LFS:Ecwl

From UBC Wiki


For many years, faculty and staff have been able to log in to most UBC web applications with just their CWL username and password, regardless of physical location, risk profile, or the information they are accessing. This is a substantial risk, as anyone in possession of stolen CWL credentials can access all information available to that user. UBC has seen the need to add another layer of authentication to ensure its private and sensitive information is kept secure.

It has become increasingly important to protect our student, staff and financial information, as cybercriminals are consistently targeting this data. Implementing multi-factor authentication technology is UBC's best protection against stolen credentials and is a key mitigating tool against spam/phishing emails. Having an Enhanced CWL is already mandatory for high-risk staff in certain areas. All UBC faculty and staff will be required to have an Enhanced CWL by November 2019. At LFS, the onboarding for staff and faculty will start after the community meeting on June 20, 2019 and the onboarding will be completed by November 2019.

What services will be affected?

All services and applications that require a CWL and password to access will now also require a second factor of authentication at the initial login. This includes Virtual Private Network (VPN), Outlook Web Access (mail.ubc.ca), and any CWL-authenticated Web Application (e.g. ServiceNow, SharePoint, Canvas, Qualtrics, etc.). You are required to have at least one of the options below for authenticating your login. However, for added security, you may add as many levels of authentication as you deem necessary.

1. The Duo Mobile application:

The Duo Mobile application can be downloaded on your cellphone to authenticate your CWL login. It can be used to get a push notification to approve your authentication (requiring internet connection) or to get a 6-digit token that acts as an OTP for authenticating your login (does not require internet connection).

2. Phone call:

You can register your landline and cellphone numbers with the MFA system. While logging in, you can select from the multiple registered phone numbers to receive a phone call (the last 4 digits of the phone number will be visible on your login screen). By pressing the keys on your phone dial pad as instructed by the automated voice on the phone call, you can authenticate your CWL login.

3. Physical Tokens:

You can buy physical tokens at the Staff & Faculty purchasing desk at the rear of UBC Bookstore. The physical tokens are of 2 kinds: a ‘traditional dongle’ (token with a button and a read-out screen, for $10) or a ‘connected token’ (small USB device connected to your computer, for $25). The traditional dongle requires you to manually read and enter the 6-digit code, whereas the connected token fills it in for you automatically.

Registering your authentication method

Registering your Phone number and Duo Mobile application (anticipated as the best strategy)

1. Log in to the MFA Device Management Website. Using your CWL username and password, log in to the Self-service MFA Enrollment and Device Management website at https://mfadevices.id.ubc.ca. Click ‘Start setup’ to begin enrolling your phone number/application.

[Screenshot: Enhanced CWL device management login page]

2. Choose Your Authentication Device Type: Select the type of device you'd like to enroll and click Continue. We recommend using a smartphone for the best experience, but you can also enroll a landline telephone, a security key, or iOS/Android tablets.

3. Enter Your Phone Number: Select your country from the drop-down list and type your phone number. Use the number of your smartphone, landline, or cell phone that you'll have with you when you're logging in to a Duo-protected service. You can enter an extension if you chose "Landline" in the previous step. After entering the phone number, double-check that you entered it correctly, check the box, and click Continue. If you don't want to share your phone number, use the "Tablet" option even if you are using a smartphone. This allows you to use the Duo Mobile application without having an associated phone number.

[Screenshots: type of mobile device used, entering phone number, entering phone OS]

4. Choose Platform: Choose your device's operating system and click Continue.

5. Install Duo Mobile App: Duo Mobile is an app that runs on your smartphone and helps you authenticate quickly and easily. For the best experience, we recommend that you use Duo Mobile over phone calls as your authenticator. Follow the platform-specific instructions on the screen to install Duo Mobile. After installing the app, return to the enrollment window and click "I have Duo Mobile installed".

[Screenshot: Install Duo Mobile]

6. Activate Duo Mobile: Activating the app links it to your account so you can use it for authentication. On iPhone, Android, and Windows Phone, activate Duo Mobile by scanning the barcode with the app's built-in barcode scanner. If you do not want to scan the barcode, or it does not work, click "Email me an activation link instead". The "Continue" button becomes clickable after you scan the barcode successfully.

[Screenshots: activating Duo Mobile with the barcode; Duo activation success]

7. Success! You are now successfully enrolled with Enhanced CWL and Multifactor Authentication. Once you are enrolled you can manage any of the authentication methods associated with your account, including adding or removing a device.

Registering your physical token

1.      Once you obtain a physical token, log in to https://mfadevices.id.ubc.ca/secure/tokens. Enter your CWL ID and password. If you are registered for MFA authentication using your phone number, Duo app or a token, you will be asked to authenticate your login.

2.      Enter the serial ID on the back of the token in the entry box on the screen. Click on ‘Submit Token ID’ to register the token with your CWL ID.

3.      Your token will now be registered. You can manage your devices via device management at https://mfadevices.id.ubc.ca/

Steps for using the authentication methods

Using the Duo mobile app

Duo Push

1.       Enter your CWL ID and password on your login screen

2.       Click on 'Send Me a Push'

3.       A notification will appear on the screen of your enrolled device (depending on the security settings of your device you may be required to unlock your device using your passcode or biometrics)

4.       Tap 'Approve' and the authentication screen will be released, allowing you to use the application or service as usual

5.       Tap 'Deny' and the authentication screen will indicate that the login request has been denied and the authentication screen will not be released

6.       You will have 60 seconds to respond to a 'Push'. If no response is received in that time, the request will time out and you will have to send another 'Push'.

One-time Passcode

1.       Enter your CWL ID and password

2.       Click on 'Enter a Passcode'

3.       Open the Duo mobile app

4.       Tap on the account you want to access to get your code

5.       Enter the 6-digit code in the empty field on the authentication screen of the application or service you are attempting to access

6.       Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual

7.       Passcodes expire every 60 seconds. If your request times out, tap on the refresh icon to the right of the passcode and a new set of numbers will appear.

Using a Phone Number (mobile or landline)

1.      Enter your CWL ID and password on your login screen

2.      Click on 'Call Me'. The authentication request will call the phone number that is registered with your account. You will know which number is being called, as the authentication screen will indicate the last 4 digits of the phone number. If multiple numbers are registered, you may select the phone number you want to receive the call on.

3.      Answer the call. A recorded voice will tell you which key to press on your phone's keypad to proceed.

4.      Press the key. The authentication screen will be released, allowing you to use the application or service as usual.

5.      If you answer the call but do not press a key, the authentication screen will indicate that no keypress was detected and will require you to attempt the call again.

6.      If you deny the call, the authentication screen will indicate that the request has been cancelled.

Physical Token

Traditional 'dongle' (token with button and read-out screen)

1.      Enter your CWL ID and password

2.      Click on 'Enter a Passcode'

3.      Press the button on your token

4.      Enter the 6-digit code in the empty field on the authentication screen of the application or service you are attempting to access

5.      Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual

6.      Passcodes expire every 60 seconds. If your request times out, press the button on the token again and a new set of numbers will appear.

Connected Token (token connected to the USB port of your computer, e.g. Yubikey)

1.       Enter your CWL ID and password

2.       Click on 'Enter a Passcode'

3.       Press the button on your connected token

4.       A 6-digit code will automatically be entered in the empty field on the authentication screen of the application or service you are attempting to access

5.       Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual

6.       If your request times out, press the button on the token again and a new set of numbers will appear.

Whether or not you will be asked to authenticate for a particular login session will depend upon your 'context'.

For example, if you are attempting to log in to an application that contains confidential and/or sensitive information, it is highly likely that a second factor of authentication will be required each time you log in to that application. Alternatively, if you are attempting to log in to a system or application that does not necessarily contain highly sensitive or confidential data, but you are attempting to access that application or service from off-campus or during non-regular business hours, you may still be required to present a second factor of authentication before proceeding. You can check the ‘Remember me’ checkbox while logging in to a certain portal. However, this feature uses ‘cookies’ and may reset according to your web browser’s settings. This also means that every new device (e.g. desktop, laptop, mobile phone or tablet) you use to log in to the same portal will require multi-factor authentication.

Note: If you forget your registered device (your cellphone or token) at home, you can still log in with the help of the IT Service Centre. Contact details for the IT Service Centre are at https://it.ubc.ca/got-question-about-it-products-and-support. This includes support when your token runs out of battery or your device is damaged.

If you have lost a registered device (cellphone or token), contact the IT Service Centre immediately to ensure no unauthorized access takes place.

Signing in to the Virtual Private Network (VPN) for Off-campus access

UBC’s Cisco AnyConnect Client provides the VPN connection for off-campus access to many key UBC portals and cloud storage. The login process for the VPN changes slightly when multi-factor authentication has been activated:

1. Open the Cisco AnyConnect Secure Mobility Client

[Screenshots: UBC VPN select URL; UBC VPN login with username and password]

2. Enter your username and the VPN pool you wish to connect to along with your password

  • The new additional step is to type “@” after your username, followed by how you want to authenticate:
      Duo App: Enter username.vpnpool@app (or username@app, depending on which VPN you are using) if you wish to authenticate using your smartphone.
      Phone Call: Enter username.vpnpool@phone (or username@phone, depending on which VPN you are using) if you wish to authenticate by a phone call either to a landline (deskphone) or mobile phone.
      Passcode: Enter username.vpnpool@****** (or username@******, depending on which VPN you are using) if you wish to authenticate using a passcode generated by a hardware token or a soft token using the Duo app.

Please note: The * characters stand for the unique code generated for a particular authentication instance. Enter the numbers as they appear on your token after the @, not the actual asterisks.

  • If any information is entered incorrectly or forgotten, you will see an error message reminding you of the extra information required to authenticate.

3. Once entered correctly, an authentication request will be sent to your method of choice

[Screenshots: VPN login Duo Push to confirm login; Duo Push confirmed by user and successful login]
  • You will not see a separate message on the AnyConnect client specifying that a response is waiting
  • You will know that the authentication has been approved when the AnyConnect dialog box changes to “Establishing VPN Session”

4. Once a connection is established you will be able to proceed as usual

The AnyConnect client will recall the information entered from your previous session.

If you authenticate with Enhanced CWL using the same method for each request, you will simply:

1.      Open the Cisco AnyConnect Secure Mobility Client

2.      The username and method of authentication will already be populated

3.      Enter your password and click ‘Okay’

4.      An authentication request will be sent to the method specified

5.      You will know that the authentication has been approved when the AnyConnect dialog box changes to “Establishing VPN Session”
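
The username format from step 2 of the VPN login, written out as a validator. This is an added example, not part of the original page and not UBC's, Duo's or Cisco's own code. It assumes usernames and pool names contain only letters, digits, '_' and '-'; the sample account and pool names are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: usernames and pool names contain only letters, digits, '_' and '-'.
_ACCOUNT_RE = re.compile(r"([A-Za-z0-9_-]+)(?:\.([A-Za-z0-9_-]+))?")
_PASSCODE_RE = re.compile(r"[0-9]{6}")


@dataclass(frozen=True)
class VpnLogin:
    username: str
    pool: Optional[str]      # None when the VPN profile takes a bare username
    method: str              # "app", "phone" or "passcode"
    passcode: Optional[str]  # set only when method == "passcode"

    def for_log(self) -> str:
        """Render the login string with any passcode masked."""
        account = self.username + (f".{self.pool}" if self.pool else "")
        suffix = "******" if self.method == "passcode" else self.method
        return f"{account}@{suffix}"


def parse_vpn_login(value: str) -> VpnLogin:
    """Parse 'username[.vpnpool]@app|phone|<6 digits>' or raise ValueError."""
    account, sep, factor = value.strip().rpartition("@")
    if not sep or not factor:
        raise ValueError("add @app, @phone or @<6-digit passcode> after the username")
    match = _ACCOUNT_RE.fullmatch(account)
    if not match:
        raise ValueError("expected username or username.vpnpool before '@'")
    username, pool = match.groups()
    if factor in ("app", "phone"):
        return VpnLogin(username, pool, factor, None)
    if _PASSCODE_RE.fullmatch(factor):
        return VpnLogin(username, pool, "passcode", factor)
    if set(factor) == {"*"}:
        raise ValueError("type the digits shown on the token, not asterisks")
    raise ValueError("unknown method: use app, phone or a 6-digit passcode")


# Constructed sample inputs (not real accounts or pools).
SAMPLES = ["jsmith.examplepool@app", "jsmith@phone", "jsmith.examplepool@123456"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_vpn_login(sample).for_log())
```

Because the passcode travels in the username field, `for_log()` masks it before the string is written anywhere.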