Versions Compared

Old Version 46

changes.mady.by.user Lauren

Saved on

compared with

New Version Current

changes.mady.by.user Robert Hutton

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Find out how to set up and use multifactor authentication (MFA) for logging into Mediaflux

...

Table of Contents
minLevel2
maxLevel2
include
outlinefalse
indent
styledefault
exclude
typelist
class
printabletrue

...

Anchor
Setting-up-your-MFA
Setting-up-your-MFA
Setting up MFA on your

...

account

You will need to go through a one-time set up process to enrol your account for MFA.

...

You will need two devices to complete this process:

  1. YOUR PHONE (for the Mediaflux Pocket app parts)

  2. YOUR PC (for the Mediaflux Pocket Registration Portal parts)

STEP 1: Install the Mediaflux Pocket app on your smartphone

...

  1. Go to the Mediaflux Pocket Registration Portalon your PC (not the Mediaflux Pocket app on your smartphone).

  2. Log in with the same domain and credentials that you usually use to log into Mediaflux.

    • If you are a University of Melbourne academic researcher (staff), you likely log into Mediaflux with the domain unimelb and your central UoM username and password.

    • If you are University of Melbourne graduate researcher (student), you likely log into Mediaflux with the domain student and your central UoM username and password.

    • If you are a researcher external to the University of Melbourne, you likely log into Mediaflux in one of two ways:

      • with the domain local and the username and password that you were sent when creating the account.

      • with the domain unimelb and the username and password for the Active Directory system account that you registered for.

...

  1. Point your phone’s camera at the Mediaflux Pocket Registration Portal’s QR code to scan it.

Info

Some smartphones may require you to actively allow Mediaflux Pocket access to your phone camera before you can scan.

...

  1. Give your account and device a name, then click Enrol.

...

Once you are enrolled for MFA, you will receive an MFA push notification notifications on your phone smartphone when you log in to Mediaflux.

...

  • subsequent logins from the same computer should not shouldn't require you to accept any MFA push notifications

  • but if you log in from another computer, you will be prompted again

...

The log in process will be slightly different per each different Mediaflux client:

Mediaflux Explorer

...

While MFA will be mandatory (with certain use case exceptions as mentioned abovedetailed below), you may need to unenrol from it when:

  • as a piloting tester in the pre-mandatory phase, you’ve finished your testing and want to disable the MFA until it actually becomes mandatory for all users

  • changing/updating your mobile device (because swapping your MFA from one smartphone to another involves first unenrolling, then re-enrolling in MFA)

Note

Important: Unenrolling from Mediaflux Pocket does NOT enable access to Mediaflux without MFA. Once MFA is mandatory, Mediaflux will be inaccessible without it, regardless of whether you’re enrolled in Mediaflux Pocket or not. Unenrolling merely dissociates your Mediaflux account from the Mediaflux Pocket app on a particular smartphone (usually so that you can reestablish it on a different smartphone).

  1. To unenrol, go Go to the Mediaflux Pocket Registration Portal on your PC (not the Mediaflux Pocket app on your smartphone)and log in.

  2. Click the Disable MFA button.

...

  1. You will see the following screen indicating that you have successfully unenrolled.

...

Exemptions

There are only three some exemptions to having to perform MFA in order to log in to Mediaflux: shared links, Data Mover shareables, and secure identity tokens.

Shared links can be created in Mediaflux Explorer in order to share a location with an unauthenticated user. See Direct Shareable Links for more information.

Data Mover

Data Mover allows you to share data with others. These users are not required to log in to access the data you have shared and so will not be required to use MFA.

Secure identity tokens

Secure identity tokens can be used to authenticate with the Mediaflux Unimelb Command-Line Clients, sFTP (Secure File Transfer Protocol) and Network Share (SMB Protocol).

If you need to automate uploads in an unattended fashion from a server or instrument PC, you may apply for a secure identity token. The advantages of this approach are:

  • Uploads will not require an MFA push notification to be actioned

  • Your university credentials do not need to be stored on the source machine

  • If a token is compromised, this will not compromise your university credentials

See Secure identity tokens for more information or to apply for a token.

Anchor
Pilot-program-meeting-recording
Pilot-program-meeting-recording
Pilot program meeting recording

The initial Mediaflux MFA pilot program meeting was recorded and is available below for those who were unable to attend.

...

Known issues

MFA with Mediaflux is a new feature that is currently under active development. As such there are some known issues that we are tracking with the software vendor (Arcitecta). Pending resolution, here are some workarounds.

“Session Expired” when enrolling for MFA

When attempting to enrol using the QR code at the MFA registration portal, you always see the error message:

Mediaflux Pocket: Enrollment failed
Session expired. Please re-login and try again

This issue seems to either be intermittent or only affect some users' phones.

Expand
titleSteps to work around the issue

You can enrol manually from within the Mediaflux Pocket app.

  • Open the Mediaflux Pocket app on your phone

  • Tap the red (plus) button in the bottom-right

  • Tap the “ENROL MANUALLY” link at the bottom of the screen and enter the details:

    • host: https://mediaflux.researchsoftware.unimelb.edu.au

    • domain: unimelb or student

    • username: <your university username>

    • password: <your university password>

  • Tap the REGISTER button

When enrolled for MFA, unable to log in to MFA portal

If you are currently enrolled for MFA and have logged in to Mediaflux recently (within the last 24 hours), you will not be able to log in to the MFA registration portal. This means that you can’t use the portal to unenrol from MFA. The message shown by the portal is:

Multi-Factor Authentication Required
A notification has been sent to the enrolled device -
Please verify on your device to continue.

Expand
titleSteps to work around the issue

You can unenrol from within the Mediaflux Pocket app.

