test faqs

User Experience – Pre-enrolment

How will I be affected when I use CWL to log-in to UBC services and applications?

What secondary options are available if I do not want to download the Duo Security app?
If you prefer not to use your personal phone, or you do not own a compatible device, there are alternate methods of authenticating available. You can choose to enroll and receive a text message or call to your cell phone, you can receive a call to your desk phone, or you can use a hardware token to enter a unique passcode to authenticate. For more information regarding hardware tokens please see the Tokens section.

How do I connect to VPN with an Enhanced CWL?

Once a connection for a particular VPN session has been established you will not be challenged with an authentication request for any other application or service while securely connected (unless you are attempting to access an application that contains confidential or highly secure information).

To connect to VPN with an Enhanced CWL, follow the steps below or watch the video.

  1. Open the Cisco AnyConnect Secure Mobility Client

  2. Enter your username and the VPN pool you wish to connect to along with your password
    • The new additional step is to type “@” after your username along with how you want to authenticate.

      • Duo App: Enter username.vpnpool@app (or username@app, depending on which VPN you are using) if you wish to authenticate using your smartphone
      • Phone Call: Enter username.vpnpool@phone (or username@phone, depending on which VPN you are using) if you wish to authenticate by a phone call to either a landline (desk phone) or a mobile phone
      • Passcode: Enter username.vpnpool@****** (or username@******, depending on which VPN you are using) if you wish to authenticate using a passcode generated by a hardware token or a soft token using the Duo app
      Please note: The * indicates the unique code generated for a particular authentication instance. Enter the numbers as they appear on your token after @, not the actual asterisks.
    • If any information is entered incorrectly or forgotten you will see an error message reminding you of the extra information required to authenticate


  3. Once entered correctly, an authentication request will be sent to your method of choice


    • You will not see a separate message on the AnyConnect client specifying that a response is waiting
    • You will know that the authentication has been approved when the AnyConnect dialog box changes to “Establishing VPN Session”


  4. Once a connection is established you will be able to proceed as usual

The AnyConnect client will recall the information entered from your previous session.

If you authenticate with Enhanced CWL using the same method for each request, you will simply:

  1. Open the Cisco AnyConnect Secure Mobility Client
  2. The username and method of authentication will already be populated
  3. Enter your password and click ‘Okay’
  4. An authentication request will be sent to the method specified
  5. You will know that the authentication has been approved when the AnyConnect dialog box changes to “Establishing VPN Session”
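The username format described in the steps above can be checked mechanically. The following is an added example, not UBC's or Cisco's code: it parses the AnyConnect username field and produces a log-safe form that omits the one-time passcode. The function names, the allowed character set and the sample account and pool names are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional


class VpnLogin(NamedTuple):
    username: str
    pool: Optional[str]      # None for the plain "username@method" form
    method: str              # "app", "phone" or "passcode"
    passcode: Optional[str]  # six digits when method == "passcode"


# Assumption: account and pool names use letters, digits, "_" and "-" only.
_NAME = r"[A-Za-z0-9_-]+"
_LOGIN_RE = re.compile(rf"(?P<user>{_NAME})(?:\.(?P<pool>{_NAME}))?@(?P<suffix>[^@\s]+)")


def parse_vpn_login(value: str) -> VpnLogin:
    """Split the AnyConnect username field into account, pool and second factor."""
    m = _LOGIN_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("expected username[.vpnpool]@app, @phone or @<passcode>")
    suffix = m["suffix"]
    if suffix in ("app", "phone"):
        return VpnLogin(m["user"], m["pool"], suffix, None)
    if re.fullmatch(r"[0-9]{6}", suffix):
        return VpnLogin(m["user"], m["pool"], "passcode", suffix)
    if set(suffix) == {"*"}:
        raise ValueError("enter the digits shown on the token, not asterisks")
    raise ValueError(f"unknown authentication method: {suffix!r}")


def redact(login: VpnLogin) -> str:
    """Log-safe form of the field: the one-time passcode is never written out."""
    account = login.username if login.pool is None else f"{login.username}.{login.pool}"
    factor = "<passcode>" if login.method == "passcode" else login.method
    return f"{account}@{factor}"
```

Because the passcode is typed into the username field, anything that records that field should store the `redact()` form rather than the raw value.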

What changes to my login experience can I expect?

You will experience one of the following login experiences depending on your chosen method of authentication:

Using the Duo mobile app
  • Duo Push
    • Enter your CWL ID and password
    • Click on 'Send Me a Push'
    • A notification will appear on the screen of your enrolled device (depending on the security settings of your device you may be required to unlock your device using your passcode or biometrics)
    • Tap 'Approve' and the authentication screen will be released, allowing you to utilize the application or service as usual
    • Tap 'Deny' and the authentication screen will indicate that the login request has been denied and the authentication screen will not be released
    • You will have 60 seconds to respond to a 'Push'; if no response is received in that time, the request will time out and you will have to send another 'Push'
  • One-time Passcode
    • Enter your CWL ID and password
    • Click on 'Enter a Passcode'
    • Open the Duo mobile app
    • Tap on the account you want to access to get your code
    • Enter the 6-digit code in the empty field on the authentication screen of the application or service you are attempting to access
    • Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual
    • Passcodes expire every 60 seconds. If your request times out, tap on the refresh icon to the right of the passcode and a new set of numbers will appear
Using a Phone Number (mobile or landline)
  • Enter your CWL ID and password
  • Click on 'Call Me'
    • The authentication request will call the phone number that is registered with your account
    • You will know which number is being called as the authentication screen will indicate the last 4 digits of the phone number
  • Answer the call
    • A recorded voice will instruct you which key to press on your phone's keypad to proceed
  • Press the key and the authentication screen will be released, allowing you to utilize the application or service as usual
    • If you answer the call but do not press a key, the authentication screen will indicate that no keypress was detected and will require you to attempt the call again
    • If you deny the call the authentication screen will indicate that the request has been cancelled
Physical Token
  • Traditional 'dongle' (token with button and read-out screen)
    • Enter your CWL ID and password
    • Click on 'Enter a Passcode'
    • Press the button on your token
    • Enter the 6-digit code in the empty field on the authentication screen of the application or service you are attempting to access
    • Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual
    • Passcodes expire every 60 seconds. If your request times out, press on the button of the token again and a new set of numbers will appear
  • Connected Token (token connected to the USB port of your computer, e.g. YubiKey)
    • Enter your CWL ID and password
    • Click on 'Enter a Passcode'
    • Press the button on your connected token
    • A 6-digit code will automatically be entered in the empty field on the authentication screen of the application or service you are attempting to access
    • Click 'Log In' and the authentication screen will be released, allowing you to utilize the application or service as usual
    • If your request times out, press on the button of the token again and a new set of numbers will appear

How often will I be asked to authenticate my identity?

Whether or not you will be asked to authenticate for a particular login session will depend upon your 'context'.

For example, if you are attempting to log in to an application that contains confidential and/or sensitive information, it is highly likely that a second factor of authentication will be required each time you log in to that application. Alternatively, if you are attempting to log in to a system or application that does not necessarily contain highly sensitive or confidential data, but you are attempting to access that application or service from off-campus or during non-regular business hours, you may still be required to present a second factor of authentication before proceeding.

Tokens

When may a hardware token be necessary?

  • If your appointment requires you to be away from your desk frequently
  • If you do not have a stationary work location equipped with a landline number
  • If your appointment requires you to be in locations that do not allow the use of cellular phones

When may a token be preferable over the downloadable app?

  • If you do not carry a ‘smart’ cellular phone capable of downloading mobile apps
  • If you wish to have your second factor of authentication separate from any of your other devices

How can I obtain a token?

  • If a hardware token is necessary to properly fulfill your current appointment, you can speak with your manager about obtaining a token through your department
  • If you would like to purchase a token for yourself to own, you can visit the Staff & Faculty purchasing desk at the UBC Point Grey Bookstore, or the main desk at the UBCO Bookstore
    • One-time Passcode (OTP) tokens are $10
      • Generates a one-time six-digit passcode which you will manually enter
    • USB-type tokens are $25
      • Will automatically fill the MFA passcode field when plugged into the USB port of your device
  • If you would like to place a deposit on a One-time Passcode (OTP) token, you can do so at the Access Desk (same location where you obtain your UBC ID card) at the UBC Point Grey Bookstore, or the main desk at the UBCO Bookstore.
    • Deposit is $25

How do I register my token?

Visit https://mfadevices.id.ubc.ca/secure/tokens and follow the on-screen instructions

Can I share tokens with my colleagues?

As tokens are registered to individual users, a passcode generated by a token will only work with its associated CWL. In exceptional cases, isolated workstations may require a universal token for all staff working in that area. Please contact the IT Service Centre at (604) 822-2008 if this scenario applies to you.

User Experience – Post-enrolment

I have already enrolled a device (smart phone, tablet, desk phone, token) and associated it with my CWL. How do I change, add, or delete one or more of those devices?

Add a device
  1. Navigate to https://mfadevices.id.ubc.ca
  2. Authenticate to confirm your identity
  3. Click on "+ Add another device"
  4. Select the type of device that you wish to add to your account
  5. Follow the prompts
Change/Delete a device
  1. Navigate to https://mfadevices.id.ubc.ca
  2. Authenticate to confirm your identity
  3. Find the device that you wish to update from the list
  4. Click on the settings icon next to that device
  5. Make any necessary changes

Why am I being challenged so frequently?

A challenge, or verification request, is based upon the context of your login session. This means that if you are logging in to a web-based application from a UBC network on campus, you will see a check box displayed that says "Remember me" for a specified amount of time. If you select that check box, you will not be challenged again until the amount of time specified has expired. If you were to leave that context by logging in from a different location (e.g. from home, coffee shop, while travelling, etc.) you would be challenged again.

A second possible reason that you are being challenged so frequently could be due to the access rights associated with your account. For instance, if you have administrative access to a particular site or service, there is a high possibility that you will be challenged every time you log in.

How does the "Remember me" check box work?

This feature uses a ‘cookie’ to remember your device. The cookie itself does not contain any information about you or the device you are using. It simply verifies that you’re using a device you previously registered.

Remember to only use this feature for browsers on devices that are not shared with other people such as a personal workstation, laptop or mobile device.

The "Remember me" feature will not work if:

    • your browser does not have cookies enabled
    • your browser is set to delete cookies after a certain period of time
    • your browser is set to delete cookies every time you quit the browser

If you use different browsers or devices, each one needs to be designated as a trusted browser or device the first time you sign in with it. For example, trusting Chrome on your desktop does not automatically mean Chrome is trusted on your laptop or mobile device; you must select the "Remember me" check box for Chrome on every device you sign in from.
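One way a "Remember me" cookie with the properties described above can be built is sketched here as an added example; it is not UBC's or Duo's implementation, and the class, method names and sample accounts are hypothetical. The cookie is a random value with no user or device data in it, the server keeps only its hash with an expiry time, and each browser receives its own value.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


class TrustedBrowserStore:
    """Server-side record of browsers that ticked "Remember me" (hypothetical design)."""

    def __init__(self, lifetime_seconds: int):
        self.lifetime = lifetime_seconds
        # sha256(cookie value) -> (username, expiry time); raw values are never stored
        self._records: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(cookie: str) -> str:
        return hashlib.sha256(cookie.encode("utf-8")).hexdigest()

    def remember(self, username: str, now: Optional[float] = None) -> str:
        """Issue a cookie value after a successful second-factor challenge."""
        now = time.time() if now is None else now
        cookie = secrets.token_urlsafe(32)  # random: carries no user or device data
        self._records[self._digest(cookie)] = (username, now + self.lifetime)
        return cookie

    def is_trusted(self, username: str, cookie: str, now: Optional[float] = None) -> bool:
        """True only if this cookie was issued to this user and has not expired."""
        now = time.time() if now is None else now
        if not cookie:
            return False  # cookies disabled, or deleted by the browser
        key = self._digest(cookie)
        record = self._records.get(key)
        if record is None:
            return False  # unknown browser: challenge for a second factor
        owner, expires_at = record
        if now >= expires_at:
            del self._records[key]  # the specified time has passed: challenge again
            return False
        return owner == username
```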

The "Remember me" check box is no longer selectable when I am responding to a challenge, how do I get it back?

You may have your preferences set for a 'Push' to be your default method of authenticating. This means that your phone is automatically sent a Push notification instead of offering you the option to choose your method of authenticating. Cancelling the initial request will allow you to check the box again and re-engage the "Remember me" feature.

Alternatively you can adjust your preferences in the device management site to prevent this from happening in the future.

  • Navigate to https://mfadevices.id.ubc.ca in your browser
  • Log in with your CWL and password
  • Authenticate with a second factor
  • Click on the dropdown beneath the heading "When I login:"
  • Select "Ask me to choose an authentication method"
  • Select "Save"

What if I have forgotten my phone or token at home?

Contact the IT Service Centre. You will be supplied with a temporary passcode to avoid any disruption to your workday.

What if I have lost or damaged my phone?

Contact the IT Service Centre immediately.

What if I have lost or damaged my token?

Contact the IT Service Centre at (604) 822-2008 immediately.
If you were provided with a complimentary token or one was purchased for you by your unit, you will have to purchase a replacement or obtain one on deposit.

What happens if my token runs out of battery?
Contact the IT Service Centre at (604) 822-2008

What happens if my token becomes 'out-of-sync'?
Visit https://mfadevices.id.ubc.ca/secure/tokens_resync and follow the on-screen instructions to resynchronize your token

Privacy Information

Is Duo hosted in Canada, including backups?

Yes.

Has the UBC MFA service using Duo undergone a Privacy Impact Assessment (PIA) process?

Yes.

What type of user information is sent to Duo?

  • Your username (CWL) is used to match an authentication request to an MFA device or to generate passcodes
  • Your cellphone number is optional
    • Having this enables us to call your cellphone, or send you a text message, as your second factor
  • Your UBC Email is optional
    • Having this allows us to send you enrollment and recovery instructions when necessary
  • First name and last name are optional

If I download the Duo mobile app, what information will be sent to Duo about my device?

  • Device model
  • Operating system
  • IP address

This information is used for:

  • The app to warn you if you should update aspects of your device to combat potential threats
  • The UBC Cybersecurity team to monitor the overall health of our end-user technological landscape
  • Detecting unusual authentication attempts
  • Diagnosing security incidents if they occur

For a full list of information collected by the Duo MFA mobile app please click here.

Technical Information

Can I use the Duo mobile app to authenticate without an internet or data connection?

Yes. Besides the Push functionality, the Duo mobile app can be used as a soft version of a one-time passcode (OTP) token. This is especially useful when travelling, as you will not require any costly phone plan to authenticate your CWL.

  • To utilize this feature select “Enter a Passcode” when prompted to authenticate
    • Open the Duo mobile app
    • Tap on the down pointing arrow to the right of your ‘UBC CWL’ account
    • A six-digit passcode will display
    • Enter the passcode into the empty field that appeared when you selected “Enter a Passcode”
    • Select Log In

About Enhanced CWL

Who is sponsoring this project?

This project is sponsored by and under the purview of the Chief Information Security Officer (CISO). It is one of the prioritized technology projects under the mandate of the Privacy and Information Security Management (PrISM) program and is stated as a security requirement in the Information Security Standards.

How is this being rolled out across campus?

Having an Enhanced CWL is already mandatory for high-risk staff in certain areas. All UBC faculty and staff will be required to have an Enhanced CWL by November 2019. If your unit or faculty has already committed to onboarding to this service, you will be communicated with directly by your Dean, manager, department head, or equivalent, well in advance of the mandatory date.

Who do I contact for more information about this initiative?

Please send any and all questions or comments to privacy.matters@ubc.ca