Multi-Factor Authentication (MFA)

For many organisations, Multi-Factor Authentication (MFA) has been a requirement as part of the Data Security and Protection Toolkit (DSPT). NHS England has now requested that all organisations are compliant. Read more here.

Reasons why MFA should be used

Multi-Factor Authentication is one of the most effective ways to secure online accounts. It provides enhanced protection against a wide range of cyber threats, ensuring that your sensitive information remains safe. There are several reasons why MFA should be used, including:

1. Enhanced Security – Because MFA requires multiple forms of verification, an attacker who obtains your password will still need the second form of authentication, such as a code from your phone, making access much more difficult.

2. Protection Against Phishing – Phishing attacks aim to steal login credentials by tricking you into entering them on a fake website. With MFA, knowing your password is not enough for attackers. They would also need access to your second factor of authentication, which is typically much harder to compromise.

3. Mitigation of Password Theft – Passwords can be stolen through various means. MFA provides an additional layer of protection in case your password is compromised. Without the second factor, attackers cannot access your account.


MFA and EDGE

EDGE has two methods for MFA: Email or One-time code. Refer to the EDGE KnowledgeBase under the ‘Support’ tab when logged into EDGE for more information on how to install MFA.


Tips for Effective MFA Use

  • Regular Updates: Keep the authenticator app and phone software up to date. If changing phones, ensure the authenticator app is transferred.

  • Monitor Account Activity: Regularly check your account activity for unauthorised access.

  • Use Strong Passwords: MFA is an additional layer, but a strong password is still important.


Account Updates

Forgotten passwords – These can be reset via the Forgotten password link (NB: EDGE will temporarily lock an account after several failed password attempts).

Resetting passwords – As part of the updated security processes, Administrators will no longer be able to reset passwords on behalf of Users. Users can reset their passwords via the Forgotten password process or via their Profile > Identity service.

Usernames – As part of the updated security process, Administrators are no longer able to reset usernames of Users with active accounts. Instead, they will need to delete the Login and recreate it, so that it is updated both on the User's profile page and in our Identity service. We recommend that an email address is used for the username.

New accounts – When a new account is created, a password creation email will be sent. The link in the email is valid for 12 hours and allows the user to set the password for their new account. If the 12-hour window is missed, the user can find their username in the welcome email and use the 'Forgotten Password' functionality, accessed via the Login Page, to set their initial password.

MFA Profile – If you open your MFA account service via the link on your login page, you can view details of approved devices and access dates/times, and you can update your password.

User Profile – Administrators can view which MFA method Users have chosen (if any) through User Profile > Login. They can also set an MFA method on behalf of Users.

For any questions or help on MFA, please email edge@soton.ac.uk