Multi Factor Authentication (MFA)

If you are looking specifically for installation instructions please read Installing an MFA App for the first time

Introduction

What is MFA?

MFA is a system that uses more than one security measure, also known as a ‘factor’, to prove your identity when accessing ADELE (O:S). The first factor is your name and password combination. The second factor is an application on your computer or mobile phone that provides you with a time-based code that you must enter before being able to access the system.

MFA is required to guard against situations where your name and password have been compromised. Even if a cyber-criminal were to get your name and password, they would not be able to log in to ADELE (O:S) without the device containing your MFA app.

Why do we have MFA?

Due to the higher security clearance of ADELE (OFFICIAL: Sensitive) compared to the old ADELE (UNCLASSIFIED) we are now required by the Information Security Manual (ISM) controls to protect the system through Multi Factor Authentication. Please note that this is a legal requirement and cannot be ‘turned off’ for individuals. If you already understand what MFA is and why it is required, please jump head to the Selecting your MFA app section below.

Ready to set up your App?

If you feel ready to start the process now, click on the Set up MFA button.

Why should I use MFA?

Users of online services, systems and privileged access to data repositories are more likely to be targeted by malicious actors due to their access. ADELE (O:S) contains sensitive content that could impact Defence functions, or the safety and reputation of an individual. ADELE (O:S) utilises an authentication app that generates a random time-based one-time password (TOTP) method, since other authentication factos are more susceptible to compromise than others. Before accessing the ADELE (O:S) system and its resources, it is essential that you as a user are authenticated.

Why is MFA not required on the DPE?

MFA setup is required for all ADELE accounts to secure against unauthorised access. That being said, users within the DPE are whitelisted from needing to enter a code to login to ADELE. This is because there is already a second ‘factor’ in use on the DPE; if you are at work, then you would have had to access the building using your ID card, as well as log into the DPE. If you are at home, you would have to be using DREAMs and therefore used a DREAM token to access the system. In both cases we use the fact that you must have identified yourself to the DPE as the additional factor. Note this still means you will need to setup MFA to secure your account. If you are unable to setup MFA because your deployment or posting conditions essentially negate you from having any personal device for a prolonged period you can request an exemption from MFA setup entirely with supervisor approval and justification; privileged users cannot be exempted from MFA requirements.

What you should avoid doing with MFA enabled on your device

Never share your 6-digit code to anyone.
Never share your device with anyone.
Never connect your device to a public WiFi.
Never connect your device to a wired cable that does not belong to you.
Do not leave your device unattended - make sure to lock your device where possible.
Do not allow your device to autosave your credentials/master password for your authenticator.

NOTE: The ADELE Team will never ask for your 6-digit code - the code will only be asked for when you are logging into the ADELE (O:S) system.

Top

Selecting your MFA App

There are many different MFA apps and the one you select will depend on the type of device you want to use, the operating system on that device and whether you want extra features.

If you already use an MFA app to access other systems, such as VERA, we recommend that you simply add ADELE (O:S) to that that app.

If you do not already have an MFA app then, as administrators of the system, we recommend using Google Authenticator as it is very simple to use and is freely available.

Click the appropriate link for your device and a QR-code for the Google Authenticator app will display.

Top

How to use your MFA app to access ADELE (O:S)

When you log in to ADELE (O:S) from any non-DPE computer you will need an MFA app. It works like this:

Access ADELE (O:S)

First you need to access the system at ADELE (O:S).

Login

You then enter your name and password in the fields provided.

MFA Code

ADELE (O:S) MFA screen with entry box for access code

The MFA page will ask you to enter a six-digit code.

Your MFA App

Google Authenticator on a Android phone showing the current code and countdown timer.

Open the MFA app on your device to access the current code. Note that the code changes every minute, and you will see a countdown timer showing how long you have left to enter the code.

Enter Code

Type in the code and hit the enter key.

Access granted

You will then be taken to the ADELE (O:S) home page.

PLEASE NOTE:

Your code only lasts 24 hours - You will need to enter a new, different code each day, so do not delete the authenticator app.

Your code will not be sent via SMS - you must use the app. SMS messages are too easy to intercept and are inherently unsecure. Please note that even if your authenticator app offers the choice of SMS, ADELE (O:S) does not support that option.

Your Codes are time sensitive - Each code will only last for a minute or so. Each app will show some form of countdown timer and you will need to enter the code before the time runs out. If you don't have enough time, wait for the timer to run out and the app will generate a new code.

