
Mfa Faqs


ictc.kfupm.edu.sa

Multi-factor authentication (MFA) FAQs

©ICTC ,King Fahd University of Petroleum & Minerals. All Rights Reserved.
FAQs
Contents
1. What is One Time PIN (OTP)?
2. What is multi-factor authentication (MFA)?
3. What will happen to Google Authenticator?
4. What is PINpass OTP?
5. What is PINgrid OTP?
7. How to set up (MFA) initially?
8. Do we have to set up (MFA) every time?
9. Where will (MFA) be used?
10. Is it mandatory to use (MFA) for KFUPM services?
11. How to add user devices for (MFA)?
12. Which devices can be used for Authlogics Authenticator?
13. Can a user enroll multiple devices for (MFA)?
14. How often do we have to re-authenticate?
15. I have lost my (MFA) registered device, what should I do?
16. How to remove a device from MFA Self-Service portal?
17. How long do the PINpass and PINgrid OTPs last?
18. How many colors in PINgrid pattern should I choose?
19. Which patterns are not acceptable in PINgrid Token?
20. Do I need to set up Authlogics Authenticator Application on the devices from where I’m accessing KFUPM services?
21. What types of attacks does (MFA) prevent?
22. Can I add same device to more than one account?
23. How to change/replace the device?
24. I uninstalled and reinstalled Authlogics Authenticator app and since then I am not able to logon to MFA Self-Service portal or to my E-mail.

1. What is One Time PIN (OTP)?

A One Time PIN (OTP) is typically a short sequence of numbers, similar to a PIN. However,
you don't have to remember anything, and the numbers change every time you use it.

2. What is multi-factor authentication (MFA)?

(MFA) is quite simple, and organizations are focusing more than ever on creating a smooth
user experience for Authentication. In fact, you probably already use it in some form. For
example, you’ve used (MFA) if you’ve:

• Swiped your bank card at the ATM and then entered your PIN (Personal ID Number).
• Logged into a website that sent a numeric code to your phone, which you then
entered to gain access to your account.

(MFA), sometimes referred to as two-factor authentication or 2FA, is a security
enhancement that allows you to present two pieces of evidence – your credentials –
when logging in to an account. Your credentials fall into any of these three categories:
something you know (like a password or PIN), something you have (like a smart card), or
something you are (like your fingerprint). Your credentials must come from two different
categories to enhance security – so entering two different passwords would not be
considered multi-factor.

In KFUPM, MFA will be implemented as 2FA using Authlogics’ PINpass and PINgrid pins.

3. What will happen to Google Authenticator?

Google Authenticator will be replaced by Authlogics (PINgrid / PINpass) technology.

4. What is PINpass OTP?

PINpass One Time Pin (OTP), also called a one-time code, is generated on a separate
device without the cost and complexity of traditional hardware token solutions.
The PINpass OTP can be provided via the free Authlogics Authenticator mobile
application. The PINpass OTP is used as MFA for KFUPM services such as
https://mail.kfupm.edu.sa, https://password.kfupm.edu.sa and https://vpn.kfupm.edu.sa.

5. What is PINgrid OTP?

PINgrid is a simple-to-use but solid authentication technology which uses a secret
user-generated shape or pattern to generate a One-Time Pin (OTP). Your pattern
remains secret but the OTP it generates changes every time you log on.

6. When to use PINpass OTP and When to use PINgrid OTP?

Both can be used interchangeably. Some services like https://mail.kfupm.edu.sa are
easier with PINgrid as the grid pattern is available on the web page itself and the
secondary device to get the OTP is not needed.

7. How to set up (MFA) initially?

a) You should receive an enrollment E-mail containing the login details.
b) Visit the MFA Self-Service portal, i.e. https://mfa.kfupm.edu.sa, to manage your
account and to add your mobile device.
c) Enter your KFUPM credentials to log on for the first time.
d) Download the Authlogics Authenticator application on any supported device and
link it with your account. The application is available on Apple Store, Android
Store, Microsoft Store and Amazon Store.
e) Copy the Device ID from the application’s settings.
f) Go back to Devices in the MFA portal and add the device using the ID.
g) Congrats, you have set up (MFA) once the application is linked.
h) For more detailed steps, please refer to the documents below:
i. How to install Android app and add Android device
ii. How to install iOS app and add iOS device
iii. How to install Windows Store app and add Windows device

For a detailed step-by-step guide, please follow “Multi-factor Authentication (MFA) –
User Guide”.

8. Do we have to set up (MFA) every time?

MFA setup is required in the following conditions:

a) Once it’s enabled for you for the first time.
b) Whenever you change your device.
c) Whenever you want to add a new additional device for MFA.
d) Whenever you re-install the Authlogics Authenticator application on your mobile
device.

9. Where will (MFA) be used?

Initially, it will be used to access web email, i.e. https://mail.kfupm.edu.sa, as well as
https://password.kfupm.edu.sa and https://vpn.kfupm.edu.sa. Subsequently, it will be
applied to all other KFUPM services. The ICTC will keep informing the KFUPM community
as and when services are enabled for (MFA).

10. Is it mandatory to use (MFA) for KFUPM services?

Yes, it is mandatory, as it adds another layer of protection from the kinds of damaging
attacks that cost the university its reputation as well as hamper business communication.

11. How to add user devices for (MFA)?

There are multiple ways you can add your device:

i. How to install Android app and add Android device
ii. How to install iOS app and add iOS device
iii. How to install Windows Store app and add Windows device

For a detailed step-by-step guide, please follow “Multi-factor Authentication (MFA) –
User Guide”.

12. Which devices can be used for Authlogics Authenticator?

Authlogics Authenticator application is available for: Android platform, iOS platform,
and Windows platform.

13. Can a user enroll multiple devices for (MFA)?

Yes, the user can enroll multiple devices for (MFA).

14. How often do we have to re-authenticate?

Every time you need to log in to an MFA-enabled service, OTP authentication is
required.

15. I have lost my (MFA) registered device, what should I do?

You can use a secondary device, if one is added in your MFA Self-Service portal, to log on
to MFA or any other MFA-enabled service, e.g. mail.kfupm.edu.sa.

If you have lost the only device that was added in your MFA Self-Service portal, call
the helpdesk at 3111. Helpdesk personnel will allow you to use your domain
credentials temporarily so that you can on-board a new device in the Self-Service
portal. To do so:
a. Go to https://mfa.kfupm.edu.sa
b. Use domain credentials KFUPM <username>/<password> to sign in to the MFA
Self-Service portal.
c. Add the device as described in the previous question, "How to add user devices
for (MFA)?"

16. How to remove a device from MFA Self-Service portal?
a. Go to https://mfa.kfupm.edu.sa
b. Use domain credentials KFUPM <username>/<password> to sign-in to MFA Self-
Service portal.
c. Go to Devices in the left hand side menu
d. Select the device from the list and click remove

17. How long do the PINpass and PINgrid OTPs last?

Since the PINpass is a One-Time-Password (OTP), it is usable only once, and
it changes every 60 seconds.

18. How many colors in PINgrid pattern should I choose?

At minimum, the pattern must use two colors.

19. Which patterns are not acceptable in PINgrid Token?

The following patterns are not accepted:

1. All consecutive or connected boxes in a single row.
2. All consecutive or connected boxes in a single column.
3. All diagonal boxes.
4. All six boxes are chosen from a single color.
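
The four rejection rules above, written as a checker (an added example, not Authlogics or KFUPM code). The 6 x 6 grid, the layout of six 3 x 2 color blocks and the reading of "all diagonal boxes" as six boxes on one diagonal line are assumptions; only the rules and the six-box pattern length come from this FAQ.

```python
# Added illustration: GRID and color_of() are assumptions, not Authlogics values.
GRID = 6          # assumed 6 x 6 grid
PATTERN_LEN = 6   # the FAQ speaks of "all six boxes"


def color_of(row, col):
    """Assumed layout: six color blocks, each 3 rows high and 2 columns wide."""
    return (row // 3) * 3 + (col // 2)


def _contiguous(values):
    """True when the distinct values form an unbroken run, e.g. 2, 3, 4."""
    distinct = sorted(set(values))
    return distinct[-1] - distinct[0] + 1 == len(distinct)


def rejection_reasons(pattern):
    """Return the FAQ rules a pattern breaks; an empty list means acceptable."""
    cells = list(pattern)
    if len(cells) != PATTERN_LEN:
        raise ValueError("pattern must contain exactly six boxes")
    for row, col in cells:
        if not (0 <= row < GRID and 0 <= col < GRID):
            raise ValueError(f"box {(row, col)} is outside the grid")
    rows = [r for r, _ in cells]
    cols = [c for _, c in cells]
    reasons = []
    if len(set(rows)) == 1 and _contiguous(cols):       # rule 1
        reasons.append("single row")
    if len(set(cols)) == 1 and _contiguous(rows):       # rule 2
        reasons.append("single column")
    on_main = len({r - c for r, c in cells}) == 1       # top-left to bottom-right
    on_anti = len({r + c for r, c in cells}) == 1       # top-right to bottom-left
    if on_main or on_anti:                              # rule 3
        reasons.append("diagonal")
    if len({color_of(r, c) for r, c in cells}) < 2:     # rule 4 / two-color minimum
        reasons.append("single color")
    return reasons


if __name__ == "__main__":
    # Constructed sample patterns, (row, column) with 0-based indices.
    scattered = [(0, 0), (1, 2), (2, 4), (3, 1), (4, 3), (5, 5)]
    top_row = [(0, c) for c in range(6)]
    print(rejection_reasons(scattered), rejection_reasons(top_row))
```
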

20. Do I need to set up Authlogics Authenticator Application on the devices
from where I’m accessing KFUPM services?

Set up the Authlogics Authenticator application only on devices that belong to
you, e.g. your mobile phone, your tablet, your desktop/laptop etc. The second factor
is actually "something you have", so that only you can see your OTP. If you add
someone else's device in your MFA Self-Service portal, you would end up revealing
your OTP to that person and eventually compromise your authenticity.

21. What types of attacks does (MFA) prevent?

(MFA) prevents many attacks, such as man-in-the-middle attacks, sniffing attacks,
shoulder surfing attacks, dictionary attacks, session replay attacks etc.

22. Can I add same device to more than one account?

This is against security practices. We strictly advise against adding one device to more
than one user account. If a device is added to more than one account, it would mean that
those account holders or users share the same second-factor passcode, which is like
sharing the same password!

23. How to change/replace the device?


It’s a two-step process and there are two approaches for it.

Approach # 1:

1. Go to the MFA Self-Service portal and delete the enrolled device's information.
2. Next, uninstall the MFA application from the mobile device.

Now, the user will be able to log in to the MFA Self-Service portal with his KFUPM AD
credentials and then add the new device easily.

Approach # 2:

1. Install the Authlogics app on the new device and then add the new device in the MFA
Self-Service portal.
2. Remove the old device from the MFA Self-Service portal.

24. I uninstalled and reinstalled Authlogics Authenticator app and since then I
am not able to logon to MFA Self-Service portal or to my E-mail.

If you have already done this, then call 3111 and ask the support team to add
the new device ID in your MFA Self-Service portal. Note that every installation of
Authlogics Authenticator generates a new device ID. As soon as you uninstalled the
Authlogics application, your device was unlinked from your MFA profile, making
your device unusable for PIN passcodes.

The following are the right steps if you want to uninstall and reinstall the Authlogics
Authenticator application:

1. Logon to MFA Self-service Portal, https://mfa.kfupm.edu.sa

2. Go to Devices.

3. Select the already added device and remove it. Keep the portal signed in.

4. On your Windows PC, uninstall and reinstall the Authlogics Authenticator app.

5. Go back to MFA Self-Service portal.

6. If the session is still signed in, just add the device again. Get the Device ID
(12-digit number) from the newly installed Authlogics app. (NOTE: The Device ID changes
with every new installation.) If, on the other hand, the MFA Self-Service portal session
has ended, type your username in the username box and then click "logon using
Windows credentials". Add the device under Devices. Do not close the MFA
Self-Service portal.

7. Open an incognito browser window and try to sign in to the MFA Self-Service portal with
the PIN generated by the newly installed Authlogics app. If it works, you are good to
go with E-mail access too. You can now close all browsers and resume your work. If
you are unable to sign in to the MFA Self-Service portal with the new PIN, go back to
the already open MFA Self-Service portal and verify the device ID.
