On October 10, 2022, U of T announced that University of Toronto multi-factor authentication (UTORMFA) will be mandatory for all graduate and undergraduate students effective by the new year. 

In an email to The Varsity, Isaac Straley, chief information security officer at U of T, wrote that “students will continue to be invited to self-enroll into MFA until the end of December 2022.” He explained that students who do not self-enroll “will be automatically enrolled in MFA during the months of January and February 2023.” 

MFA was introduced to U of T in October of 2020, but the decision to make MFA compulsory comes as students have been met with increased phishing efforts over the last year. Several online services are also adopting MFA, such as social media sites and banks. 

MFA, also called two-step or two-factor verification, adds an additional layer of security to traditional log-in practices by requiring a ‘second factor’ — the first factor being your username and password — to verify the identity of the person logging in. 

This second factor can be one of a range of things, such as a fingerprint, a code received via text or phone call, or a verification app.“[MFA] is the best control to stop fraud and identity theft,” said Straley. 

U of T currently uses DUO mobile as the mobile verification app for UTORMFA. When attempting to log into a U of T service, such as Quercus or ACORN, those who are enrolled in MFA will receive a notification on the DUO mobile app to confirm their identity when logging in. 

Apple and Android devices both support DUO mobile, which is free of charge on Google Play and the Apple App Store. Students can self enroll online on the Information Security and Enterprise Architecture website, and on a link found on the UTORMFA banner announcement on Quercus. 

Other universities that have incorporated MFA into their logins include UOttawa, Laurentian University, York University, and Waterloo University. 

If a student is a victim of a phishing scam, the MFA is activated and sends a prompt through email or the app to the student to confirm their identity, providing another layer of defense.

As of November 4, approximately 25 per cent of the student body had self enrolled. While students continue to sign up daily, Straley added that the measure is not foolproof and said that students should remain vigilant to avoid falling for phishing scams. 

A spokesperson from U of T explained that students can report phishing scams they have received “by using the ‘report message’ function in the Office 365/UTMail+ inbox or by contacting [email protected].” 

As well, students who are victims of scams should contact their bank and credit card company, in addition to Campus Safety or the Toronto Police.