Top

Installing an MFA App for the first time

Whether you install a new app or already have an MFA app available, your app will need to be set up to work with ADELE (O:S). If you are a new user of ADELE (O:S) you may have a grace period where you are not forced to immediately set-up your MFA app. However, once your grace period expires you will be locked out of ADELE (O:S) until you complete the MFA set-up.

We recommend you set up your MFA app sooner rather than later. That way, if you do have issues, you will still be able to use your grace period to access ADELE (O:S). If you wait until the last moment to set up your MFA app you may inadvertently lock yourself out of the system just before an assignment is due or a virtual classroom session is about to start.

Ready to set up your App?

If you feel ready to start the process now, click on the Set up MFA button.

Use QR Code
Use Setup Key

Click the images to see an enhanced view of each step.

1 MFA Banner

The message that will appear when MFA has not been set up.

When you log on to ADELE (O:S) a banner will be displayed. You will be requested to set up your MFA app, and informed of how much grace period you have left before you are required to set up MFA.

Click the Set up MFA now button to begin the process. Alternatively, click your name in the top right of ADELE and choose Preferences. When the Preferences page appears, select Multi-factor Authentication from the bottom of the User account list.

2 Available Factors

The Available Factors page provides a button to allow you access the MFA Setup page

3 Device Name

This page has two required fields. It is these fields that cause the most issues for people. The first is at the top called Device Name. You can enter anything here that will remind you which device and/or MFA authentication system you will connect to.

In this case I will be using Google Authenticator on my phone. Therefore, I will name my Device: Google Authenticator My Mobile.

4 Open MFA app

You now need an ADELE (O:S) entry in your chosen MFA app. Open your MFA app.

5 Add Account

You now need an entry for ADELE (O:S) in your MFA App. In Google Authenticator press the coloured plus symbol to create a new entry.

6 Use QR Code

You will now have a choice to select either QR-Code or enter manually enter a key code. QR code method is the easiest so we will look at that one first.

NOTE: If you are using an app other than Google Authenticator it may offer additional methods of activation such as SMS. Please do not use the additional methods as ADELE (O:S) may not be able to comply with the other methodologies. Please only use the QR code or the Manual key methods.

7 Scan the QR

Point your device at the QR code on your screen. The MFA app will read the QR code automatically and add an ADELE LMS www.adele.edu.au entry to the MFA app.

8 View Account

The app will show an Account Added page. However, we still need to confirm the MFA App with ADELE (O:S).

We do this by using the code that the MFA App has generated.

9 Enter Code

There is a field on the ADELE (O:S) form called Enter verification code for confirmation. Enter the code shown on the device into the field and press the Save Changes button.

10 Select Add Account

Return to the app and you can now click the Add Account button.

11 Account List

The main screen of the app shows a new code every minute. The amount of time left before that code changes is indicated by the small blue countdown timer.

12 Review List

Finally review the information in ADELE (O:S)

1 MFA Banner

When you log on to ADELE (O:S), a banner will be displayed. You will be requested to set up your MFA app and informed of how much grace period you have left before your are required to set up MFA.

Click the Set up MFA now button to begin the process. Alternatively, click your name in the top right of ADELE (O:S) and choose Preferences. When the Preferences page appears, select Multi-factor Authentication from the bottom of the User account list.

2 Available Factors

The Available Factors page provides a button to allow you access the MFA Setup page

3 Device Name

In this case I will be using Google Authenticator on my phone. So, I will name my Device: Goggle Authenticator My Mobile.

4 Open MFA app

You now need an ADELE (O:S) entry in your chosen MFA app. Open your MFA app.

5 Add Account

You now need an entry for ADELE (O:S) in your MFA App. In Google Authenticator press the coloured plus symbol to create a new entry.

6 Enter a setup key

You will now have a choice to select either QR-Code or enter manually enter a key code. In this example we will be using the set up-key

7 Manual entry form

A form opens in the app to allow you to enter the details manually. The details you need are on the ADELE (O:S) setup page, but do not show automatically.

8 'Can't Scan' button

Back on the ADELE (O:S) screen we have a Can't Scan button. Click this button and ADELE (O:S) will show you all the details you require to setup your MFA app manually.

9 Extra Info

The three pieces of information are the Secret key which is used to by the MFA app to look up and connect to the ADELE (O:S) system, the Account, which identifies the system (ADELE LMS) and your account name, and the Mode of authentication, and for ADELE that is always Time-based.

