Over the past few weeks, we have heard your concerns about the employer's introduction of multi-factor authentication (MFA) — namely the requirement for staff to download an app to their personal smartphones. In response, the AASUA officers, Executive Director, staff, and I met with the employer on February 3 to pose questions about MFA implementation. The following is a summary of the questions we posed and the employer’s responses.
We have been told MFA is being rolled out in stages, with total implementation scheduled for March 2023 (therefore some members have received MFA enrolment notifications before others). Importantly, the employer has informed us that those who do not wish to download the MFA app to their phone, or who do not have a personal phone, can instead request a key fob that will serve the same purpose. When staff receive their MFA enrolment email, there will be a link to a fob request form.
The AASUA has heard from the employer that the application process is to ensure the distribution of fobs is consistently recorded for security purposes, and that fob requests will not be denied. According to our Collective Agreement, the employer must provide the materials academic staff require to perform their work. Should your request for a fob be denied, we advise you to reach out to us.
AASUA leadership also posed questions about why an app was selected over a text-verification process, the level of security and capabilities of the app, and why the enrolment request email some members have already received was flagged as a potential phishing email by the university’s Gmail system.
According to the employer, the app was selected over text-verification as it provides a higher degree of security in comparison to text-messaging services. We were informed the app has received industry safety certifications and does not have the capabilities to access personal data or track the location of its users.
As for why some enrolment requests have been flagged as phishing, the employer said the size of the rollout required an outside domain to automate the requests. In some cases, this outside domain triggered Google’s email control system.
We have been told the fobs are battery powered and can be used in any location. Additionally, the MFA itself is not network or IP triggered, meaning if you are logged into a computer on the U of A network you will still need to complete the authentication process. This means those who have a lab outside their office will need to carry their cellphones or fob with them to use MFA.
University administration has highlighted that MFA is the new security standard in higher education, and that the U of A is the last of its U15 comparators to roll out this measure. While this may be the case, the employer must take the appropriate steps to properly inform staff about MFA. In consultation with AASUA, the employer has updated their MFA FAQ, which can be found here. We are continuing to monitor the situation as it develops to ensure AASUA members’ concerns are addressed in this process.