Frequently Asked Questions

How is a student onboarded to use the MFA?

For the student, no onboarding is required. Once the MFA has been set up on the tenant and the card has been delivered, the student simply uses it.

How does an IT admin onboard a new student?

The MFA is set up once on the Entra ID tenant. Any user who is a member of the MFA security group can use the Grid card MFA service, so a new student is onboarded by adding them to that group.

Is it safe to use a 10x5 Grid Card?

A 10x5 card holds 50 codes, and the cell a student has to answer is chosen at random on every authentication attempt, so an attacker who does not hold the card has to guess the code of an unpredictable cell within the three attempts a session allows. The odds of such a guess depend on the code length and the attempt limit rather than on the card size; a larger card mainly means that each authentication reveals a smaller fraction of the card. 10x10 is the maximum card size.

Can I use different code lengths, columns, and rows per student?

Yes. Card dimensions and code length are configured per student, so each student can have a uniquely sized card with its own code length, which allows the card to be adapted to individual needs.

How long does it take to generate codes for 20000 students?

Generating 10x5 cards for 20000 students, with every code hashed using PBKDF2-SHA512, takes about 3.5 hours. Generation runs in batches of 100 students, and one batch takes about 60 seconds.

How should the code cards be distributed?

Code cards should be distributed through a reliable non-electronic channel, such as a trustworthy postal service, so that the codes never travel over email or another channel a remote attacker could read.

What happens when a code card is stolen?

If a code card is stolen, it can be invalidated immediately through the student administration API. Once invalidated, none of the card's codes are accepted any more.

How can I replace an existing code card?

Creating a new code card for a user automatically invalidates that user's existing card, so only one card is ever valid per user.

How are the codes persisted?

The codes themselves are not stored. Each code is persisted as a PBKDF2 hash (Rfc2898DeriveBytes.Pbkdf2 in .NET) using the SHA512 algorithm.

How are authentication attacks prevented?

Attempts are limited to three per session, so an attacker cannot brute-force a code by guessing repeatedly within one session.
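The following worked example is added here to make the mechanics described in several of the answers above concrete: random cell selection and the odds of a blind guess, per-student card sizes, invalidation and automatic replacement, PBKDF2-SHA512 storage of the codes, and the three-attempt limit per session. It is illustrative Python written for this page, not the product's own code. The alphabet of the printed codes, the PBKDF2 iteration count, the 16-byte per-cell salt, and the "column letter, row number" cell labels are assumptions the FAQ does not specify; hashlib.pbkdf2_hmac plays the role of Rfc2898DeriveBytes.Pbkdf2.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass

# Assumed for this illustration (the FAQ fixes none of these): the alphabet of the
# printed codes, the PBKDF2 iteration count, and a 16-byte random salt per cell.
ALPHABET = string.ascii_uppercase + string.digits
DEFAULT_ITERATIONS = 200_000
MAX_ATTEMPTS_PER_SESSION = 3   # FAQ: three attempts per session
MAX_ROWS = MAX_COLS = 10       # FAQ: 10x10 is the largest card

@dataclass
class StoredCard:
    """What the server persists: dimensions and PBKDF2-SHA512 digests, never the codes."""
    rows: int
    cols: int
    code_len: int
    iterations: int
    cells: list          # index row*cols + col -> (salt, digest)
    active: bool = True

def hash_code(code: str, salt: bytes, iterations: int) -> bytes:
    # Python equivalent of .NET Rfc2898DeriveBytes.Pbkdf2(..., HashAlgorithmName.SHA512).
    return hashlib.pbkdf2_hmac("sha512", code.encode("utf-8"), salt, iterations)

def cell_label(row: int, col: int) -> str:
    return f"{string.ascii_uppercase[col]}{row + 1}"   # e.g. column B, row 4 -> 'B4'

def generate_card(rows, cols, code_len, iterations=DEFAULT_ITERATIONS):
    """Return (printable, StoredCard). `printable` maps cell labels to plaintext codes and
    exists only to print the card; only the StoredCard is written to the database."""
    if not (1 <= rows <= MAX_ROWS and 1 <= cols <= MAX_COLS):
        raise ValueError("card size must be between 1x1 and 10x10")
    if code_len < 1:
        raise ValueError("code length must be at least 1")
    printable, cells = {}, []
    for r in range(rows):
        for c in range(cols):
            code = "".join(secrets.choice(ALPHABET) for _ in range(code_len))
            salt = secrets.token_bytes(16)
            printable[cell_label(r, c)] = code
            cells.append((salt, hash_code(code, salt, iterations)))
    return printable, StoredCard(rows, cols, code_len, iterations, cells)

class CardStore:
    """One card per user; issuing a replacement invalidates the old card."""
    def __init__(self):
        self._cards = {}

    def issue(self, user, rows, cols, code_len, iterations=DEFAULT_ITERATIONS):
        if user in self._cards:
            self._cards[user].active = False   # replacement implies invalidation
        printable, card = generate_card(rows, cols, code_len, iterations)
        self._cards[user] = card
        return printable, card

    def revoke(self, user):   # what the "stolen card" answer describes
        self._cards[user].active = False

@dataclass
class Session:
    card: StoredCard
    challenge: tuple     # (row, col) the user must answer
    attempts: int = 0

def random_cell(card):
    return (secrets.randbelow(card.rows), secrets.randbelow(card.cols))

def start_session(card):
    if not card.active:
        raise PermissionError("card has been invalidated")
    return Session(card, random_cell(card))

def verify(session, answer):
    """True if `answer` matches the challenged cell. A wrong answer moves the challenge to
    a fresh random cell; after MAX_ATTEMPTS_PER_SESSION failures the session is locked."""
    if session.attempts >= MAX_ATTEMPTS_PER_SESSION:
        raise PermissionError("attempt limit reached; start a new session")
    session.attempts += 1
    r, c = session.challenge
    salt, digest = session.card.cells[r * session.card.cols + c]
    ok = hmac.compare_digest(hash_code(answer.strip().upper(), salt, session.card.iterations), digest)
    if not ok:
        session.challenge = random_cell(session.card)
    return ok

def guess_success_probability(code_len, attempts=MAX_ATTEMPTS_PER_SESSION):
    """Upper bound (union bound) on passing one session by blind guessing without the card."""
    return attempts / len(ALPHABET) ** code_len
```

Two points the code makes visible. First, guess_success_probability depends only on the code length and the attempt limit; the card's dimensions decide how many codes a shoulder-surfer learns per authentication, not how hard a blind guess is. Second, because grid codes are short, the PBKDF2 work factor slows down but cannot rule out offline guessing against a leaked table of digests, so the hashing protects the codes from casual disclosure and has to be combined with strict access control on the store.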

What permissions are used by the external authentication method multi-tenant App registration?

The multi-tenant app registration requests only delegated access to the signed-in user's profile, granted with the user's consent. This covers basic profile information such as the user's name and email address. No other permissions or data access are requested.

How are the certificates used to sign the OpenID Connect server tokens?

The token signing and encryption certificates are created in Azure Key Vault and used directly from it, so the private keys never have to be exported from the vault. The Key Vault is not reachable from the public internet.

Can an OID (representing a user) exist in different tenants?

No. An OID (object ID) identifies a user object within a single tenant; the same person represented in another tenant is a different object with a different OID.

Should a student have the possibility to use other MFA authentication methods as well as the code card MFA server?

It is not recommended to support multiple MFA authentication methods when using the code card MFA. This leads to a confusing user experience in the Microsoft Entra ID sign-in UI.

Are screen readers supported?

Yes, the MFA UI fully supports screen readers and meets the static WCAG requirements.