Enrolling in Multifactor Authentication for VCS
Introduction
This article provides instructions for enrolling in and using multifactor authentication (MFA) to access Virtual Computer Services (VCS) while off campus.
Applicability
This document applies to anyone who uses or supports external connections to VCS where multifactor authentication is required.
Procedure
Table of Contents
1. Getting Started
1.1 What is Multifactor Authentication (MFA)?
1.2 Downloading the SecureAuth Authenticator App
1.3 Connecting to VCS on Campus for the first time
1.4 Logging into VCS off Campus for the first time
2. Enrolling your Mobile device for MFA
2.1 Logging into the MedID Portal
2.2 Enrolling with a QR Code
2.3. Enrolling with a URL
2.4. Enrolling with a Yubikey
3. Connecting to VCS with MFA
3.1. Authenticating with push notifications
3.2. Authenticating with time-based passcodes
3.3. Authenticating with a Yubikey
4. Frequently Asked Questions
1. Getting Started
1.1. What is Multifactor Authentication (MFA)?
Multifactor Authentication (MFA) is a security technique where an additional method is used to identify a user when they're logging in, usually with a secondary device like a phone. Multifactor Authentication is used when connecting to VCS from locations outside the FOMD, UWS, or AHS networks, to enhance security for remote connections.
IST has set up the application SecureAuth Authenticator to be used when logging into VCS. The first step to setting up remote access to VCS when working offsite is to get the SecureAuth Authenticate application on your Android or Apple smartphone. If using a mobile phone is not an option, a hardware USB device can be used instead; please contact the Service Desk at 780-492-8000.
1.2. Downloading the SecureAuth Authenticator App
To install the SecureAuth application, go to your device's application store and search for "SecureAuth". Alternatively, links to the application in the Android and iOS App Stores are provided below. After installing SecureAuth, you will need to connect to the MedID Portal to link the app to your MedID.
After downloading the SecureAuth Authenticate app on your mobile device, you'll need to enroll your device with the VCS enrollment site, which is only available from within VCS. Follow section 1.3 or 1.4 for help with connecting to VCS for the first time.
- Android: SecureAuth for Android
- iPhone: SecureAuth for iOS
1.3. Connecting to VCS on Campus for the first time
You can connect to VCS from on campus with your MedID and password once your MedID has been enabled, and you will not need MFA. However, it is a good idea to set it up while you're on campus to help make logging in easier when you're off campus. If you are off campus, you can still log in, but you will need to contact the service desk to log in; please proceed to section 1.4, Logging into VCS off Campus for the first time.
The Citrix Workspace app is required to connect to VCS, and you will be prompted to install it when you sign in to the VCS website. Additional support for installing the Citrix Workspace app can be found at KB0013163.
- Go to https://vcs.med.ualberta.ca; then enter your MedID and Password.

- At the desktop selection screen, click on Windows 10.

- The Desktop viewer screen will show up and begin to log you into VCS.

1.4. Logging into VCS off Campus for the first time
You can still connect to VCS from off campus with your MedID and password once your MedID has been enabled. However, prior to setting up MFA, you will need to contact the service desk to log in.
The Citrix Workspace app is required to connect to VCS, and you will be prompted to install it when you sign in to the VCS website. Additional support for installing the Citrix Workspace app can be found at KB0013163.
- You will need to call the service desk at 780-492-8000 to receive a temporary PIN to grant you access to VCS. Otherwise you will not be able to log in. Please call them immediately prior to logging in to receive the PIN.
- After receiving the PIN, go to https://vcs.med.ualberta.ca, then enter your MedID and Password.
- When you connect, you'll need to specify whether you are on a Public Computer or a Private Computer, then enter your MedID and click Submit.

- The difference between "public computer" and "private computer" is that selecting 'this is a public computer' will force the VCS website to forget your computer's "fingerprint" when you close the browser, whereas selecting 'this is a private computer' will have the site remember your computer's "fingerprint". The fingerprint is how the VCS website remembers trusted devices, so that you are not prompted for MFA every time you log in.
- Select the Personal Identification Number (PIN) option and click Submit.

- Enter the PIN you received from the service desk. Then click Submit.

- Enter your MedID password. Then click Submit.

- At the desktop selection screen, click on Windows 10.

- The Desktop viewer screen will show up and begin to log you into VCS.

2. Enrolling your Mobile device for MFA
2.1. Logging into the MedID Portal
- Within the VCS virtual desktop, open a web browser and browse to the following website: https://medid.med.ualberta.ca/secureauth7/
- Enter your MEDID and then click Submit.

- At this point you'll only have one option to receive the 6 digit passcode, which is by email. Select Email, then click Submit.
- If you get an error here, most likely a work email address must be added to your MEDID account. Please contact the Staff Service Centre at 780-492-8000 to have it added.

- Check your email for the FOMD passcode.


- Enter the passcode from your email into the text field. Then click Submit.

- Then enter your MEDID password and click Submit.

2.2. Enrolling with a QR Code
This is the default method to enrol your device for MFA. However, if your phone's camera does not work or you encounter any errors, skip to the next section.
- Log into VCS, and connect to the MedID portal using the instructions in "Section 2.1 Logging into MedID Portal".
- From the MedID portal, select Mobile App Enrolment.

- On the Mobile App Enrollment screen, open the SecureAuth Authenticate app on your mobile device.

- On your phone, tap Yes or Allow on any pop-ups requesting access to your camera or to send notifications.

- Using your mobile device, scan the QR code you see on your computer monitor.

- Note: If your phone fails to scan the QR code, you may need to refresh the website to generate a new QR code.
- Note: If this still fails, or you cannot scan the QR code at all, proceed to Section 2.3. Enrolling with a URL.
- Once your mobile device successfully reads the QR code, you'll be sent to a dashboard showing your webcode as "LOCKED". This is expected, as you will need to create a new PIN in order to unlock your account. To create a PIN, tap on the LOCKED webcode.

- You will be shown a pop-up asking you to setup your PIN, tap on Go to App Lock to proceed.

- You will be taken to the App Lock screen to enable methods to unlock the SecureAuth app to help ensure that other people cannot use your phone to access your MedID. Tap on Passcode to create a PIN.

- You will be taken to a screen to create a new PIN for this application. Enter a 4-digit PIN that you will remember. You will then be asked to confirm your PIN; enter the exact same PIN to confirm.

- Do not give out this PIN to anybody. IST will never ask you for this PIN when assisting you. This PIN is only used to reveal the 6-digit code in the SecureAuth Authenticator app on your mobile device when using the One Time Passcode login method, as shown in section 3.2.
- You will be taken back to the App Lock page. Feel free to enable other forms of security for this application (such as Touch ID/Fingerprint recognition or Face ID/Face recognition). You can use these in lieu of the PIN.

- Afterwards, you can close the App Lock page to return to the dashboard. If you can see the 6-digit passcode, then you have enabled security within the application successfully.

- Finally, you will need to enable your MedID to use MFA. Return to the MedID website within VCS, and enter the 6-digit passcode shown on your phone in the text box under "3. Confirm". Then click Enable.

- Your mobile device has now been enrolled. For all future attempts to log in off-campus, your phone will receive a notification to prompt you for authentication.

Note: If push notifications are not working, you can use the passcode you entered in Step 12, though you will be asked to enter the PIN or use the other forms of security that you set up previously.
2.3. Enrolling with a URL
If the QR code method for enrolling does not work, you can specify a URL for enrollment directly in the Authenticate App. The following steps are done in lieu of Step 5 from the previous section.
- Complete Step 1 through Step 4 in the previous section, "2.2. Enrolling with a QR Code".
- From the Authenticate mobile app start by tapping Other Pairing Options.

- On the next screen enter the following URL into path: "https://secureauth.med.ualberta.ca/secureauth20" then tap on Pair.

- You'll be directed to a login page where it will ask for your MedID. Enter your MedID and then tap on Submit. *NOTE* sometimes the phone OS will automatically capitalize names, which may cause the error "Invalid MedID". Most of the time, a MedID will be all lowercase.

- Next, you'll be sent a 6-digit passcode at the email address we have associated with your MedID (most often your Ualberta email address). After receiving the code in your email, enter the 6-digit passcode in the next screen on your mobile device, then tap on Submit.

- Next, it will ask for your MedID password to confirm your identity. Enter your password and tap Submit.

- You will now be enrolled! Please continue the steps from the previous section from Step 6 through 12.

2.4. Enrolling a Yubikey for MFA
This is for those who either have a phone that will not work for this purpose, or cannot use their phone for their MedID. IST offers a device called a "YubiKey", which is a USB device that performs the same functions as the SecureAuth application; however, it will need to be plugged in to every computer that you sign in to VCS with, so ensure that you keep it with you at all times.
- Request a YubiKey from IST via the service portal found at the Staff Service Centre, or call the service desk at 780-492-8000 to have them help you with submitting a request.
- After you have received a YubiKey, follow Section 2 "Enrolling your Mobile device for MFA using a QR Code" from Step 1 through Step 6.
- On the https://medid.med.ualberta.ca website, choose Yubikey Enrollment.

- Plug the YubiKey into your computer, then press on the little gold Y button on the YubiKey itself with your finger, which will automatically fill in the text field with a code for that Yubikey. Then click Submit.

- Once you see that the YubiKey has been verified and saved successfully, you can close the browser tab.

3. Connecting to VCS with MFA
Now that you have set up MFA on your mobile device, you should test it by logging into VCS. You have two options: Push Notifications and Time-based Passcodes. By default you should receive push notifications, as it is the easier method, but we offer time-based passcodes as a fallback.
3.1. Authenticating with push notifications
- Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, select the public computer option so that the site doesn't remember your login.
- Enter your MEDID and then click Submit.

- To receive a push notification for authentication, choose the Send login request to _______ option.

- If push notifications are not working, then proceed to the following section, 3.2. Authenticating with time-based passcodes.
- On the next screen, you'll see either a randomly generated number or letter. Tap on the matching character on your mobile device to confirm your identity.

- Next it will move the login along to the password screen. Enter your MedID password then click Submit.

- From here you will be at the desktop selection screen. Select Windows 10 or any other virtual computer you need to access.
3.2. Authenticating with time-based passcodes
If push notifications are not available or not working, we offer the ability to manually enter a 6-digit passcode from the SecureAuth app on your phone. This uses the same technique as push notifications; the only difference is that push notifications automatically send the 6-digit passcode to the login servers, whereas time-based passcodes are entered manually.
Time-based passcodes change every 60 seconds. The app on your phone will tell you how much time is left before a passcode resets, so be aware of when a passcode will reset before entering it.
- Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, select the public computer option so that the site doesn't remember your login.
- Enter your MEDID and then click Submit.

- Select Time-based Passcode. Then click Submit.

- On your mobile device, open the SecureAuth Authenticate app, and tap on the account that was created when you enrolled your device. The app will prompt for the PIN that you created when you enrolled, and will then show the 6-digit passcode. Enter it into the VCS website, and then click Submit.

- Then enter your password and click Submit.

- From here you will be at the desktop selection screen. Choose your VM to launch.
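Added example, not part of the original article and not SecureAuth's code: a sketch of how a 6-digit passcode can be derived on the phone without a network connection and why it stops being accepted once the 60-second countdown ends. It assumes the app follows the standard TOTP construction (RFC 6238 with HMAC-SHA1), which the article does not state; the secret, timestamps and the `drift_windows` tolerance are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the article: passcodes change every 60 seconds
DIGITS = 6         # the article: 6-digit passcodes

# Constructed sample secret (the RFC 4226 test key), not a real enrollment secret.
SAMPLE_SECRET = b"12345678901234567890"


def passcode(secret: bytes, unix_time: int) -> str:
    """Passcode for the 60-second window containing unix_time (assumed RFC 6238)."""
    counter = unix_time // STEP_SECONDS  # only the shared secret and a clock are needed
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def seconds_remaining(unix_time: int) -> int:
    """What the app's countdown shows: seconds until the passcode changes."""
    return STEP_SECONDS - (unix_time % STEP_SECONDS)


def verify(secret: bytes, submitted: str, server_time: int, drift_windows: int = 0) -> bool:
    """Server-side check. drift_windows is a hypothetical tolerance for clock
    skew; the article does not say what the VCS login servers accept."""
    for w in range(-drift_windows, drift_windows + 1):
        t = server_time + w * STEP_SECONDS
        if t >= 0 and hmac.compare_digest(passcode(secret, t), submitted):
            return True
    return False


if __name__ == "__main__":
    code = passcode(SAMPLE_SECRET, 45)  # read from the phone 45 s into a window
    print("passcode:", code, "valid for", seconds_remaining(45), "more seconds")
    # Typed in after the window rolled over: rejected by a strict server,
    # accepted only if the server tolerates one window of drift.
    print("strict server, 20 s later:", verify(SAMPLE_SECRET, code, 65))
    print("one-window tolerance:     ", verify(SAMPLE_SECRET, code, 65, drift_windows=1))
```

A short remaining time on the countdown is the case to watch for: waiting for the next passcode avoids a rejection caused by the window changing between reading and submitting.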
3.3. Authenticating with a Yubikey
If you don't have a phone that you can authenticate with, and you have followed the steps in 2.4. Enrolling a Yubikey for MFA, then you can use a YubiKey to authenticate.
- Browse to https://vcs.med.ualberta.ca on your computer. If you are on a public computer, select the public computer option so that the site doesn't remember your login.
- Enter your MEDID and then click Submit.

- Select YubiKey Device then click Submit.

- Insert the YubiKey into your computer, then press on the little gold Y button on the YubiKey itself with your finger, which will automatically fill in the text field with a code for that YubiKey. The site will then proceed to the password page automatically.

- Enter your MEDID password then click Submit.

- From here you will be at the desktop selection screen. Choose your VM to launch.
4. Frequently Asked Questions
- I lost my mobile device, what should I do?
- Contact the Service Desk at 780-492-8000 or log a ticket on the Service Portal and an Analyst will remove the lost device from your user profile.
- Can I enroll more than one mobile device?
- Yes, you can enroll up to 5 mobile devices.
- I'm on a business trip and my mobile device is not working, how can I login?
- Contact the Service Desk at 780-492-8000 or log a ticket on the Service Portal and an Analyst will generate a One-Time Passcode (OTP) for you.
- What mobile devices are supported?
- iOS, Android, Microsoft, and Blackberry devices are supported. Huawei devices are not supported due to U.S. embargo MD-839.
- My mobile device does not have an internet connection or push alerts are not working, how can I login?
- You can generate an OTP from the mobile application. Your mobile device does not need an internet connection to generate an OTP.
- When logging in, do I select public or private computer?
- If the computer you are using is not your personal computer, you should select public computer. Public computers are not stored as trusted computers in your user profile.
- Can One-Time Passcodes (OTPs) be sent to my personal email address?
- No, for security reasons, OTPs are only sent to your U of A email address.
- Why am I no longer required to use MFA to log in from my personal computer?
- Personal computers are stored in your user profile as a trusted computer during the first login with a fingerprint. Should the fingerprint change, you'll be prompted for multifactor authentication again.
- I do not have a mobile device to use for MFA, what other options do I have?
- You can purchase a hardware token from IST. This is known as a YubiKey.
Keywords: VCS, Virtual Computer Services, multifactor, authentication, login, off campus, external, 2FA, MFA