Setting up MFA on your

...

account

You will need to go through a one-time setup process to enrol your account for MFA.

...

  1. You will see the following screen indicating that you have successfully unenrolled.

...

Exemptions

There are only three exemptions to having to perform MFA in order to log in to Mediaflux: shared links, Data Mover shareables, and secure identity tokens.

Shared links can be created in Mediaflux Explorer in order to share a location with an unauthenticated user. See Direct Shareable Links for more information.

Data Mover

Data Mover allows you to share data with others. These users are not required to log in to access the data you have shared and so will not be required to use MFA.

Secure identity tokens

Secure identity tokens can be used to authenticate with the Mediaflux Unimelb Command-Line Clients, sFTP (Secure File Transfer Protocol) and Network Share (SMB Protocol).

If you need to automate uploads in an unattended fashion from a server or instrument PC, you may apply for a secure identity token. The advantages of this approach are:

  • Uploads will not require an MFA push notification to be actioned

  • Your university credentials do not need to be stored on the source machine

  • If a token is compromised, this will not compromise your university credentials

See the unimelb-mf-upload page Secure identity tokens for more information.

Long-Lived SMB Mounts

This is a new feature for SMB mounts on servers that are expected to operate unattended for long periods of time.

  • MFA push notifications will not be sent when mounting the SMB share

  • Your university credentials do not need to be stored on the source machine

  • If a token is compromised, this will not compromise your university credentials

See Secure identity tokens for more information or to apply.

...

or to apply for a token.

Pilot program meeting recording

The initial Mediaflux MFA pilot program meeting was recorded and is available below for those who were unable to attend.

...

Known issues

MFA with Mediaflux is a new feature that is currently under active development. As such there are some known issues that we are tracking with the software vendor (Arcitecta). Pending resolution, here are some workarounds.

“Session Expired” when enrolling for MFA

When attempting to enrol using the QR code at the MFA registration portal, you always see the error message:

Mediaflux Pocket: Enrollment failed
Session expired. Please re-login and try again

This issue seems to either be intermittent or only affect some users' phones.

Steps to work around the issue

You can enrol manually from within the Mediaflux Pocket app.

  • Open the Mediaflux Pocket app on your phone

  • Tap the red (plus) button in the bottom-right

  • Tap the “ENROL MANUALLY” link at the bottom of the screen and enter the details:

    • host: https://mediaflux.researchsoftware.unimelb.edu.au

    • domain: unimelb or student

    • username: <your university username>

    • password: <your university password>

  • Tap the REGISTER button

When enrolled for MFA, unable to log in to MFA portal

If you are currently enrolled for MFA and have logged in to Mediaflux recently (within the last 24 hours), you will not be able to log in to the MFA registration portal. This means that you can’t use the portal to unenrol from MFA. The message shown by the portal is:

Multi-Factor Authentication Required
A notification has been sent to the enrolled device -
Please verify on your device to continue.

Steps to work around the issue

You can unenrol from within the Mediaflux Pocket app.

  • Open the Mediaflux Pocket app on your phone

  • Tap on the account you wish to unenrol from MFA

  • Tap the unenrol button, then the red unenrol button

If iPhone is locked, actioned push notifications show "No Response" error

If your iPhone is locked when you try to connect with MFA for the first time in a 24 hour period, a push notification is sent to your phone. When you unlock your phone and tap on the notification, the Mediaflux Pocket app opens, but the verification status is listed as “No Response” and cannot be accepted.

Steps to work around the issue

  • Wait for 60 seconds for the MFA request to time out

  • Unlock your phone and open the Mediaflux Pocket app

  • Retry connecting to Mediaflux

FAQs

General

What’s Changing?

Multifactor authentication (MFA) will be implemented for the University’s Mediaflux service. This means that in addition to signing in with your existing credentials, you will soon also need to authenticate via a secondary app on your mobile device to access the Mediaflux service.

Why is Mediaflux not covered by the University of Melbourne SSO or multifactor authentication process?

Okta does not work for all of the different protocols offered by Mediaflux. Okta does not support MFA beyond browser-based access and is not sufficient to address the comprehensive needs of the many Mediaflux user access points and profiles. For this reason, the University is implementing MFA specifically for Mediaflux.

Will MFA be used for web or desktop clients?

MFA will apply to all clients when logging in with usernames/passwords.

Will MFA affect mounts that are already in place?

MFA will affect existing mounts when the mount is re-authenticated. Re-authentication typically happens several times a day.

Does this change affect Unimelb service users?

Yes. This change is applicable to any user who logs in to the Mediaflux service using a username and password.

What is the timeline for this change?

User acceptance testing of this MFA solution was completed in late May. The next step is a 4–5-week pilot phase, due to commence in early September.

Full roll out is planned for Quarter 4, 2024.

How will this change affect long-lived SMB mounts on servers or instrument PCs?

Production loads using SMB mounts will need to set up MFA on their Unimelb account. If you require long-lived SMB mounts then you may also need to apply for an SMB Secure Identity Token.

I use the University's DaRIS system. Will this change affect me?

We are not enabling MFA for DaRIS.

I automatically upload large amounts of data. How can I do this without being bothered by many MFA requests?

Any projects or users currently using the Mediaflux platform will need to use the new Mediaflux MFA once it is fully implemented in Q4 2024. If your project uses the Mediaflux platform, this change will apply. If you'd like to automatically upload large amounts of data via SFTP, SMB or HTTPS you can apply for a Secure Identity Token.

Is it possible to opt out of this MFA for certain projects/initiatives? If so, what is the process?

When fully deployed, all Mediaflux users (both internal and external to the university) will be required to use MFA when logging in with a username and password. If you have a workload that requires it, you can apply for a Secure Identity Token. This will bypass MFA.

Enrolment

What if I don't have a smartphone?

An Android or Apple smartphone is required to use MFA with Mediaflux. If you do not have a smartphone, please contact Research Computing Services for assistance.

...

What are the minimum requirements for downloading Mediaflux Pocket to my smartphone?

  • iOS 13.4 or later

  • Android 6.0 or later

Usage

When and how often will I be prompted by Mediaflux Pocket for MFA?

You will be prompted for MFA the first time you log in from each computer (based on its IP address) within a 24 hour period. Subsequent logins from the same computer, even if they are via a different protocol, will not send a push notification.

If you receive a notification for activity that you don’t recognise, you should contact Research Computing Services immediately.
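
A simplified model of the prompt rule described above, added here as an illustration and not Mediaflux's or Arcitecta's code. It assumes the 24-hour window is tracked per user and source IP and restarts at each MFA-verified login; the event tuples, the function names and the `known_ips` set are constructed for the example.

```python
from datetime import datetime, timedelta

MFA_WINDOW = timedelta(hours=24)  # "within a 24 hour period" (from the page)

# Constructed sample logins: (timestamp, user, source_ip, protocol, auth_method)
EVENTS = [
    ("2024-09-02T09:00", "alice", "10.0.0.5", "https", "password"),
    ("2024-09-02T09:30", "alice", "10.0.0.5", "smb", "password"),
    ("2024-09-02T11:00", "alice", "10.0.0.9", "sftp", "password"),
    ("2024-09-02T12:00", "alice", "10.0.0.7", "sftp", "token"),
    ("2024-09-03T08:59", "alice", "10.0.0.5", "https", "password"),
    ("2024-09-03T09:00", "alice", "10.0.0.5", "https", "password"),
]


def pushes_expected(events, window=MFA_WINDOW):
    """Return the logins that trigger a push under the modelled rule."""
    verified = {}  # (user, ip) -> time of the last MFA-verified login
    prompted = []
    for ts, user, ip, proto, method in sorted(events):
        when = datetime.fromisoformat(ts)
        if method == "token":
            continue  # secure identity tokens are exempt from MFA
        last = verified.get((user, ip))
        # Assumption: the window restarts once a full 24 hours have passed.
        if last is None or when - last >= window:
            verified[(user, ip)] = when
            prompted.append((ts, user, ip, proto))
        # Otherwise: same user and IP inside the window, any protocol, no push.
    return prompted


def unrecognised(prompted, known_ips):
    """Pushes from addresses the user does not recognise: report these."""
    return [p for p in prompted if p[2] not in known_ips]


if __name__ == "__main__":
    for push in pushes_expected(EVENTS):
        print("push expected:", push)
    print("report to RCS:", unrecognised(pushes_expected(EVENTS), {"10.0.0.5"}))
```

A push that does not line up with one of your own first-of-the-day logins from a machine you use is the case the paragraph above asks you to report.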

...

Contact RCS (Research Computing Services)