Introducing Multi-Factor Authentication (MFA)
The college is deploying a new security feature called Multi-Factor Authentication (MFA). MFA is a cybersecurity best practice and is widely used by organizations around the world to protect systems and users. Simply put, you’ll be asked to authenticate on your mobile phone through the Microsoft Authenticator app in addition to logging in to college applications online as an extra layer of security.
MFA Rollout Phases:
Phase 1: ITS Employees & SMC Members. November 14-18
Phase 2: Expansion to all GBC Employees (including Student Employees). November 16–December 9
Phase 3: MFA applied to more applications & rolled out to Students. From December 5 onwards
Set up MFA using the steps below:
Step 1: On your phone:
- Download and install the latest version of Microsoft Authenticator app from the Google Play Store for Android (georgebrown.ca/android) or the App Store for iOS (georgebrown.ca/apple).
- Open the Microsoft Authenticator app.
Within the app, choose + Add account and then choose 'Work or school account'.
- Select Scan a QR code:
Step 2: On your laptop or desktop computer:
- Go to georgebrown.ca/begin.
- If you are not already signed in, select your account and log in as usual using your regular, numbered GBCID@georgebrown.ca and password.
- Select + Add sign-in method:
- Select Authenticator app and then click Add:
- Click Add to progress to the next screen, and then Next to reveal your QR code.
Step 3: On your phone:
- Scan the QR code visible on your computer from Step 2. You will need to allow your phone to take photos while using the app to scan the QR code.
- If you are having trouble scanning the QR code, click on the Can’t scan image option under the QR code to manually enter the code and URL in the app.
Step 4: On your computer:
- Select Next. A notification is sent to the Authenticator app on your phone to test the account.
Step 5: On your phone:
- Approve the notification in the Authenticator app by entering the number shown on your computer, and then select Next.
Frequently Asked Questions
Why is the college adopting multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is used by many organizations worldwide to protect their systems and user data. Implementing MFA makes it more difficult for a threat actor to gain access to college premises and information systems, such as remote access technology, email, and billing systems, even if passwords or PINs are compromised through phishing attacks or other means. The college is adopting it as part of its ongoing efforts to ensure the safety and security of our community.
I am a student who is also an employee of the college. When do I need to set up MFA?
All students who also work as an employee of the college will need to set up MFA between November 16 to December 9, 2022. This aligns with the enrolment of all GBC employees, including student employees.
Can I enroll in MFA early?
You can enroll in MFA as soon as you receive the email to register. For phase 1 (SMC and ITS), the process begins on November 14. For phase 2 (employees and student employees), enrolment is between November 16 to December 9. For Phase 3 (students), the process starts on December 5 onwards.
If I'm using a personal computer, can I still use MFA?
MFA is setup on your phone and can be used to authenticate you whether using a personal or GBC-issued computer, tablet or phone.
I have concerns about using MFA. How should I raise them?
MFA is an important step toward ensuring the cybersecurity of GBC systems and users. The Microsoft Authenticator app is solely used to authenticate your GBC account, and GBC has no access to your personal device(s) after you install the app. Should you have any cybersecurity-related questions or concerns, please email email@example.com
What does this change mean for accessing college applications like Outlook and MS Teams on my phone?
After you have set up MFA, you will be prompted to use MFA before you can access college applications such as Outlook or Teams. When accessing the same content on the Microsoft website (office.com), you will be signed out and have to provide your credentials and MFA before you can log back in and you will be asked to re-enter your MFA code every 16 hours.
Can I opt out of using MFA?
NO. To protect GBC systems and our users, we require all employees and students to use MFA when accessing designated college applications. MFA is being implemented to secure your data and accounts from malicious actors.
How can I learn more about cybersecurity?
Technical Support & Privacy Information
How can I access technical support for MFA?
Technical support is available by calling the Help Desk at 416-415-5000, ext. 4357 and selecting option 1 for MFA support.
What if my mobile phone or tablet does not support the Authenticator app?
The Microsoft Authenticator app is free and available for download from the Apple App Store and Google Play Store. If your phone or tablet can access one of these stores, you should have no issues downloading the Microsoft Authenticator app. If your devices are unable to download the app, please seek an exception by completing the form available at www.georgebrown.ca/exception
I’m trying to sign in and I need to select the number in my app that’s displayed on the sign-in screen, but the notification prompt from Authenticator is blocking the screen. What do I do?
Select the 'I can’t see number' option on the notification so you can see the sign-in screen and the number you need to select. The prompt reappears after 3 seconds, and you can select the correct number then.
How can I scan the QR code?
Click "Verified IDs" at the bottom right of the MS Authenticator app, then select "Scan a QR code".
How is my location information used and stored?
The Authenticator app collects your GPS information to determine what country you are located in. The country name and location coordinates are sent back to the system to determine if you are allowed to access the protected resource. The country name is stored and reported back to the college, but your actual coordinates are never saved or stored on Microsoft servers.
Is registering a device agreeing to give George Brown College access to my device?
Registering a device gives your device access to the college's services and doesn't allow the college to access to your device.
Do I have to provide TouchID or FaceID when opening the Authenticator app?
No. You can turn off TouchID or FaceID for the Authenticator app by taking the steps listed here.
Why can't I use text messages or voice calls to authenticate?
SMS and voice calls are not encrypted. This makes them easier to intercept and both are vulnerable to phishing attacks. Attackers can also trick the phone company's employees into transferring a phone number to the attacker’s SIM card, thus the SMS codes being sent to them instead of you. Authentication apps such as Microsoft Authenticator can work offline despite any outages by your phone carrier. The recent Rogers outage is one example where text messages or voice calls would not have been possible. Also, attackers usually target the weakest link in security and with MFA, SMS is the weakest link.
How can I learn more about the Authenticator app?
Please visit Microsoft's Authenticator app webpage for more information.
I have registered for MFA - why haven't I been asked to authenticate when I log in?
Although you have registered, you won’t be prompted to authenticate until the end of the enrolment period for all employees, on Dec. 9. Starting on that date, you will be asked to authenticate using the Microsoft Authenticator app before you login.
How often will I be prompted to authenticate?
Once you have successfully registered for MFA and the enrolment period is over (Dec. 9), you will be asked to authenticate when logging in. You will be prompted to re-authenticate every 16 hours when using web-based Microsoft applications (via a browser), or 24 hours when using locally installed versions of the applications (MS Teams, Outlook etc.).
What if an employee does not want to use MFA, but they don't qualify for an exemption?
As with all college policies, procedures and guidelines, employees will be expected to abide by the college’s MFA policy as part of their employment with the college. Employees who do not comply and do not have an approved exception will be subject to sanctions/discipline, which could include cancellation of contracts, being placed on an unpaid leave and/or disciplinary action up to and including termination.