Unfiltered Story #306243

We’re all currently in lockdown and working from home, so almost all communication is via email. So I’m a bit shocked one morning when I try to sign in to my email and it tries to force me to set up Two-Factor Authentication using my phone. After double checking I am following the usual university sign in link, I try. It tells me to download an app, but also offers a button that says “Use a different authenticator app”. I have a different authenticator app, downloaded when the same university needed it to let me sign on to a different system, so I use that – it doesn’t work.

I check the IT helpdesk website, where there’s nothing whatsoever about this whole thing. I phone them up, and immediately hear a recorded message:

IT: If this call is about two-factor authentication for email access, please go to the website [Long non-university website address I can’t possibly remember]. If not, please press 1 for students and 2 for staff.

I can’t remember what the website is, I can’t find it, and I can’t find a way to listen to the message again. So I wait on hold for about 15 minutes before finally getting a staff member.

IT: You need to download [Brand] Authenticator to get it to work. If you download [Brand] Authenticator you won’t have any problems.

Me: But it had an option for “use a different authenticator”, and I only downloaded [Other Brand] Authenticator because your system needed it! How many authenticator apps am I going to need?

IT: You need two. [Brand] and [Other Brand].

Me: Ok, fine, I’m downloading the [Brand] Authenticator.

IT: Follow the instructions and you’ll get in fine. *Hangs up*

So I try, it takes three goes but eventually I get in to my email. There’s an email from the head of IT, sent after I first tried to get into my email.

Email: I am writing to you this morning to let you know that we have just turned on the mandatory enrolment of all staff into multi factor authentication. Any users logged in when multi factor authentication was switched on would have been disconnected and asked to enrol in multi factor authentication when logging back in. I apologise for any inconvenience caused, due to the heightened level of risk associated with cyber security events, prior notice was not able to be given alerting users to the activation of multi factor authentication.

Half an hour or so later, there’s another email called “Handy Tips on Setting up Two-Factor Authentication”, followed by a reply

Email: We understand that staff need to active Multi Factor Authentication in order to read the ‘Handy Tips’. It was a FYI email for staff that you know of that are having issues and there are a range of options available for authentication.