You probably know that a good password is important, and perhaps SDU IT has asked you to change your password over time because it was not secure enough. But a good password alone is unfortunately not enough. Therefore, since 2020, SDU has operated with MFA (Multi Factor Identification) on SDU's units and using internal SDU services. MFA is the supplement to your secure password, where the combination of both password and another factor - typically your mobile phone - provides significantly greater security so that only you can log into your SDU account.
Due to current increased cyberthreats, we have an urgent need to tighten the framework for MFA.
This will mean that, depending on which unit you use at SDU and which services you wish to access, you will be required to take MFA more frequently than today.
This is a necessity and will require you to log in with MFA - perhaps repeatedly.
We are very sorry for the inconvenience this causes, but hope for understanding that SDU IT does what is necessary to keep SDU safe.
If you experience problems with the use of MFA, you must contact the Service desk on 6550 2990. Here we will do our best to help you well and possibly also get started in a process where we can bring your SDU IT equipment in a state where MFA does not become a daily bothersome factor.
A little more background on tightening the MFA:
Many Danish airports have just been severely affected by a hacker attack. The weeks before, it was Danish banks. Other universities, companies and public institutions have also been affected in recent weeks and months. And SDU is also a concrete target for hacker attacks.
One of the things hackers very actively go after is identities, or in other words your username and password. With that, they can enter SDU's systems disguised as you. And the hackers are so skilled and have tools that mean that even if they only start by being inside as an "ordinary user", they can easily crawl much deeper into SDU's IT systems and be destructive or whatever the motive is.
That is why we at SDU IT make an effort to take good care of your SDU identity. With due diligence, we want to ensure at all times that we are robust enough to withstand these attacks. But in order for us to do that, we will concretely have to make some strictures on MFA which may have minor or major impacts on your everyday life as an IT user at SDU.
MFA (Multi Factor Authentication) is the supplement to your secure password, where the combination of both password and another factor - typically your mobile phone - provides significantly greater security so that only you can log into your SDU account. At SDU, we have so far run a more "soft" version of MFA, where you were only required to log in if the systems assessed that you were in some risk scenarios. Unfortunately, we will have to tighten the framework for MFA to ensure that your SDU account is not misused.
This will mean that you may encounter MFA login more often - perhaps several times a day. Exactly how you are affected depends a lot on which PC or smartphone you use and which SDU systems you need to access. This affects both Windows, Mac and Linux computers, Android phones and iPhones as well as iPads.
Computers that are not controlled by SDU IT and do not run on SDU's internal network will be affected to a much greater extent than equipment that is set up and continuously updated by SDU IT. For the vast majority of users, there will only be an MFA login once in a while, but if you experience repeated MFA logins during a day, you should contact the Service Desk. Here we will do what we can to help you, depending on what exactly it is in your usage pattern or with your devices that you constantly encounter an MFA login.
If you are not already using an authenticator app on your phone for MFA login, you must set it up as soon as possible so that you get the most secure and good experience.
See how to set up authenticator app on your phone.
You can use your private phone for MFA without any problems. It works completely just as well as a SDU issued phone.
If the Microsoft Authenticator app IS ALREADY configured, go to step 7.
When you log on to a new computer with a new IP address or there is any other doubt about the identity of your user, Microsoft requires a so-called two-factor authentication.
Typically, you will receive an SMS with a code that has to be entered in order for your user account to be verified. This can be a problem if you have changed your phone number.
The Microsoft Authenticator app allows you to verify your account with an app instead of SMS.
1. Go to the page https://aka.ms/mfasetup and log in with your SDU username. Your username is your entire SDU email, and your password is the same one you use to log in in the morning.
2. Once you are logged in for the first time, you will be greeted by the message below.
3. Press ‘Next’.
4. You will now see the page below. Select ‘Mobile app’ from the top menu, then select ‘Receive notifications for verification’.
5. Press the blue ‘Set up’ button.
6. Download the ‘Microsoft Authenticator’ application to your phone and install it.
7. Select ‘Add new account’, then select ‘Work or school account’.
8. The camera opens inside the app and you can now scan the QR code on your computer. (The QR code below cannot be used, as it is only for the purpose of the guide.)
9. When the code is accepted, a 6-digit code is displayed. From now on, this is to be used when you need to authenticate a login from a new computer, if you are abroad, etc.
10. Press ‘Next’. Next to the blue ‘Set up’ button, you will see the message ‘Checking activation status’. Wait for this to finish. You will then get the message ‘Mobile app has been configured for notifications and verification codes’.
Be aware that this can take a long time. Do not close the window.
11. Press ‘Next’. You will now be asked to accept a notification on your phone in the Microsoft Authenticator application – see the image below. Press ‘Godkend’ (‘Approve’).
