphone is correct. The authenticator app on your phone will generate verification codes that are time-relative and time-sensitive. If possible, configure your phone to automatically use network-provided time, wait for a new code to be generated by the authenticator app and retry.
|What if I have multiple RM Unify accounts?
||You can link multiple RM Unify accounts to a single authenticator app. You do not need one device per RM Unify account.|
|Can I use a shared mobile device to generate the verification code?
Yes, although this does not provide quite the same level of security as a one-to-one device.
On multi-user shared devices, i.e., the device is always logged on, the authenticator app on a device can be linked to many accounts in RM Unify. When the authenticator app is opened, the usernames of all the RM Unify accounts will be listed so that you can identify the correct verification code to enter.
On single user shared devices, i.e., those you need to log on to, the authenticator app will just show the RM Unify accounts that have been connected to that device for your user.
|Can I link an account to multiple devices?
||Yes, this is possible but not recommended in most cases. During the MFA enrolment process, you snap a QR code with the camera to link the device to their account. At this time it is possible to snap the QR code with multiple devices, so that they can all be used to provide the verification code. |
|Should we use personal devices or school owned devices to generate the verification code?
This is a policy decision for the school; there is no one right answer. Many organisations allow both device types to be used, as there is limited security implication of using a personal device.
For school owned, managed devices there are a couple of fringe benefits to be aware of:
- The authenticator app can be installed to the device using MDM tools.
- A lock screen passcode policy can be enforced on the device protecting access to the authenticator app in the event of device theft.
|What ways are there to verify my identity with MFA?
We use the 'Time-based One Time Password' (TOTP) standard, which is supported by dozens of smartphone apps, Windows, Linux and browser extensions. However, we only test the process with the following recommended apps:
- Google Authenticator.
- Microsoft Authenticator.
|Do I need a Google Workspace account to get an authenticator app?
||No, you do not need a Google Workspace or Google account. So long as you have an iOS, Android or Windows Phone device, you can download an authenticator app and use it.|
|What are my options if I do not own a smartphone, or if the camera is disabled?
||We currently do not support alternative mechanisms to generate the authentication code.|
|Do I need connectivity on my smartphone to run the authenticator app?
||No. The device running the authenticator app does not need a network connection, so can run without Wi-Fi and mobile data. |
|What levels of MFA can I set for each app?
Within your establishment, the RM Unify super admin can choose for each app and for each role whether MFA is:
- OFF - Never do an MFA check for this app.
- OPTIONAL - If the user has enrolled in MFA, request a verification code, otherwise allow them to skip the check. This is a great way for you to understand how MFA works prior to rolling it out school-wide, or to give those security conscious staff more protection.
- REQUIRED - Users must pass an MFA check before they can access this app. If they have not enrolled yet, they will be blocked and directed to My Profile to enrol their device.
|As an RM Unify super admin, how can I configure which apps require MFA?
From the Multi Factor Auth page in the Management Console (via Sign In & Security) you are able to configure which apps require users to provide MFA verification. Because changing these settings affects the security of your organisation, we will protect the Management Console itself with MFA for RM Unify super admin users only.
|Can I choose to bypass MFA for devices on my local network?
MFA is a great protection against remote attackers who have obtained your user passwords, but does create an additional burden for users logging on every day.
We realise that if traffic originates from your local network, it is less likely to be fraudulent. Therefore we plan to allow you to allow users to bypass MFA for all traffic that originates from your network, as identified by the public IP address that the users appear from (more details under the Safety and Security card on the ProdPad board). We plan to give you this option in a future release of RM Unify, which will protect you from the remote attacker scenario, but does lower the bar for in-school, on-network impersonation. You can 'upvote' this improvement suggestion for release via the Ideas page.
|What if a user forgets their device but the app requires MFA?
||There is no way to bypass MFA for a single user if you have set the MFA status to REQUIRED. Therefore, the RM Unify super admin will need to clear the MFA enrolment for the user (as described above) and ensure that they have access to a separate device that can generate an MFA verification code for them. |
|Is there any impact on MFA if I change the username of a user?
When the user enrols in MFA, the authenticator app captures their username at that point and shows it in the app. If you later change the username of that user, the authenticator app will still show the old username, but the verification code generated will still be valid. So the user could continue like this with no ill effects, but in the long term it might cause confusion to the user if they use the authenticator app for other accounts.
To rectify this issue, the user should remove the account from their authenticator app and an RM Unify super admin can remove their MFA enrolment. This allows the user to re-enrol in MFA, snapping the new QR code, which will show the correct username in the authenticator app.
|Is there any impact on MFA if a user transfers between establishments?
The user stays enrolled in MFA - this is a property of their user account.
However, the set of apps that are protected by MFA may differ in the new establishment. This means that the user's experience of when they get prompted for a verification code may change after they have transferred.
|How does this work with Microsoft 365 (Azure AD) MFA?
The two MFA processes are entirely independent, so we recommend that you choose to use either RM Unify MFA or Microsoft 365 (Azure AD) MFA.
If you were to enable both it would require a user to answer an RM Unify MFA challenge before getting access to Azure AD, then an Azure AD MFA challenge before gaining access to Microsoft 365.
|How does this work with Google Workspace 2-Step Verification?
When a user signs in to Google Workspace via RM Unify, any Google Workspace 2-Step Verification configuration is not applied to the user, with the following two exceptions:
- The user is a Google Workspace Admin user. These users sign in directly to Google Workspace, bypassing RM Unify and, therefore, their logon is subject to Google Workspace 2-step Verification.
- The user is signing into a Chromebook (Chrome device) using RM Unify Chromebook SSO. Please see the 'How does MFA work with Chromebook SSO?' question below.
Please see the 'How does MFA work with Chromebook SSO?' question below, for more information on the Google Workspace limitation: https://support.google.com/a/answer/175197?hl=en.
|How does MFA work with Chromebook SSO?
When a user signs into a Chromebook (Chrome device) using RM Unify Chromebook SSO, RM Unify MFA for the Google app does not apply, i.e. when the user launches RM Unify and clicks any Google tile, they will not be presented with MFA. This is because there is already an active Google session due to the Chromebook SSO sign-in.
Admins can instead enable Google 2-step Verification, which will appear for the configured users after they enter their username and password when signing in to the Chromebook - https://support.google.com/a/answer/9176657?hl=en.
|MFA is enabled, why do I not get prompted?|
If you have MFA enabled for Microsoft 365, for example, but find that when you click the relevant tile, you go straight to the app and are not prompted to enter an MFA code, this may be because you have already previously logged in on your device, completed MFA and still have an active session with the app in question. You can confirm this by either logging on to a device you have not previously logged on to, or by opening an Incognito or InPrivate browser session and retrying access to the app.
If you have MFA enabled for multiple apps, e.g. Microsoft 365 and the RM Training Academy, you will find that RM Unify will prompt you with MFA for the first app you access but not for any other MFA-enabled app you access in the same session. This is by design - MFA is per RM Unify session and not per app within the same session.
If this article has not helped provide a solution then it is also possible to
log a call...
Document Keywords: mfa, rm unify, unify, multi factor, TEC5941143, 2 factor, two factor, factor, RM Unify Multi Factor Authentication, TEC5941143, 2sv, 2 step verification, 2-step, chromebook, sso, chrome device, 2fa