Frequently Asked Questions
How is a student onboarded to use the MFA?
For the student, no onboarding is required. Once the MFA is set up and the code card delivered, it can be used without any onboarding.
How does an IT admin onboard a new student?
The MFA is set up on the Entra ID tenant. Any user who is a member of the MFA security group can use the code card MFA service.
Is it safe to use a 10x5 code card?
A 10x5 card holds 50 codes, and a different one is randomly selected with every attempt. This makes it unlikely that an attacker can guess the code. 10x10 code cards are the maximum size.
Can I use different code lengths, columns, and rows per student?
Yes, each student can have a uniquely sized card and a different code length. This flexibility allows for customization based on individual needs. Character-set options:
Capital letters and numbers
Lowercase letters and numbers
Capital letters, lowercase letters and numbers
How long does it take to generate codes for 20000 students?
Generating 20000 10x5 code cards hashed with SHA512 takes about 3.5 hours; a batch of 100 takes about 60 seconds.
How should the code cards be distributed?
Code cards should be distributed through a reliable non-electronic method, such as a trustworthy postal service.
What happens when a code card is stolen?
If a code card is stolen, it can be promptly invalidated using the student administration API.
How can I replace an existing code card?
When a new code card is created, the existing code card of the corresponding user is automatically invalidated.
How are the codes persisted?
The codes are not stored in plaintext; each code is persisted as a hash computed with Rfc2898DeriveBytes.Pbkdf2 (PBKDF2) using the SHA512 algorithm.
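The following is an added example, not code from the easyauth.ch project, showing the storage scheme the two answers above describe: a card is generated from one of the three character-set options, every cell's code is persisted only as a PBKDF2-HMAC-SHA512 hash, and each login attempt challenges a freshly chosen random cell. The per-cell salt, the iteration count, the 16-byte salt size and the reset/seed parameters are assumptions for this example; the FAQ names the .NET call Rfc2898DeriveBytes.Pbkdf2, and Python's hashlib.pbkdf2_hmac("sha512", ...) produces the same bytes for the same inputs.

```python
import hashlib
import hmac
import random
import secrets
import string
from typing import Dict, Optional, Tuple

# Assumptions (not stated in the FAQ): one hash per card cell, a random 16-byte salt
# per cell and a fixed iteration count. hashlib.pbkdf2_hmac("sha512", ...) computes the
# same PBKDF2-HMAC-SHA512 output as Rfc2898DeriveBytes.Pbkdf2 with HashAlgorithmName.SHA512.
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 64  # SHA512 output size

# The three character-set options listed in the FAQ.
ALPHABETS = {
    "upper_digits": string.ascii_uppercase + string.digits,
    "lower_digits": string.ascii_lowercase + string.digits,
    "mixed_digits": string.ascii_letters + string.digits,
}
MAX_COLUMNS = MAX_ROWS = 10  # 10x10 is the maximum card size per the FAQ

Cell = Tuple[int, int]


def hash_code(code: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA512 of one cell's code; only this value and the salt are persisted."""
    return hashlib.pbkdf2_hmac("sha512", code.encode("utf-8"), salt, ITERATIONS, DK_LEN)


def generate_card(columns: int, rows: int, code_length: int,
                  alphabet: str = "upper_digits", seed: Optional[int] = None):
    """Return (printed, stored): printed maps (col, row) -> plaintext code for the card
    that is mailed to the student; stored maps (col, row) -> (salt, hash) for the database.
    A seed is only for reproducible offline runs; without it the OS CSPRNG is used."""
    if not (1 <= columns <= MAX_COLUMNS and 1 <= rows <= MAX_ROWS):
        raise ValueError("card size exceeds the 10x10 maximum")
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    chars = ALPHABETS[alphabet]
    printed: Dict[Cell, str] = {}
    stored: Dict[Cell, Tuple[bytes, bytes]] = {}
    for row in range(rows):
        for col in range(columns):
            code = "".join(rng.choice(chars) for _ in range(code_length))
            salt = rng.randbytes(SALT_BYTES)
            printed[(col, row)] = code
            stored[(col, row)] = (salt, hash_code(code, salt))
    return printed, stored


def cell_label(cell: Cell) -> str:
    """Human-readable coordinate shown to the student, e.g. (2, 3) -> "C4"."""
    col, row = cell
    return f"{string.ascii_uppercase[col]}{row + 1}"


def pick_challenge(stored: Dict[Cell, Tuple[bytes, bytes]], seed: Optional[int] = None) -> Cell:
    """Choose the cell the student must answer: a fresh random cell on every attempt."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    return rng.choice(sorted(stored))


def verify_cell(stored: Dict[Cell, Tuple[bytes, bytes]], cell: Cell, submitted: str) -> bool:
    """Re-derive the hash from the submitted code and compare it in constant time."""
    salt, expected = stored[cell]
    return hmac.compare_digest(hash_code(submitted, salt), expected)


if __name__ == "__main__":
    printed, stored = generate_card(10, 5, 4, "upper_digits", seed=1)
    cell = pick_challenge(stored, seed=2)
    print("Enter the code at", cell_label(cell))
    print("correct code accepted:", verify_cell(stored, cell, printed[cell]))
    print("wrong code accepted:", verify_cell(stored, cell, printed[cell] + "x"))
```

The printed dictionary exists only at card-generation time and leaves the system on paper; the database keeps the salt and hash per cell, so a database leak does not reveal the card, and the random challenge cell means an observer of one login learns only that cell.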
How are authentication attacks prevented?
Attempts are limited to three per session to prevent brute-force attacks.
What permissions are used by the external authentication method multi-tenant App registration?
The app registration requests only delegated access to the user's profile data. This means the app can read basic profile information such as the user's name and email address, as authorized by the user. No additional permissions or data access are requested beyond this scope.
How are the certificates used to sign the OpenID Connect server tokens?
The encryption and signing certificates are created and used directly from a secure Azure Key Vault. The Azure Key Vault is not accessible on the internet.
Can an OID (representing a user) exist in different tenants?
No. Each OID can only exist in a single tenant.
Should a student have the possibility to use other MFA authentication methods as well as the code card MFA service?
It is not recommended to support multiple MFA authentication methods if using the code card MFA. This leads to a bad user experience in the Microsoft Entra ID UI.
Are screen readers supported?
Yes, the MFA UI fully supports screen readers and static WCAG standards.
Can I use an on-premises Exchange server with easyauth.ch?
Yes. Exchange Hybrid must be enabled; Hybrid Modern Authentication can then be used. See: How to configure Exchange Server on-premises to use Hybrid Modern Authentication
Can the login dialog be customized more than just the logo and the color?
Yes, simple customization is possible. The following HTML elements can be customized:
Login page title
Login hint
Help link text
Help link target
Show grid card ID (optional, different formats)
Logo image
Default language
Service name
Number of columns and rows (for code cards)
How is the retry logic after 3 failed login attempts implemented? Just in easyauth.ch or also in Entra ID?
After three failed login attempts, the easyauth.ch service is suspended for one minute. After 12 attempts, the user is notified and IT receives an email informing them that the user has had 12 failed login attempts. This approach protects against DDoS attacks without blocking the user from all Entra functions.
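The following is an added example, not code from the easyauth.ch service, that implements the retry rules stated in this answer and in the brute-force answer above: three failed attempts suspend the user for one minute, and the twelfth failure notifies the user and emails IT. The FAQ does not say whether counters are per user, whether a successful login resets them, whether every further block of three failures is suspended again, or whether the notification is sent once; those are assumptions of this example, as are the hook names notify_user and notify_it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Thresholds taken from the FAQ.
SUSPEND_AFTER = 3       # failed attempts before the service is suspended for the user
SUSPEND_SECONDS = 60    # length of the suspension
ALERT_AFTER = 12        # failed attempts that trigger the user notification and the IT e-mail

# Assumptions not stated in the FAQ: counters are kept per user, a successful login
# resets them, every further block of three failures is suspended again, and the
# notification at twelve failures is sent once.


@dataclass
class UserState:
    failures: int = 0
    suspended_until: float = 0.0
    alerted: bool = False


class LoginGuard:
    """Tracks failed code-card attempts and applies the FAQ's suspension and alert rules.
    clock returns seconds; notify_user and notify_it are hooks (e.g. mail senders)."""

    def __init__(self, clock: Callable[[], float],
                 notify_user: Callable[[str], None], notify_it: Callable[[str], None]):
        self.clock = clock
        self.notify_user = notify_user
        self.notify_it = notify_it
        self.users: Dict[str, UserState] = {}

    def attempt(self, user: str, code_ok: bool) -> str:
        """Record one attempt and return 'ok', 'failed' or 'suspended'.
        code_ok is the result of verifying the submitted card cell."""
        state = self.users.setdefault(user, UserState())
        now = self.clock()
        if now < state.suspended_until:
            return "suspended"              # refused without touching the counter
        if code_ok:
            self.users[user] = UserState()  # successful login clears the history
            return "ok"
        state.failures += 1
        if state.failures >= ALERT_AFTER and not state.alerted:
            state.alerted = True
            self.notify_user(f"{user}: {state.failures} failed MFA attempts on your account")
            self.notify_it(f"user {user} has had {state.failures} failed login attempts")
        if state.failures % SUSPEND_AFTER == 0:
            state.suspended_until = now + SUSPEND_SECONDS
            return "suspended"
        return "failed"


class FakeClock:
    """Manually advanced clock so the scenario below runs offline and deterministically."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def run_scenario() -> dict:
    """Constructed scenario: twelve wrong codes in a row, waiting out each suspension."""
    clock = FakeClock()
    user_msgs: List[str] = []
    it_msgs: List[str] = []
    guard = LoginGuard(clock, user_msgs.append, it_msgs.append)
    outcomes: List[str] = []
    refused_while_suspended = 0
    for _ in range(ALERT_AFTER):
        result = guard.attempt("student42", code_ok=False)
        outcomes.append(result)
        if result == "suspended":
            clock.now += 30                          # still inside the minute
            if guard.attempt("student42", code_ok=False) == "suspended":
                refused_while_suspended += 1
            clock.now += SUSPEND_SECONDS             # the minute is over
    return {
        "outcomes": outcomes,
        "refused_while_suspended": refused_while_suspended,
        "failures": guard.users["student42"].failures,
        "user_notified": len(user_msgs),
        "it_notified": len(it_msgs),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Because the suspension is tracked inside the MFA service rather than on the Entra ID account, the student keeps access to everything that does not pass through the code card step, which is the property the answer above describes.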