What is MFA?

Multi-factor authentication (MFA) adds a second layer of security to your login process; in addition to your password, a second factor such as the Okta app on a smartphone, a text message, phone call or portable key will be used to verify your identity.

What is Okta?

Okta is the cloud based single sign-on (SSO) provider that Colby uses.

What is SSO?

Single sign-on (SSO) is a process that allows non-Colby services, like Google Suite and Adobe, to authenticate users via their Colby account without sharing the Colby username and password with that service.

How do I enroll in Okta?

All Colby accounts are pre-staged within Okta.  To finish the enrollment process you can follow the steps outlined here.

How do I enroll in MFA?

You can enroll in multi-factor authentication (MFA) by following the steps outlined here.

What do I need to do if I access or manage a shared email address?

If you access or manage a shared email address like baseball@colby.edu or payroll@colby.edu, you do not need to configure MFA for the shared account before June 1st.  ITS will be reaching out to the managers of these accounts in the near future to discuss next steps.

What if I lose my MFA factor(s)?

ITS strongly recommends configuring more than one factor, such as the Okta Verify app plus a text message (SMS) number plus a phone number. If you lose your or do not have access to all of your factors you can contact the ITS Support Center at 207-859-4222 and we can assist you in getting access to your account and configuring new factors.

How often will I have to use MFA?

Different non-Colby services, like G-Suite and Adobe, have different re-authentication times. Some services may only ask you to provide your multi-factor authentication (MFA) once ever few weeks, whereas others may ask you to provide your MFA every few hours. ITS recommends that you keep your multi-factor authentication method with you at all times to accomidate for every scenario.

What will the new Google sign-on experience look like?

When you are prompted to authenticate to Colby’s Google Suite, instead of seeing the Google sign-on dialog as you do today, beginning February 17th you will be directed to Colby’s Okta portal to authenticate. Beginning March 24th, a second factor – a temporary six digit code – will be required in addition to your account name and password. The code can be delivered in several ways, including text message, smartphone app, USB token, or a phone call. Alternatively, the Okta Verify app on a smartphone or tablet can receive ‘push’ requests that do not require you to type the code. You can select which method to use, and then enter the code that is provided to you.

What exactly is Colby’s Google Suite?

Colby’s Google Suite represents all of the Google services associated with your @colby.edu account – these include Gmail, Google Drive, Google Docs, Google Sheets, Google Slides, Google Forms, Google Calendar, Google Sites, Google Hangouts, Google Keep, Google Vault and Jamboard.

How often will I be prompted for my second factor?

Each time you authenticate (sign in) to your @colby.edu Google Suite account. For most users, this occurs a few times each month on their personal computers/web browsers. Smartphones and tablets rarely require re-authentication after their initial setup. Think of the most recent times you have had to enter your account credentials to Google, such as signing in to a web browser, or setting up Google on a smartphone. After March 24th, these sign-on events will require a second factor.

What if I use a mail client like Outlook or Mac Mail to read my email?

If you’re already using a mail client or a smartphone/tablet application, you should not notice any change. If you are configuring a client for the first time or if you are required to re-authenticate, then you will be prompted for authentication that includes MFA.

What about Gmail and Google Calendar on my smartphone or tablet? Will I have to use MFA there too?

Generally, no. Smartphone and mobile devices are remembered, or ‘tokenized,’ and do not require authentication after initial set up with a Google account. Sign-on and MFA are required on a new device during setup, so it is important to be prepared to manage MFA when changing or getting a new device. The ITS Support Center can assist with this process.

If I am signed in to Gmail and open another app like Google Drive, do I have to sign in or MFA again?

No, once you are authenticated to Google inside of a web browser or a mobile device, you will not be prompted to sign in again when accessing other Google services or connected apps. This is the same as it is today.

If I am signed in to MyColby and click the GMail link from there, will I have to authenticate again with MFA?

Currently, yes. Following any link to an application like GMail in the Google Suite currently requires authentication via Google. As part of this change, this sign-on will go through Okta and soon require MFA as well. It is anticipated that MyColby and other Colby websites’ sign-on will be migrated to Okta as well later on in 2020, which will further streamline the sign-on experience to more Colby services.

I need options - can I receive a second factor in more ways than one?

Yes. ITS strongly recommends configuring several methods of receiving your MFA code – a phone call, text message, and smartphone app are all recommended options. Having options is not only convenient, it provides an alternate means of retrieving a code should one method not be available.

I currently use Duo for MFA on Colby services - what happens to Duo?

Existing Duo users can select Duo as their Okta MFA requirement instead of or in addition to Okta verify.

Why should I use SMS (text message) if I already have the Okta Verify app on my phone/tablet?

The Okta Verify app is the easiest way to authenticate using MFA because it supports ‘push’ technology – your phone will ask if you are signing on and you only need to acknowledge it – no typing required. If something isn’t working right with the app, having your cell phone number as a backup method assures that you can still obtain the code.

Does the Okta Verify app require a cellular data or Wifi connection?

The Okta Verify app, when configured on a smartphone or a tablet, will continue to provide numeric multi-factor codes without a data connection or while the device is in airplane or offline mode. When prompted by your Okta logon, simply enter the 6-digit code shown in the app.

The 6-digit codes will refresh/update ever 30 seconds, the bar at the top of the application is a visual representation of the timer.

Push notification functionality in the Verify app do require a network connection.

What if I can’t get my MFA code (I don’t have my phone or any other method)?

The ITS Support Center (support@colby.edu or 207-859-4222) can assist in accessing the account and resetting factors.

I have Google 2-step authentication set up on my Colby Google account and/or my password is different than my main Colby account - what will happen?

Because authentication will be directed through okta.colby.edu, you will no longer use Google 2-step or a unique password to access Colby’s Google domain. There is nothing additional that you need to do other than prepare your Okta account with MFA.

Can I test/try this before it is required?

Yes, and ITS recommends that you do so. You’ll need to configure your MFA settings using these instructions. After that, you can use the ‘MFA Test’ app on the Okta portal to experience MFA sign-on. Once the change has been made, this is the same experience you will have when signing on to Colby’s Google Suite.

What if someone steals my phone or my MFA token? Can MFA be hacked?

In order to gain access to your account(s) an attacker would need your password and access to one of your MFA tokens, like your smartphone or telephone extension. MFA ‘hacking’ would typically involve intercepting a code, such as a text message or phone call. It is possible, but very difficult to do.