
Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is a measure which improves account security over standard password authentication. MFA typically adds a second factor to confirm your identity by using an authenticator app on your mobile device or a compatible hardware device. MFA will help keep your information secure by strengthening defences against malicious cyber-attacks. You may not always be asked for MFA when logging in; however, it will always be in use.

Once you have created your MFA login, you will need to have your registered mobile device with you whenever you need to log into a JCU system, like LearnJCU or your email.

MFA will be mandatory for all from the 1st of September 2022. Please refer to the Student MFA Rollout schedule for specific dates.


About MFA:

Most breaches begin when attackers log in using usernames and passwords they have compromised through phishing attacks, password reuse, password guessing and malware.

MFA reduces the risks associated with compromised passwords by adding an additional layer of security to protect your information. If your password is hacked or phished, MFA makes the stolen password less useful by itself.

When multi-factor authentication has been activated on an account, an authorisation check will be sent to the user any time they attempt to log in from a different device, a new location, or multiple locations. Authorisation checks may also be required after a set time has elapsed, or as the result of a higher risk login.  The authorisation check can come in the form of:

  • a push notification sent to a registered smart phone;
  • a one-time password displayed on the user's phone; or
  • a compatible hardware device (e.g. YubiKey).

Using your existing mobile phone is often the most convenient form of MFA.

  1. Push notification: with the ForgeRock Authenticator app on your mobile phone (iOS or Android)
  2. One Time Password (OTP): e.g. with the Google Authenticator app
  3. Compatible Hardware Device: (cost involved) with a YubiKey

To set up MFA at JCU:

  1. Register your device for MFA:
    • Install the ForgeRock Authenticator app on your mobile phone (iOS or Android) and register for MFA using ForgeRock (download pdf).
    • Install the Google Authenticator on your mobile phone (Android or iPhone/iPad) and follow the steps for your device (Android or iPhone/iPad) to register your mobile phone for MFA.
    • Follow the steps to register your Compatible Hardware Device (YubiKey) for MFA.
  2. When you log in to a JCU system (once MFA-enabled) you will be prompted to register your mobile phone/hardware device for MFA.
  3. Remember to save your Recovery Codes somewhere secure when they are displayed during the registration process. Consider these Recovery Codes as your one-time passwords to log in if you don't have your mobile phone on you. Keep them safe and secure.

More details on how to set yourself up for MFA are available in the Service Now Knowledge Base Article - MFA at JCU.

Common Questions

Answers to common MFA questions:

No. JCU’s MFA uses an adaptive, risk-based approach.  If you use the same computer or device, from the same place, you will be prompted for MFA infrequently (up to 30 days).  If you are moving around between different networks, devices and geographic locations, you’ll be prompted more often.

If you don’t have a mobile device or don't want to use your personal device for MFA, then either:

This hardware token must always be available while working or studying.

If you get a new phone or are changing to a different device, the ForgeRock App is not transferrable. You will need to either:

ForgeRock Push Authentication needs internet connectivity (e.g., mobile data/Wi-Fi). If you are worried about frequent mobile data/Wi-Fi reception issues, we recommend purchasing a YubiKey. If this is a one-off or infrequent issue, you can use the Recovery Codes you saved when setting up MFA, which don't require a second device to confirm MFA.

Please note: you should not be using your recovery codes for regular MFA authentication as you will need to reset your device to generate new codes.

If you leave your phone at home you will need to use one of the recovery codes you received when setting up MFA. Recovery codes are one-time use and should be stored in a Password Safe (e.g. LastPass or Bitwarden) for security.

If you have used all of the one-time Recovery Codes for MFA you will need to reset your MFA preference to generate new codes.

If you are having trouble resetting your MFA please contact the IT HelpDesk.

If you have accidentally deleted your Authenticator App, please contact the IT Help Desk for assistance.

If you are unable to use a phone for authentication, staff can request a YubiKey and students can purchase a YubiKey (Security Key NFC).
If you are a current JCU Student experiencing financial hardship you can apply for a YubiKey provided by JCU using this online form.

A Hardware Device (e.g. a YubiKey) is a small key that plugs into your computer, or connects by NFC to your mobile phone, and, along with your password, is used to authenticate your identity.

If you need a Hardware Device, staff can request a YubiKey and students can purchase a YubiKey (Security Key NFC) from Trust Panda.
If you are a current JCU Student experiencing financial hardship you can apply for a YubiKey provided by JCU using this online form.

If you are unsure of the best option for your circumstances, please contact the IT HelpDesk for advice.

No. None of the MFA methods used by JCU reveal any personal information to JCU. Privacy settings can be managed by the privacy controls on your mobile phone.