10 Account Name

The first field in the app is the Account name field. This name will be used on the main screen of the MFA app to identify for which system that account provides access. In this case I will enter the Account name as ADELE (O:S).

11 Setup Key

The next field is the Setup key. This is where you need to enter the Secret key from the ADELE screen.

12 Type of Key

The final option is a dropdown control called Type of Key. As noted on the ADELE setup screen the inbuilt option is Time-based, so we need to match this here. In Google Authenticator time-based is the default option but be aware that other MFA apps may have different defaults and you will need to look for and select the Time-based option.

13 Select Add

Double check your entries and when you are satisfied that they are correct, select the Add button

14 View Account

The app will show an Account Added page. However, we still need to confirm the MFA App with ADELE.

We do this by using the code that the MFA App has generated.

15 Enter Code

There is a field on the ADELE form called Enter verification code for confirmation. Enter the code shown on the device into the field and press the Save Changes button.

16 Account List

The main screen of the app shows a new code every minute. The amount of time left before that code changes is indicated by the small blue countdown timer.

17 Review List

Finally review the information in ADELE

DO NOT DELETE THE MFA APP

From now on, you will need the app to access ADELE (O:S). Each use of the MFA code grants 24 hours access to ADELE (O:S). After 24 hours you will need to access the app again to get a new code.

Top

When your MFA App goes wrong

ADELE (O:S) won't accept my MFA code anymore

There are a few reasons why this might happen. Firstly, double check that the code has not rolled over since you entered it. If the code rolls over the old code is no longer and will not be accepted.

Next, double check that you are using the correct device and the correct Authenticator app.

If you are sure that you are on the correct app, the next thing to check is the time on your PC and the time on your device. If the time is markedly different on the device and your computer, then you will not be able to generate a valid code. Most devices will automatically sync to internet time. Problems can still occur, however, if your computer thinks it's in a different time zone to your mobile device.

If you have corrected those issues and are still unable to generate a valid MFA code, please contact support@adele.edu.au to have your MFA app reset. This will erase the current pairing and allow you to create a new pairing.

Can't set up app. The Set-up page keeps coming back with errors

The most common cause for the set-up page failing is forgetting to enter the account name at the top of the page. This is a mandatory field, and the set-up process cannot proceed without an account name.

Some people find that even after correcting that issue the page still fails to save.

It is likely that the reason for the second failure is that the verification code on the MFA app has rolled onto a new number - invalidating the number that was originally entered into the page.

If you are struggling at this step. Please delete everything that has been entered into the page and start again. First enter the account name, then check your MFA app for the current code, then enter the code into ADELE (O:S) and then select Save Changes immediately.

I haven't received my SMS message

ADELE (O:S) does not use SMS for MFA. The only form of MFA that ADELE works with is Time-based code generation. If you have used a different authenticator that does allow you to select SMS as an option you will need to either change your MFA settings to be time-based, or you will need to contact support@adele.edu.au to have your MFA reset.

Help! I deleted my MFA app!

If you have deleted your MFA app there is unfortunately no easy way to get it back and sync it back up to ADELE (O:S). The simplest solution is to contact support@adele.edu.au to have your MFA App reset and start from the beginning.

I have a new mobile device

If you have a new mobile device, you will not be able to simply load the app and expect that your accounts will still be there. There are some MFA apps that do that, such as Authy, however most of the MFA apps do not.

When you have a new device, you will need to send an email to support@adele.edu.au asking to have your app reset. Once your app has been reset you will be able to link your new device using the steps on this page.

What you should do to mitigate risks for your MFA device

Enabling a master password for your multi-factor authentication - lock your mobile device and authenticator app after multiple failed attempts
Install mobile phone security software to keep your device secure, such as Trend Micro Mobile
Lock your mobile device and authentication app after multiple failed attempts - this will no longer allow the user to re-attempt entering the password or code.
Keep your authenticator app up-to-date - updated versions of the app can provide enhanced backend security.

Risks of losing your device with MFA

There are currently a few scenarios to consider when your phone is missing:

Lost phone
Stolen phone
Compromise phone

What you should do if the one of the above takes place:

Contact ADELE Support as soon as possible to revoke the authentication app on your device. This is so that codes that will be used from the authenticator app will no longer be valid and to connect your account to another one of your devices.
Report your device to ADELE Support and to your supervisor.
Contact ADELE Support if you received unknown sign-in/password reset attempts to your email address.

Top