An Introduction to Multi-Factor Authentication

What is Multi-Factor Authentication?

Multi-Factor Authentication (MFA) is a technology that is increasingly used in our daily lives to verify you are the right person accessing the right data or service. BC Government already requires employees, Broader Public Sector and Crown Corporation staff, contractors, partners, and other collaborators to use multiple factors when accessing the government’s Microsoft Azure cloud services (e.g. Microsoft M365 services, MS Entra ID, MS Teams, SharePoint Online, Exchange Online, OneDrive, etc.).  

Soon all BC Government resources will be protected by MFA.

How does MFA work?

MFA uses a second authentication factor to verify your identity, enhancing security by adding "something that you have" to "something you know".

• The first factor is referred to as “something you know”:
  • Most often this is your password, the most basic authentication method.
• The second factor is referred to as “something you have”:
  • Passkeys: Users authenticate by using a secure device, such as a physical security key (e.g. FIDO2) or an app on their phone (e.g. Microsoft Authenticator Passkey). They verify their identity through methods like tapping the device, entering a PIN, or using biometrics such as a fingerprint or facial recognition.
  • E-tokens: Users authenticate using a physical or virtual token that generates unique passcodes. They enter the passcode during sign-in to verify their identity.
  • Authentication app: Users authenticate using a downloaded authentication application that either generates a one-time passcode which users enter during the authentication process, or sends a notification to their device, which they can approve to verify their identity.
  • Phone call verification: Users authenticate by responding to an automated phone call to their registered phone number. They verify their identity by answering the call and pressing the specified key, such as ‘#’, as instructed during the call.
  • SMS/email one-time passcode: Users authenticate by receiving a one-time passcode on their mobile device via SMS or in their email inbox, which they use to verify their identity.  SMS may currently be configured as a valid response method by limited external organizations, however SMS is being phased out as a supported MFA response method by BC Government.

Why is MFA important and when may I be asked to use it?

MFA protects BC Government resources from threats like phishing attacks, credential theft, and malware. It helps to identify that a real person is logging into a resource, versus a bot or a hacker. Here's when you may encounter MFA:

• You'll be prompted to register MFA during the initial setup of your account, or the first time you visit a resource which has been protected by MFA.
• Regular use: Verification may be required when signing in with your account for the first time on a given day, on a new device or when accessing sensitive resources.
• Unusual activity: If unusual activity is detected, you'll need to verify your identity again to ensure your account's safety. 

Am I already registered for MFA?

• If you work for BC Government, are a contractor working with the Province, or have direct access to BC Government resources using a BC Government issued IDIR account, you should already be registered for MFA. Visit MFA for Internal users.
• If you work in the Broader Public Sector, for a Crown Corporation, or are a contractor or partner, you should be registered with a compatible MFA system by your organization.
• If you are a contractor, partner or other collaborator and you have a Microsoft account, you should be registered for MFA.

If you are a contractor, partner or other collaborator and you are not registered for MFA with any organization and you do not have a Microsoft account, you will need to register for BC Government MFA. Visit MFA Registration and Use for MFA registration information.