12. Once you have approved the notification, you will be redirected to the page shown in the image below. If the setup has been done correctly, your phone should appear at the bottom of the page.
13. Select ‘Notify me through app’ from the list at the top and tick the ‘Authenticator app or Token’ box at the bottom.
14. Press ‘Save’ if possible, otherwise the window can be closed.
15. The Microsoft Authenticator app is now set up, so the next time you log in from a new IP address, computer or similar, you will need to use the 6-digit code from the app instead of receiving an SMS.
1. Plug the YubiKey/FidoKey into your computer.
2. Go to MFA.sdu.dk.
3. Click on ‘Add login method’.
4. Select ‘Security key’.
5. Select the USB device, and the configuration can be completed.
In the future, you will be able to choose the YubiKey/FidoKey as the authentication method for logins when MFA is required.
The PIN for Windows 10 clients will be reset. SDU IT has switched to a more secure solution called ‘Windows Hello for Business’ and this requires a re-configuration. For more information on this, see the section at the bottom of the page: ‘Windows Hello in brief’
Please note the following: Once set up, it may take up to 30 minutes for the PIN to work. Legacy devices will not be affected by this and will continue to function as usual.
The next time you log in on your devices, you will be greeted as follows:
1: When you log in to your PC for the first time, you will see this image. Click 'OK’.
2: During setup, you will be asked to verify your identity through MFA authentication. It looks like this:
3: Now set up your new PIN, which must be 6 digits.
Some users will need to set up their fingerprint sensor. Simply follow the on-screen wizard.
4: Click ‘OK’ to proceed to the Desktop.
Windows Hello in brief
Windows Hello helps make the use of PINs on a Windows device more secure. Therefore, SDU IT has decided to use Windows Hello, which is a more modernised way of using fingerprint or other login methods. It’s one step closer to a future without passwords.
In addition, Microsoft has increased the minimum requirements for Windows 10 devices. This means that some devices with a legacy hardware system are unable to support Windows Hello.
Known errors/solutions
If your device does not support the new setup, the following screen is displayed.
Please don’t hesitate to reach out if your device uses legacy hardware or if you are in doubt whether your device is affected by this at servicedesk@sdu.dk or (+45) 6550 2990.
Notifier helps you keep your Mac updated. A notification pops up on your Mac when an approved update from SDU requires your attention.
The notifications will always appear as part of direct communication that is relevant for the Mac you are working on. The notifications may also simply inform you about changes on your Mac that may be relevant to you.
Some of the changes, we can install without you having to do anything, while others require action from you.
When you receive a notification requiring action from you, the icon below will always appear. That is your guarantee that the message comes from SDU IT.
The notifications can appear in slightly different versions. For instance, it can be an ’real’ notification in macOS’ notification center, which will ’pop up’ in the upper right corner of your screen:
It can also be an actual popup that requires an active action from you. An example could be updating macOS:
The final kind of notification you may receive, is a different kind of wizard guiding you through a series of steps or explanations for a challenge that we need your help to install. This could e.g. be enrollment of your Mac into JAMF, which is our tool for managing Macs at SDU.
MFA – Multifactor Authentication at login to IT solutions and services
SDU uses a multifactor authentication (MFA) for various IT solutions and service pages
When you need access to IT solutions and services, it is quite normal to provide a username and password. To optimise the security of some logins, we have a two-factor authentication which ensures that it is you who is logging in.
You are familiar with NemID/MitID, where in addition to your username and personal password you also need a cardboard card with codes or an app to access various services.
MFA at SDU works so that for different services you will be asked to provide extra confirmation after you have logged in with your SDU login (e.g. when logging in outside SDU’s campus)
You have the option of completing this additional login in three different ways:
1) Use the Microsoft Authenticator app. Recommended as it provides the best experience and you don't have to enter a long code.
2) Receive an SMS with a code
3) Receive a call where you need to confirm the login by pressing #Setting up the Microsoft Authenticator App
You will find a guide for installing and setting up your MFA app here.
MFA creation via login to Microsoft or SDU service (browser)
1: First login
The first time you sign in to a Microsoft service page or SDU page through your browser, you will be greeted by this message:
You will be asked if you want to create MFA now or postpone for 14 days – we recommend that you do it immediately
To create MFA, click on ‘next/næste’ and begin the setup procedure.
2: Select authentication type
Here you select ‘Phone number (authentication)’ and enter the phone number that you want to use.
Then choose whether you want to be called or receive a text message, and then click on ‘Contact me’
3: Approve registration
Your registration must be approved, and you will therefore receive a text message or a call (whichever you have chosen) and thereby approve the registration
Your MFA is now ready to use
You can also create you MFA at aka.ms/mfasetup
Sidst opdateret: 25.05.2023