Campus and Infrastructure IT Services

Campus Account

Multi-Factor Authentication (MFA)

About MFA

MFA uses the combination of two or more credentials to verify identity. It is used at the University of Bern to better protect data and applications, to protect critical areas and to prevent identity theft.

The currently used 2-factor verification uses a combination of two different credentials to verify identity:

  1. what user knows: password
  2. what user has: mobile phone

Various contact methods can be selected for the second verification step. Access to the desired application/website then takes place optionally:

  • with an Authenticator App
    (you receive an access request, which you confirm with a click)
  • with an SMS to your mobile phone
    (you will receive a code via SMS which you enter on the login page of the application/website).

The following requirements must be met in order to use the MFA for services provided by the University of Bern:

  • valid campus account
  • mailbox on the central Campus Groupware
  • mobile phone with SIM card

Set up and use MFA

I have not used MFA at the University of Bern before, how can I register?

You should activate at least 2 contact methods when registering. The contact methods can be changed later.

One of the contact methods must be defined as the default method. We recommend setting up the Microsoft Authenticator app as the default method. However, you can also define another authentication app or contact method as the default.

I want to register an MFA method?

I want to change the MFA methods?

When we require MFA

In principle, MFA is mandatory for all applications that are accessed from outside the University of Bern network. For access within the University of Bern network, the responsible application operator decides whether MFA is required.

 

Frequently Asked Questions (FAQ)

Applications that require MFA

You will need MFA for the following applications if you want to access them from outside the uni network:

  • Fortinet VPN
    Important: For VPN, you need a FortiClient in version 7 or more recent as well as the SAML profile (for Single Sign-On); the corresponding instructions can be found here.
  • Microsoft 365 services such as Office, Outlook, OneDrive, Teams, email, etc.
  • Microsoft Azure Services
  • Other applications for which the responsible office enforces MFA
     

Frequently Asked Questions (FAQ)

When should I register for MFA?

You can register for MFA at any time. We recommend doing this at least 1-2 weeks before the planned Mail2Cloud changeover.

How often do I have to authenticate using MFA?

MFA policies for different application areas:

  • VPN - every 14h
    When having established a connection by using your Campus Account and MFA you won't have to re-authenticate during a timeframe of 14h, when connecting to VPN from the same client.
     
  • Web Browser - every 7 days
    When using a web browser or a progressive web application (PWA) for accessing our services from outside the UniBE network, you will have to re-authenticate using your password and MFA every 7 days.

    Session/Cookie add-ons or Ad-Blocker may have a negative impact on the given timeframe.
    Changes to your browser or operating system (updates, config changes) may trigger a re-authentication.
     
  • Desktop applications - 90 days of inactivity
    When using a supported desktop application you won't be asked for an MFA re-authentication usually.

    However, an inactivity of 90 days and changes to your application or operating system (updates, config changes) may trigger a re-authentication.

    •  

SMS method: Do I have to pay for the SMS sent to me?

Receiving SMS messages is always free of charge, even abroad.

I have a new smartphone - what do I have to do?

Since there is a direct link between your MFA registration and the devices you use:

  • Install the Authenticator app on the new smartphone (either by transferring the apps from your old device or by reinstalling it)
  • Register for MFA again with the new device
    For accessing the MFA management site, you may have to verify once again using your old device.
    If you shouldn't have access to your old device anymore, please contact our servicedesk for an MFA reset.
  • Remove the old device as an authentication method

My smartphone has been lost or stolen - what should I do?

To prevent possible misuse:

  • Please contact the service desk so that they can reset the MFA registration

I do not own a mobile phone - how can I access the services?

If you shouldn't own a mobile phone and thus can't install an authenticator app or receiving SMS, please contact our ServiceDesk for discussing possible alternatives.