  • Open the Mediaflux Pocket app on your phone

  • Tap on the account you wish to unenrol from MFA

  • Tap the unenrol button, then the red unenrol button

If iPhone is locked, actioned push notifications show "No Response" error

If your iPhone is locked when you try to connect with MFA for the first time in a 24 hour period, a push notification is sent to your phone. When you unlock your phone and tap on the notification, the Mediaflux Pocket app opens, but the verification status is listed as “No Response” and cannot be accepted.

Expand
titleSteps to work around the issue

  • Wait for 60 seconds for the MFA request to time out

  • Unlock your phone and open the Mediaflux Pocket app

  • Retry connecting to Mediaflux

...

  • tokens

  • DataMover

  • long-lived SMB mounts using local or system accounts

...

Anchor
FAQs
FAQs
FAQs

General

Expand
titleWhat’s Changing?

Multifactor authentication (MFA) will be implemented for the University’s Mediaflux service. This means that in addition to signing in with your existing credentials, you will soon also need to authenticate via a secondary app on your mobile device to access the Mediaflux service.

Expand
titleWhy is Mediaflux not covered by the University of Melbourne SSO or multifactor authentication process?

Okta does not work for all of the different protocols offered by Mediaflux. Okta does not support MFA beyond browser-based access and is not sufficient to address the comprehensive needs of the many Mediaflux user access points and profiles. For this reason, the University is implementing MFA specifically for Mediaflux.

Expand
titleWill MFA be used for web or desktop clients?

MFA will apply to all clients when logging in with usernames/passwords.

Expand
titleWill MFA affect mounts that are already in place?

MFA will affect existing mounts when the mount is re-authenticated. Re-authentication typically usually happens several times a day.

Expand
titleDoes this change affect Unimelb service users?

Yes. This change is applicable to any user who logs in to the Mediaflux service using a username and password.

Expand
titleWhat is the timeline for this change?

User acceptance testing of this MFA solution was completed in late May. The next step is for a 4–5-week pilot phase due to commence in early September.

Full roll out is planned for Quarter 4, 2024.

Expand
titleHow will this change affect long-lived SMB mounts on servers or instrument PCs?

Production loads using SMB mounts will need to set up MFA on their Unimelb account. If you require long-lived SMB mounts then you may also need to apply for an SMB Secure Identity Token.

Expand
titleI use the University's DaRIS system. WIll this change affect me?

We are not enabling MFA for DaRIS.

Expand
titleI automatically upload large amounts of data. How can I do this without being bothered by many MFA requests?

Any projects or users currently using the Mediaflux platform will need to use the new Mediaflux MFA once it is fully implemented in Q4 2024. If your project uses the Mediaflux platform, this change will apply. If you'd like to automatically upload large amounts of data via SFTP, SMB or HTTPS you can apply for a Secure Identity Token.

Expand
titleIs it possible to opt out of this MFA for certain projects/ initiatives. If so, what is the process.

When fully deployed, all users Mediaflux Users (both internal and external to the university) will be required to use MFA when logging in with a username and password. If you have a workload that requires it, you can apply for a Secure Identity Token. This will bypass MFA.

Enrolment​

Expand
titleWhat if I don't have a smartphone?

An Android or Apple smartphone is required to use MFA with Mediaflux. If you do not have a smartphone please contact Research Computing Services for assistance.

...

Expand
titleWhat if I don’t want to download the Mediaflux Pocket app on my smartphone?

I am concerned about my privacy:

  • The Mediaflux Pocket app has passed through the App Store and University vetting processes

  • The University has no access to the app on your phone and cannot view any of the data on your phone, other apps installed, monitor calls or track your location

  • The app does not require you to link it to a particular phone number

I am concerned about using my personal smartphone:

  • The University encourages all staff and students to use their personal device to verify their identity

  • Providing a University-issued device to each user is not possible due to the high cost

  • The security provided by MFA greatly enhances the protection of not just University information but also your personal information

  • The use of MFA is a requirement for ongoing access to University services

I am concerned about the performance impact on my smartphone:

  • The app uses minimal resources on your smartphone and prompts you only when Mediaflux Pocket needs you to verify your current log in

Expand
titleWhy do I have to install yet another MFA app on my phone? Can't I just use Okta to log in to Mediaflux?

Mediaflux is an external product used, but not owned, by the University. The product provider has helped make our Mediaflux use here at UoM much safer by incorporating multifactor authentication into the product for us. But in selecting an optimal tool to facilitate this, the provider has chosen their own new Mediaflux app (Mediaflux Pocket) over any existing MFA tool that the University already uses (such as Okta). While this decision means installing another MFA app on our phones to safely use Mediaflux, the good news is that the provider is further developing their app to include all sorts of useful features for frequent Mediaflux users, so stay tuned for updates!

Expand
titleDo I need to keep the Mediaflux Pocket app on my smartphone, once I have enrolled for MFA?​

Yes, you will need the Mediaflux Pocket app to accept MFA authentication push notifications when you log in to Mediaflux. If you have accidentally deleted the app, please contact Research Computing Services for assistance.

Expand
titleWhat are the minimum requirements for downloading Mediaflux Pocket to my smartphone?

  • iOS 13.4 or later

  • Android 6.0 or later

Usage​

Expand
titleWhen and how often will I be prompted by Mediaflux Pocket for MFA?​

You will be prompted for MFA the first time you log in from each computer (based on its IP address) within a 24 hour period. Subsequent logins from the same computer, even if they are via a different protocol, will not send a push notification.

If you receive a notification for activity that you don’t recognise, you should contact Research Computing Services immediately.

...

Contact RCS (Research Computing Services)