VIC

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (hereinafter referred to as MFA) is a tool that enhances the security of your log-in process to CTU systems and makes misuse of your login credentials significantly harder. It is commonly applied, e.g., in banking or government institutions.

Multi-Factor Authentication for selected services is mandatory for CTU staff members, students, partners and graduates. The second factor is currently set to be required once every seven days, but the actual frequency depends primarily on how your devices are integrated into the Single Sign-On (SSO) scheme. The MFA rules and the benefits of Single Sign-On vary with the implementation method and the operating system used.

It is recommended to set up multiple MFA methods, at least two, in case of technical issues or the loss of the device used for one of the second factors. This is crucial for employees who travel on business or very frequently work away from their permanent workplace.

The actual set-up is done on the portal Mysignins.microsoft.com. If you have at least one second factor active, you can add or remove the others on your own. If your first registration has failed, you need to enter a ticket in the ServiceDesk (the IT Services tile), and colleagues will reset your settings.

Available second factor methods

Microsoft Authenticator
This method consists of installing an app on the smartphone to verify the displayed code. The smartphone must run at least Android 8+ or iOS 16+.
The smartphone must comply with the Dean's Directive No. 5/2023; the use of devices from Huawei Technologies Co., Ltd. and ZTE Corporation is prohibited.

Detailed instructions for setting up the MS Authenticator are available on the FCE Portal.
Caution! Instructions may vary slightly depending on the OS version of your smartphone or computer.

Microsoft Authenticator is the recommended method, mainly because of its high user comfort on both private and business smartphones.

USB FIDO2 security key
The FIDO2 security key is a hardware device that plugs into a USB port. It is available in both USB-A and USB-C versions. A unique PIN or, in more expensive models, a fingerprint is used to confirm that the security key is being used legitimately. This security feature is stored locally on the key, so it is not sent over the network and the method itself is highly secure.

To use the second factor, you need to plug the security key into a USB port of a physical device, enter the PIN and touch the security key or use your fingerprint.

In the case of a PIN security key, we recommend the model Yubico Security Key NFC; the version with the USB-A connector costs approx. CZK 750, and the version with the USB-C connector approx. CZK 860.

In the case of a fingerprint security key, we recommend the model YubiKey Bio FIDO Edition; the version with the USB-A connector costs approx. CZK 2,700, and the version with the USB-C connector approx. CZK 2,850.

The above prices are B2C; you can find both lower and higher prices online. Purchases can be made at any store.

To activate this second factor, you need to have another MFA factor already active, or enter a ticket in the ServiceDesk and colleagues will activate it for you without another factor.

Detailed instructions on how to set up the FIDO2 security key can be found on the University Computing and Information Centre (VIC) website.

Windows Hello for Business
Windows Hello for Business (WHfB) is an extended version of Windows Hello that provides passwordless, multi-factor authentication for business environments, where the key to identity is a digital certificate and a PIN or biometrics on the physical device.

Using the second factor in Windows Hello for Business involves entering a PIN, using a fingerprint or biometric facial recognition. These options can be configured depending on your computer's hardware. Windows Hello for Business technology cannot be used in a Thin Client environment.

To activate this second factor, you need to have another MFA factor already active, because WHfB works only on the device on which it was set up.

Detailed instructions on how to set up Windows Hello for Business can be found on the University Computing and Information Centre (VIC) website.

TOTP app
TOTP (Time-Based One-Time Password) apps are smartphone or computer apps that generate one-time, time-limited codes (30 seconds) that are used as a second factor in MFA. (Examples of such apps are KeePassXC or Google Authenticator.)

The smartphone must comply with the Dean's Directive No. 5/2023; the use of devices from Huawei Technologies Co., Ltd. and ZTE Corporation is prohibited.

This method is currently considered outdated and not safe enough, and its use is not recommended.

Temporary Access Code (TAP)
This one-time code, valid for 12 hours, can be used if no other method of identity verification is available.
The TAP code is issued EXCLUSIVELY by the CTU Card Centre.

The CTU Card Centre will issue TAP codes only after November 1, 2025.

Tips and Tricks for MFA

MFA is ideally enforced once every seven days (see above). In reality, this period is shorter, but following the information below will help you get closer to the ideal seven days.

Most applications that use MFA are web applications that open in a web browser. Use only one browser, set it as the default browser, and do not close it in between work.

If you are using the Windows operating system, log in with the "Work and School Account (WSA)". MFA authentication is required to log in to WSA, but this authentication is then remembered for other applications.
If you are logged in with WSA, the connection works with the Edge browser, with the Firefox browser after configuration, and with the Chrome browser after installing the add-on. We have not tested other browsers, but it can be assumed that they have similar functionality.

When you need advice or technology does not work

If you need advice, if the second factor set-up has failed, or if you simply need assistance with setting it up, please contact the User Support Centre, which is part of the FCE Computing and Information Centre. We prefer entering a ticket in the ServiceDesk, the IT Service tile; in urgent cases call extension 9700.