Find out how to set up and use multifactor authentication (MFA) for logging into Mediaflux

All users will soon need to perform multifactor authentication (MFA) whenever they log into Mediaflux (with only a few exemptions).

Users will need a smartphone app called Mediaflux Pocket in order to receive MFA push notifications when they log in to Mediaflux.


Setting up MFA on your account

You will need to go through a one-time setup process to enrol your account for MFA.

You will need two devices to complete this process:

  1. YOUR PHONE (for the Mediaflux Pocket app parts)

  2. YOUR PC (for the Mediaflux Pocket Registration Portal parts)

STEP 1: Install the Mediaflux Pocket app on your smartphone

You will need to install the Mediaflux Pocket app on your smartphone. You can either click the relevant link below or search for Mediaflux Pocket in your app store.

Android devices

https://play.google.com/store/apps/details?id=com.arcitecta.mediafluxpocket&pcampaignid=web_share

Apple devices

https://apps.apple.com/au/app/mediaflux-pocket/id1578392452

STEP 2: Enrol your account for MFA

  1. Go to the Mediaflux Pocket Registration Portal on your PC (not the Mediaflux Pocket app on your smartphone).

  2. Log in with the same domain and credentials that you usually use to log into Mediaflux.

    • If you are a University of Melbourne academic researcher (staff), you likely log into Mediaflux with the domain unimelb and your central UoM username and password.

    • If you are a University of Melbourne graduate researcher (student), you likely log into Mediaflux with the domain student and your central UoM username and password.

    • If you are a researcher external to the University of Melbourne, you likely log into Mediaflux in one of two ways:

      • with the domain local and the username and password that you were sent when creating the account.

      • with the domain unimelb and the username and password for the Active Directory system account that you registered for.

Screenshot from 2024-04-18 13-48-49.png
  3. Click the QR code in the resulting screen to unblur it.

Screenshot from 2024-04-18 13-52-05.png
  4. Open the Mediaflux Pocket app on your phone, and click the orange plus button in the bottom right of the app.

Screenshot_20240418-135233.png
  5. Point your phone’s camera at the Mediaflux Pocket Registration Portal’s QR code to scan it.

Some smartphones may require you to actively allow Mediaflux Pocket access to your phone camera before you can scan.

Screenshot_20240418-135256.png
  6. Give your account and device a name, then click Enrol.

Screenshot_20240418-135308.png
  7. The Mediaflux Pocket Registration Portal will confirm your successful enrolment with the following screen, which also shows the account that you have enrolled in at the top right of the screen.

Screenshot from 2024-04-18 13-53-37.png

Using MFA to log in to Mediaflux

Once you are enrolled for MFA, you will receive MFA push notifications on your smartphone when you log in to Mediaflux.

You will only be prompted the first time you log in from a given computer on a given day:

  • subsequent logins from the same computer shouldn't require you to accept any MFA push notifications

  • but if you log in from another computer, you will be prompted again

The login process differs slightly for each Mediaflux client:

Mediaflux Explorer

To log in with Mediaflux Explorer, enter your domain, username and password as usual. Once you click the Sign in button the login process will pause until you have accepted the MFA push notification in the Mediaflux Pocket app on your phone.

Screenshot from 2024-04-18 13-56-38.png

Network Share (SMB Protocol)

To map your Mediaflux project as a network drive on Windows, enter your domain\username and password as usual. Once you click the OK button, the login process will pause until you have accepted the MFA push notification in the Mediaflux Pocket app on your phone.

map-network-drive1.png

map-network-drive2.png

The equivalent login step on each platform will cause a push notification to be sent. Additionally, if you keep the network share connected to your computer (see the Reconnect at sign-in checkbox above), you may be prompted again if the connection drops and reconnects. See the Network Share (SMB Protocol) page for more information on using SMB network shares on all platforms.

SFTP with FileZilla

To log in with FileZilla using SFTP (Secure File Transfer Protocol), enter your domain, username and password as usual. Once you click the OK button, the login process will pause until you have accepted the MFA push notification in the Mediaflux Pocket app on your phone.

Screenshot from 2024-04-18 14-50-41.png

Web Aterm

To log in with Mediaflux Web Aterm, enter your domain, username and password as usual.

Screenshot from 2024-04-18 13-54-27.png

Once you click the Log in button the login process will display the following screen informing you that an MFA push notification has been sent to the Mediaflux Pocket app on your phone:

Screenshot from 2024-04-18 13-54-31.png

More information is available for Mediaflux Aterm.

Mediaflux Unimelb Command-Line Clients

To log in with the Mediaflux Unimelb Command-Line Clients, enter your domain, username and password in the configuration file as usual. Once you enter your password, the login process will pause until you have accepted the MFA push notification in the Mediaflux Pocket app on your phone.

Screenshot from 2024-04-18 14-00-02.png

Mediaflux Desktop

To log in with Mediaflux Desktop, enter your domain, username and password as usual. Once you click the Login button the login process will pause until you have accepted the MFA push notification in the Mediaflux Pocket app on your phone.

Screenshot from 2024-04-18 13-55-27.png

Unenrolling from Mediaflux Pocket

While MFA will be mandatory (with certain use case exceptions detailed below), you may need to unenrol from it when:

  • as a piloting tester in the pre-mandatory phase, you’ve finished your testing and want to disable the MFA until it actually becomes mandatory for all users

  • changing/updating your mobile device (because swapping your MFA from one smartphone to another involves first unenrolling, then re-enrolling in MFA)

Important: Unenrolling from Mediaflux Pocket does NOT enable access to Mediaflux without MFA. Once MFA is mandatory, Mediaflux will be inaccessible without it, regardless of whether you’re enrolled in Mediaflux Pocket or not. Unenrolling merely dissociates your Mediaflux account from the Mediaflux Pocket app on a particular smartphone (usually so that you can reestablish it on a different smartphone).

  1. Go to the Mediaflux Pocket Registration Portal on your PC (not the Mediaflux Pocket app on your smartphone) and log in.

  2. Click the Disable MFA button.

unenrol-from-mfa.png
  3. You will see the following screen indicating that you have successfully unenrolled.

unenrolled.png

Exemptions

There are some exemptions to having to perform MFA in order to log in to Mediaflux: shared links, Data Mover shareables, and secure identity tokens.

Shared links can be created in Mediaflux Explorer in order to share a location with an unauthenticated user. See Direct Shareable Links for more information.

Data Mover

Data Mover allows you to share data with others. These users are not required to log in to access the data you have shared and so will not be required to use MFA.

Secure identity tokens

Secure identity tokens can be used to authenticate with the Mediaflux Unimelb Command-Line Clients, sFTP (Secure File Transfer Protocol) and Network Share (SMB Protocol).

If you need to automate uploads in an unattended fashion from a server or instrument PC, you may apply for a secure identity token. The advantages of this approach are:

  • Uploads will not require an MFA push notification to be actioned

  • Your university credentials do not need to be stored on the source machine

  • If a token is compromised, this will not compromise your university credentials

See Secure identity tokens for more information or to apply for a token.

Pilot program meeting recording

The initial Mediaflux MFA pilot program meeting was recorded and is available below for those who were unable to attend.

MFA pilot meeting.mp4

FAQs

General

 What’s Changing?

Multifactor authentication (MFA) will be implemented for the University’s Mediaflux service. This means that in addition to signing in with your existing credentials, you will soon also need to authenticate via a secondary app on your mobile device to access the Mediaflux service.

 Why is Mediaflux not covered by the University of Melbourne SSO or multifactor authentication process?

Okta does not work for all of the different protocols offered by Mediaflux. Okta does not support MFA beyond browser-based access and is not sufficient to address the comprehensive needs of the many Mediaflux user access points and profiles. For this reason, the University is implementing MFA specifically for Mediaflux.

 Will MFA be used for web or desktop clients?

MFA will apply to all clients when logging in with usernames/passwords.

 Will MFA affect mounts that are already in place?

MFA will affect existing mounts when the mount is re-authenticated. Re-authentication typically happens several times a day.

 Does this change affect Unimelb service users?

Yes. This change is applicable to any user who logs in to the Mediaflux service using a username and password.

 What is the timeline for this change?

User acceptance testing of this MFA solution was completed in late May. The next step is a 4–5-week pilot phase, due to commence in early September.

Full roll out is planned for Quarter 4, 2024.

 How will this change affect long-lived SMB mounts on servers or instrument PCs?

Production loads using SMB mounts will need to set up MFA on their Unimelb account. If you require long-lived SMB mounts then you may also need to apply for an SMB Secure Identity Token.

 I use the University's DaRIS system. Will this change affect me?

We are not enabling MFA for DaRIS.

 I automatically upload large amounts of data. How can I do this without being bothered by many MFA requests?

Any projects or users currently using the Mediaflux platform will need to use the new Mediaflux MFA once it is fully implemented in Q4 2024. If your project uses the Mediaflux platform, this change will apply. If you'd like to automatically upload large amounts of data via SFTP, SMB or HTTPS you can apply for a Secure Identity Token.

 Is it possible to opt out of this MFA for certain projects/initiatives? If so, what is the process?

When fully deployed, all Mediaflux users (both internal and external to the University) will be required to use MFA when logging in with a username and password. If you have a workload that requires it, you can apply for a Secure Identity Token. This will bypass MFA.

Enrolment

 What if I don't have a smartphone?

An Android or Apple smartphone is required to use MFA with Mediaflux. If you do not have a smartphone please contact Research Computing Services for assistance.

 Where can I download the Mediaflux Pocket app?

You can download Mediaflux Pocket to your smartphone by visiting the Android Play Store or Apple App Store, or by searching for ‘Mediaflux Pocket’ on your phone’s app store.

Once you have installed the app on your smartphone, please use our ‘Setting up your MFA’ guide to complete MFA enrolment.

 What if I don’t want to download the Mediaflux Pocket app on my smartphone?

I am concerned about my privacy:

  • The Mediaflux Pocket app has passed through the App Store and University vetting processes

  • The University has no access to the app on your phone and cannot view any of the data on your phone, other apps installed, monitor calls or track your location

  • The app does not require you to link it to a particular phone number

I am concerned about using my personal smartphone:

  • The University encourages all staff and students to use their personal device to verify their identity

  • Providing a University-issued device to each user is not possible due to the high cost

  • The security provided by MFA greatly enhances the protection of not just University information but also your personal information

  • The use of MFA is a requirement for ongoing access to University services

I am concerned about the performance impact on my smartphone:

  • The app uses minimal resources on your smartphone and prompts you only when Mediaflux Pocket needs you to verify your current log in

 Why do I have to install yet another MFA app on my phone? Can't I just use Okta to log in to Mediaflux?

Mediaflux is an external product used, but not owned, by the University. The product provider has helped make our Mediaflux use here at UoM much safer by incorporating multifactor authentication into the product for us. But in selecting an optimal tool to facilitate this, the provider has chosen their own new Mediaflux app (Mediaflux Pocket) over any existing MFA tool that the University already uses (such as Okta). While this decision means installing another MFA app on our phones to safely use Mediaflux, the good news is that the provider is further developing their app to include all sorts of useful features for frequent Mediaflux users, so stay tuned for updates!

 Do I need to keep the Mediaflux Pocket app on my smartphone once I have enrolled for MFA?

Yes, you will need the Mediaflux Pocket app to accept MFA authentication push notifications when you log in to Mediaflux. If you have accidentally deleted the app, please contact Research Computing Services for assistance.

 What are the minimum requirements for downloading Mediaflux Pocket to my smartphone?
  • iOS 13.4 or later

  • Android 6.0 or later

Usage

 When and how often will I be prompted by Mediaflux Pocket for MFA?

You will be prompted for MFA the first time you log in from each computer (based on its IP address) within a 24-hour period. Subsequent logins from the same computer, even if they are via a different protocol, will not send a push notification.

If you receive a notification for activity that you don’t recognise, you should contact Research Computing Services immediately.
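
The prompt rule described in this answer, modelled as an added example (not Mediaflux or University code). It assumes the 24-hour period is a rolling window that starts when a prompt is sent and is tracked per account and source IP address; the account name, IP addresses and event list are constructed.

```python
from datetime import datetime, timedelta

# Assumption: a rolling 24-hour window, not a calendar day.
WINDOW = timedelta(hours=24)


def logins_that_prompt(events):
    """Return the logins that would send an MFA push notification.

    events: (timestamp, account, source_ip, protocol) tuples sorted by time.
    Assumed model: once a prompt is sent for (account, source_ip), later
    logins from that pair, over any protocol, are covered for 24 hours.
    """
    last_prompt = {}  # (account, source_ip) -> time the last prompt was sent
    prompted = []
    for ts, account, ip, proto in events:
        key = (account, ip)
        seen = last_prompt.get(key)
        if seen is None or ts - seen >= WINDOW:
            last_prompt[key] = ts
            prompted.append((ts, account, ip, proto))
    return prompted


def _t(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed sample: one account, documentation-range IP addresses.
SAMPLE = [
    (_t("2024-09-02 09:00"), "unimelb:jsmith", "192.0.2.10", "https"),   # first login
    (_t("2024-09-02 09:05"), "unimelb:jsmith", "192.0.2.10", "smb"),     # same IP, other protocol
    (_t("2024-09-02 14:30"), "unimelb:jsmith", "192.0.2.10", "smb"),     # mount re-authenticates
    (_t("2024-09-02 15:00"), "unimelb:jsmith", "198.51.100.7", "sftp"),  # another computer
    (_t("2024-09-03 09:30"), "unimelb:jsmith", "192.0.2.10", "smb"),     # more than 24 hours later
]

if __name__ == "__main__":
    for ts, account, ip, proto in logins_that_prompt(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M}  {account}  {ip}  {proto}  -> push sent")
```

Under this model the list returned is exactly the set of notifications you should expect on your phone; a push that does not match one of your own logins is the kind of activity to report.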

 What happens if I get a new smartphone?

When you get a new smartphone, you will need to unenrol from your old phone (see our unenrolling guide) and enrol with your new phone (see our enrolling guide). If you require assistance with this process please contact Research Computing Services.

 What happens if I lose my smartphone?

If you lose your smartphone, we can temporarily disable MFA for you, and we can also assist you with enrolling your new phone once you have a replacement. Please contact Research Computing Services for assistance.

 Can I get temporary exclusion from Multifactor Authentication?

Yes, we can temporarily disable your MFA if you encounter issues such as losing your phone, not being able to bring your phone into certain workspaces, and so on. Contact Research Computing Services for assistance.

 I think my University account may have been compromised. What should I do?

If you encounter suspicious activity on your University account, please immediately contact the Service Centre (Staff) or 13MELB (Students) for assistance.

 Where can I get support for my MFA questions and issues?

Please contact Research Computing Services with any Mediaflux Pocket MFA queries or issues.

Contact RCS (Research Computing Services)
