Phishing attempts are at an all-time high, and a single compromised account poses a risk to sensitive college data and critical services. As an added layer of protection, we require all faculty and staff, and optionally students, to log in to VCCS services using multi-factor authentication.
What is Multi-factor authentication?
Multi-factor authentication adds a layer of security to online accounts by requiring you to verify that you are who you say you are. After logging in to a system with your username and password, you'll be prompted to confirm your identity a second time using a physical device in your possession (like a smartphone or token) that's been attached to your account.
Why do I need Multi-factor authentication?
The truth is, we have seen more professionally organized and sophisticated phishing attacks than ever before, and passwords are no longer a strong enough protection on their own.
Imagine this: An attacker sends an email to several hundred students. One student - just one - is fooled by the email and unwittingly hands over her username and password. Until we catch the suspicious activity, the attacker has access to all of that student's data.
Or this: An attacker sends an email to several employees, and the message appears to come from payroll. One person - just one - logs in to what he believes to be HRMS, only to realize later that his account was compromised and his direct deposits have been redirected to the attacker's bank.
Now imagine: An attacker successfully steals your username and password. When he tries to log in, he's asked to provide your second factor. But you have your second factor (your smartphone or token) safely in your possession, so he can't get any further. He remains locked out.
Multi-factor authentication adds a layer of protection to the personal information and infrastructure entrusted to us.
Sounds good, but will it slow me down?
Multi-factor authentication only adds a couple of seconds to your login. But if you regularly use the same computer and web browser, you can use the "Remember Me" feature to save more time.
What kind of devices can I use as a second factor?
Smartphone or tablet with Authenticator Mobile app (recommended)
Authenticator apps are the quickest, easiest, and most secure method of two-factor authentication supported by VCCS. Install the Rapid Identity, Google Authenticator, or Microsoft Authenticator app on your smartphone or tablet and use your mobile device as your second factor.
Passwordless authentication (Rapid Identity App Only)
After you enter your myVCCS username, myVCCS sends a notification to the Rapid Identity application on your device. Tap "Approve" to sign in.
You can also use the Rapid Identity, Google Authenticator, or Microsoft Authenticator app to generate a passcode if your mobile device doesn't have an internet connection.
Legacy mobile phone with SMS
If you register a cell phone that is not a smartphone, myVCCS can send you a text message as your second factor. Reply to the message to authenticate.
FIDO Key (Hardware Token)
A FIDO key is a small, physical device that you carry with you. When you register this one-button device, it will generate a one-time passcode that you can use each time you need to authenticate.
You can use commercially available security keys like the YubiKey, or any token that is FIDO2 compatible.
Software tokens work similarly to hardware tokens, except that passcodes are generated by a piece of software on your computer rather than a separate physical device. One-time passcode (OTP) generators are usually free and easy to install. Just search for OTP generators that provide TOTP or HOTP authentication, and register the product as a software token during two-factor enrollment.
We recommend WinAuth or OTP Manager on VCCS machines. These are both free options.
Note: As you decide which devices you need and how many to enroll, think about how you log in daily: Are you primarily at your desk? Do you use several computers across campus? Do you need to log in while traveling? And, most important, do you have a backup if your primary device gets lost or stolen?