Website ‘local account’ MFA
We are rolling out some additional security requirements for users with local website accounts.
We explain these changes in more detail below, including whether they will affect you.
Most Edge Hill websites use one login system called a “network account.” This keeps things simple and secure because:
- You always use the same username and password.
- Security features are consistent across all websites.
- The login screen looks familiar no matter which website you’re logging in to.
However, some websites have a second login system called a “local account.” We only use these for special reasons, like:
- Emergency access for staff in case of technical problems.
- Testing new features on the website.
- Giving certain service providers temporary access.
Until recently, local accounts were protected only by a username and password. This isn’t very strong because someone could guess your password. To make local accounts more secure, we’re adding an extra layer of protection called “multi-factor authentication” (MFA). You can find instructions on how to use MFA below.
Introducing MFA, the extra layer of security: Think of it as a second lock requiring not just your password, but also a secret code or device to confirm it’s really you. This makes it much harder for unauthorized individuals to break in, even if they somehow acquire your password.
- Network account users: Relax, you’re already covered! If you use the “Login using Edge Hill University SSO” option, then you don’t need to worry about MFA. It’s already built into your Edge Hill account.
- Local account users: You’ll soon be greeted by the enhanced security of MFA when logging in. Embrace the extra layer of protection for your important digital services.
By understanding the difference between network and local accounts, and the role of MFA in safeguarding your access, you can navigate the digital world of Edge Hill with confidence, knowing your digital doors are securely locked against unwanted visitors.
Remember, your online security is our priority. Feel free to reach out if you have any questions about your digital keys or the exciting world of MFA!
‘local account’ MFA method 1: One Time Password
You will soon notice a new field on the ‘local account’ login form called ‘EHU One Time Password’ (as shown in the screenshot). When you’ve been enrolled on ‘local account’ MFA, you will be required to enter a single-use password in addition to your username and password each time you log in.
Once enrolled, your ‘local account’ access to the website will be blocked without a valid code. Codes are valid for 30 seconds and then expire.
There are currently 2 ways to generate a one time password that’s valid for your account:
- Preferred and easiest: authenticator application.
- This method allows you to use an application or browser extension to generate a code for you. You then enter this into the ‘EHU One Time Password’ field.
- Alternative: we can e-mail them to you.
- This method requires you to log in to your account twice: the first login triggers the e-mail containing your one time password, which you then enter into the ‘EHU One Time Password’ field.
OTP – Application setup guide
- Log in to your account
- Navigate to ‘Users’ -> ‘Profile’
- Scroll to the ‘EHU SSO’ section
- Option 1 – Scan the QR Code using your authenticator application
- If your authenticator application supports scanning QR Codes, scan the provided QR code from within the application. You will then be prompted to confirm setup.
- Option 2 – Select the ‘Setup in my default OTP application’ link
- If your authenticator application supports OTP setup links, you will now be redirected to your authenticator app to confirm setup.
- Option 3 – Add it manually to your authenticator app
- If your authenticator app doesn’t support OTP setup links, copy the code shown next to ‘EHU SSO MFA – OTP Secret’. Paste this code into your authenticator application.
- If it asks for an issuer, enter the website address the code is for. e.g. blogs.edgehill.ac.uk
- If it asks for a username, enter your local account username
- Test the one time password provided by your authenticator application
- Please log in using the one time password provided by your authenticator application in the ‘EHU One Time Password’ field
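The three setup options above all hand the same shared secret to the authenticator app, which then derives each 30-second code from it. The sketch below is an added example, not Edge Hill's code: it assumes the site uses standard RFC 6238 TOTP with HMAC-SHA-1 and six digits (the page does not state the algorithm), and the secret and username shown are constructed sample values.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import quote, urlencode

STEP = 30    # seconds; the page states codes expire after 30 seconds
DIGITS = 6   # assumption: six digits, as in the page's sample e-mail code

def _key(secret_b32):
    """Decode the Base32 'OTP Secret' as typed (spaces, lower case, no padding)."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret_b32, at=None):
    """RFC 6238 code for the 30-second window containing Unix time `at`."""
    counter = int(time.time() if at is None else at) // STEP
    mac = hmac.new(_key(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, at=None):
    """Server-side check: constant-time compare against the current window only."""
    expected = totp(secret_b32, at).encode()
    return hmac.compare_digest(expected, submitted.strip().encode())

def setup_uri(secret_b32, issuer, username):
    """otpauth:// link of the kind a QR code or OTP setup link encodes."""
    label = quote(f"{issuer}:{username}")
    query = urlencode({"secret": secret_b32.replace(" ", "").upper(),
                       "issuer": issuer, "period": STEP, "digits": DIGITS})
    return f"otpauth://totp/{label}?{query}"

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # RFC 6238 test key, not a real secret
    print(setup_uri(secret, "blogs.edgehill.ac.uk", "example-user"))  # constructed user
    print(totp(secret, at=59))                   # code for the window ending at t=59
    print(verify(secret, "287082", at=60))       # same code, one second later: expired
```

Because the secret is all that is needed to produce valid codes, the QR code, setup link and ‘OTP Secret’ value on the profile page should be treated like a password.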
OTP – E-Mail setup guide
- Log in to your account without a One Time Password
- If your username and password are correct, you will be redirected back to the login screen. A notice at the top will display a message similar to ‘One time password was invalid, please check your email address for a new EHU One Time Password.’
- Check your E-Mails
- You should now receive an e-mail from Edge Hill University with the subject ‘EHU One Time Password’
- When you open this e-mail, it will contain a message similar to ‘Hi username, your local account one time password is: 123456’
- Test the one time password provided by your e-mail
- Please log in again using the one time password provided in our e-mail in the ‘EHU One Time Password’ field.
‘local account’ MFA method 2: Security Keys
You will soon notice a new button on the ‘local account’ login form called ‘Login with EHU WebAuthn’ (as shown in the screenshot). When you’ve been enrolled on ‘local account’ MFA, you will be required to use a security key or pre-approved device to verify yourself each time you log in.
Once enrolled, your ‘local account’ access to the website will be blocked without verifying yourself with a pre-approved device.