Multifactor authentication

Multifactor authentication (MFA), also called two-factor authentication (2FA), is a method that significantly improves the security of your Hanken account. In practice you confirm logins with your phone, which means that someone who has stolen your password can’t log in.

Protecting an account with just a password makes it vulnerable to many types of attacks, among them the very common phishing. Verifying logins with the mobile phone can mitigate many of these attacks. The phone is typically in the possession of the account’s legitimate owner even if the password has been compromised. The multifactor authentication system requires phone verification when you log in for the first time from a new device or app. Subsequent logins are typically considered safe. This provides effective protection against unauthorized logins.

The verification is done by sending a code to the phone in an SMS message or by asking for verification through the app. The user must register the phone number and/or app in the system before multifactor authentication can be used.
Multifactor authentication will become mandatory for all Hanken accounts during 2022. 

When do I have to verify a login with multifactor authentication?

Multifactor authentication is activated when the system isn’t sure if the login comes from the account’s legitimate owner or someone else. These basic rules apply:

  • Staff only: Your login is considered safe if your device is connected to Hanken’s personnel network or you have Hanken’s VPN activated. Multifactor authentication is not required.
  • Multifactor authentication is required on the first login from a new device, app or web browser. Multifactor authentication is not required again for subsequent logins. 
  • A new multifactor authentication may be required if the system flags your login as risky for some reason. This may for example happen if you travel and log in from another country. 
  • Multifactor authentications expire and will be required again after some time.

Does this mean that I must carry the phone with me all the time?

Yes. The phone is a suitable tool for multifactor authentication mainly because it’s something that most people carry with them almost all the time. The system tries to minimize the number of required multifactor authentications, and you may be able to use the account for a long time without a single verification request. But it is impossible to reliably predict when a multifactor authentication will be required. Therefore, it’s strongly recommended to always have the phone, or another registered mobile device, available when using the account. 

Which phones can be used for multifactor authentication?

Practically all phones and tablets. Both smartphones and traditional phones can be used. The requirement is that the device can receive text messages (SMS) or run an app for iPhone/iPad or Android. Practically all modern phones can do both. Tablets without a phone subscription can use the app when connected to WiFi. 

Which methods can be used for multifactor authentication?

Multifactor authentication offers several methods to perform the verification. This ensures that there are redundant options if one method is unavailable and that users can select a suitable method.

  • Call my authentication phone number
    The system makes an ordinary voice call to your phone; the login is verified by pressing a number key. Two different phone numbers may be registered.
  • Text code to my authentication phone number
    The system sends a text message (SMS) to your phone. The login is verified with the code in the message. Two different phone numbers may be registered.
  • Notify me through the app
    A two-digit code is shown on the device where you log in. The login is verified by entering the code in the app on your phone or tablet. The app may be registered on several devices. 
  • Use verification code from app or token
    The app on your phone or tablet shows a code. The login is verified by entering the code on the device where you log in. The app may be registered on several devices.
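The “verification code from app or token” method works because the app and the login system share a secret from enrolment and both derive the same short-lived code from it and the current time, so no network or phone subscription is needed to produce the code. The following is an added example, not Hanken’s or Microsoft’s code, of the standard TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) with the kind of server-side check that tolerates a little clock drift; the shared secret is the RFC reference key, and whether Hanken’s deployment uses exactly these parameters is an assumption.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the RFC 4226/6238 reference key (ASCII "12345678901234567890").
# A real authenticator app receives its own secret from the QR code scanned at enrolment.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time window containing unix_time (RFC 6238 with HMAC-SHA1)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian step counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the code of the current window or of one adjacent
    window (phone and server clocks are rarely in perfect sync); compare in constant time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # At Unix time 59 the app shows the code for step counter 1.
    print("code shown in app:", totp(DEMO_SECRET, 59))        # 287082 (RFC 6238 vector)
    print("accepted now:", verify_code(DEMO_SECRET, "287082", 59))
    print("accepted 90 s later:", verify_code(DEMO_SECRET, "287082", 150))  # expired
```

Because a code is only valid for about a minute, a code handed over to a caller is useless shortly afterwards, but it is still enough for an attacker who already has the password and asks for it while the login is in progress, which is why the code must never be read out to anyone.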

Staff only: Can I use my Hanken mobile phone number for multifactor authentication? 

Yes. We recommend that you use your Hanken phone number as your primary number for multifactor authentication.

Can I use a private mobile phone number for multifactor authentication?

Yes. We recommend that you register more than one number to reduce the risk of being locked out if a verification is required. A private number can be either the primary or secondary authentication number. 

Does registering my private mobile phone number cost me anything?

No. The registered number receives phone calls or text messages if you choose to do multifactor authentication with one of these methods. The system will never place calls or send messages from your number. Note that receiving calls or messages may cost you something when roaming.

Can I safely register my number for multifactor authentication? Can I use a secret number?

Yes. The register for authentication numbers is separated from other registers and follows GDPR. The registered numbers are not used for anything other than multifactor authentication. A limited number of administrators at the Computer centre have technical access to the register, but legislation restricts their ability to access the information.

Which benefits does the app provide?

Many users consider the app to be handier than SMS authentication. The app is also more robust in situations where text messages aren’t available, like if your phone subscription isn’t working for some reason. The app uses data networks and does not require a working phone subscription. It works fine with just WiFi available.

Which mobile devices can the app be used on?

The app works on practically all iPhone and Android phones, as well as on tablets. It can be used on both private devices and devices provided by Hanken (staff only). It’s a good idea to register more than one device, as it reduces the risk of being locked out of your account.

Does it cost anything to install the app on a private phone?

No. The app is free and uses only small amounts of data traffic. It does not place calls or send text messages. The cost is zero if you have an unlimited data plan. The cost is probably negligible even abroad with a higher price for data roaming. Data fees can be avoided by connecting to a WiFi network.

Why is it a good idea to register more than one authentication method?

Verifying a login is a mandatory security action that can’t be circumvented. You are locked out if you have only one method registered, and it’s unavailable for some reason. The app saves you if your phone account isn’t available, for example abroad. Several registered phone numbers save you if you brought the wrong phone with you, or one of them is lost or has a flat battery. You may lose both the app and the authentication phone number if you lose your only phone. Having the app registered on your tablet saves you in this case. 

Why do I have to enter a code when authenticating using the app?

We require the code to prevent an attack called “MFA fatigue”. Hackers could make several login attempts until the account owner gets really annoyed by the beeping app, and accepts just to get rid of it. This attack does not work if a code is required. You can’t accept a login attempt made by someone else as you don’t know the code that is shown on the login screen. 

What should I do if the app covers the number it asks me to enter, so that I can’t see it?

There’s a potential usability problem if you log in with multifactor authentication on the same mobile device where the app is installed. It’s possible that the app covers the login screen where the code is displayed, and that hidden code is required to verify the login. There’s a function called “I can’t see the number” in the app; scroll down a bit if you can’t see it right away.

What should I do if multifactor authentication is required but none of my methods work?

You can circumvent multifactor authentication by connecting your computer to the personnel network at Hanken campus or activating Hanken’s VPN (staff only). You can register a new phone number, or the app on another mobile device, if you can access aka.ms/MFAsetup without doing a multifactor authentication. You must contact help@hanken.fi if you still can’t solve the problem. Use your Hanken account if possible, when sending the mail. The Computer centre can help you solve the problem, but we must be able to somehow verify that the request comes from the legitimate owner of the account. Otherwise, we may open up your account to an outsider. 

Why does the map in the app show the wrong position?

The app may display a map and attempt to show where the login attempt comes from. This is almost never the exact position of the user that logs in; it depends on how the telecommunications operator has connected them to the Internet. The shown position is in the right country, and usually in the right part of the country. The traffic seems to come from Hanken if you are using Hanken’s VPN (staff only), and from some other location depending on your settings if you are using another VPN.

A position in some other part of the world when you aren’t attempting to log in yourself is a strong indication that someone is attempting to attack your account. Contact help@hanken.fi without delay in this case.

Is it possible to hack an account protected by multifactor authentication?

Yes, but it’s a lot harder than for other accounts. The most common method is to lure the user to hand over verification codes. It may for example go like this. The phone rings: “Hello, this is Hanken’s helpdesk. We have some problems with logins and need to verify if your multifactor authentication works. We must sort this out ASAP or you will get locked out from your account! You will see a code on your phone in a moment, can you tell me the code so I can check if it’s correct?” The Computer centre never calls asking a question like this. A hacker that has got the account’s password may however do it and complete the login as soon as he gets the code. 

Instructions

  1. You can use an app on your smartphone (Android or iPhone) for multifactor authentication. If you want to do that, start by making sure the app is installed. Go to Google Play or Apple App Store and install Microsoft Authenticator.
  2. Open the link https://aka.ms/MFASetup in your web browser. (Do this on your computer if you plan to use the app for authentication.)
  3. Log in with your Hanken account, unless you are logged in already.
  4. Follow the instructions and you will end up at a page looking like this:
     [Screenshot: Enter phone number for multifactor authentication]
  5. Select Authentication phone, Finland and enter the number of your Hanken phone. This is a trustworthy service where the number can be stored without fear of misuse. (You can use the number of a private phone instead if you don't have a Hanken phone, or if you mainly use another phone.) 
  6. You will receive an SMS message with a code. Enter the code and click Verify.
     [Screenshot: Verification of MFA phone number]
  7. The system suggests that you register some alternative authentication methods as well (recommended). Select Alternative authentication phone if you have another phone number. (This is recommended if you have two numbers, as it provides an alternative method if there's a problem with your main number.)
     [Screenshot: Alternative authentication methods for MFA]
  8. Next you can register the app on your smart phone. (Finish by clicking Save or Cancel if you aren't going to use the app.)
    1. Select Authenticator app or Token and then click Set up Authenticator app.
    2. Open the Authenticator app on the phone and select Add account, then Work or school account. Scan the QR code on the computer screen.
    3. The system wants to verify the app connection by asking you to enter a code from the app or click approve on your phone.
    4. Now you should be back at the screen shown above. Select Notify me through the app or Use verification code from the app as the default method. (See below for an explanation.)
    5. Click Save.
  9. If you're not using it already, we recommend that you start using the Outlook app for access to the Hanken e-mail on your mobile devices. Generally it's the preferable option for security reasons, and also works well with multifactor authentication. 
  10. Some tips that help you minimize the number of verification requests on your mobile device:
    • When logging in you may be offered the option to remain logged in on the device and to skip multifactor authentication for 60 days. Select this option on your own devices. Do NOT select it on other devices.  
    • Use VPN on your computer. The systems will trust your login without extra verification when they see that you work through Hanken. 
  11. Ready. You can go back to https://aka.ms/MFASetup at any time if you want to change your settings.

Please note

There are two alternative ways to use the app:

Use verification code from the app 
In this method you enter a code from the app on the web page or device where you are logging in. This is the more secure method.

Notify me through the app 
In this method the app shows you a message with two buttons, Deny and Approve. This is usually perceived as the more convenient option, but it is possible to approve a malicious login attempt by a hacker. It is therefore important to refrain from approving unexpected login verifications. You can expect a login verification when you log in or right after starting one of your devices (when your programs re-establish the connection to your account). Deny other verification requests.