Information Services Division


Multi-factor Authentication for all UCL staff

9 February 2021

In our continued effort to improve information security across UCL, we are making a series of changes to increase protection for all staff.
One of the first elements to be rolled out is to enable Multi-Factor Authentication across UCL.
This will initially cover access to Office 365 applications such as email and Teams and it will then be extended in the coming weeks to cover the UCL Virtual Private Network (VPN) and Desktop@UCL Anywhere services.
What is Multi-Factor Authentication?
Multi-Factor authentication, or MFA, is a feature that asks you for more than just your username and password when you log in. It requires something you know (e.g. your UCL password) plus something you have (like your phone or a token). It’s another layer of protection that stops others from accessing your account, even if they stole your password. Because of the security benefits provided by MFA, we will be introducing it to give an additional layer of protection for our core services and data.
Attacks are on the increase across the higher education sector and recently two universities have fallen foul of these intrusions which resulted in them being unable to operate for a significant period. We are keen to reduce the risk of something similar happening at UCL.
The university holds a large quantity of personal data, for both staff and students, as well as confidential research data with commercial value, which an industry standard technology such as MFA can help protect. 
The heightened public awareness of UCL's research work in response to COVID-19, and the fact that most of us are working online means there is a greater risk of successful attack which could lead to data breaches and unauthorised system access.
What is the approach?
Following a successful pilot and rollout to Professional Services, the project now plans to introduce MFA across the rest of UCL with the aim of having all staff enrolled by Easter 2021.
What will this mean for me? 
The implementation of MFA will mean that an extra authentication step may be required when accessing Office365 applications.

Initially, you will receive an email from the MFA project mailbox asking you to register for Multi Factor Authentication.
If you have accessibility requirements and have been invited to register for MFA, please email the MFA project directly if you have any queries. 
When will this be taking place? 
The rollout of MFA will be done in batches, commencing this week (8th February 2021) with Brain Sciences, and will continue over the next few weeks. Look out for the email inviting you to sign up for MFA.  If you were enrolled as part of the Professional Services pilot, you will not be asked to re-enrol.
Where can I find out more?
Further information, a list of FAQs and an explanatory video can be found on the Stay Secure area of the ISD website.

If you have any other questions, please contact your local IT support or you can email the MFA project team directly.
Thank you.
MFA Project Team