Important message: Make sure you complete your migration to WELCOME to allow you to use the fingerprint or Windows pin methods of MFA. Read here to find out about the WELCOME migration.

The Knowledge Management team together with PMO.6 organized a Knowledge Exchange Hour on the topic of Multi Factor Authentication (MFA). This highly informative session covered the technical aspects of MFA, which MFA options are available, and demonstrated the importance of implementing MFA in PMO's IT systems. 

The Knowledge Hour, which featured guest speaker Panagiotis Poulopoulos from the EU Login team in DIGIT D.3, was attended by an audience of approx. 200 people from across the PMO. It was clear that this was a highly anticipated topic for the Knowledge Hour series which proved to pique the interest of the PMO colleagues who are required to use MFA to complete their daily work.

The opening check-in with the audience demonstrated that the majority of our PMO colleagues are familiar with using the EU Login Mobile App with a pin or QR code as their main option for MFA.

The presentation began with an explanation from Panagiotis on the IT security framework which lays down the rules and principles for applying MFA in IT systems across the Commission. He highlighted that this is mandatory for IT systems handling sensitive non-classified information (SNC). He continued by illustrating that in practice when logging into an account, MFA is the combination of what the user already knows (the password) plus an additional factor of authentication of something the user has (e.g mobile app, security token). The audience then got to see the different options available to use which include SMS, EU Login app, Security Token, Trusted Platform, hardware token or eID. He concluded the presentation by illustrating the benefits and challenges of applying MFA across the Commission.

The burning questions 

The session was highly engaging with a lot of activity from the audience during the QnA. The following presents an overview of the main conclusions that arose: 

• A poll conducted during the session required the audience to identify what MFA protects against. Khiem Dao PMO.6, responsible for IT Security, shared insights on the correct results of this poll, indicating that MFA acts as a security measure to protect against malicious attacks from hackers and to prevent password leakages outside the EC.
• There is a strong recommendation from DIGIT that if you are used to using the same second factor to authenticate when accessing PMO IT systems, such as the EU Login mobile app, it is best practice to have a back-up factor configured in case you misplace your phone. 
• During an intervention from Osvaldo Mattana PMO.6, he encouraged those that are in the WELCOME domain to use their laptop to authenticate with their fingerprint or Windows pin. This is because EC laptops currently in the WELCOME domain have the possibility to be used as trusted platform in the context of MFA, allowing it to be used as another factor to authenticate your accounts. You can set up your fingerprint or Windows pin by clicking the Windows button on your keyboard, go to settings and search for ‘sign-in options’.

• For colleagues who are not in WELCOME yet, such as the teams present in ISPRA, and for those who do not wish to use their phones to authenticate, the next most secure option is to authenticate with the eID card.
• Both the eID and the Windows pin or fingerprint must also be added to your EU Login account. To do so login into EU Login here and click on your name in the top right corner. From the menu, choose ‘My account’. On the screen you will find options to ‘Manage my Security Keys and Trusted Platforms’ (here you can add your Windows pin or fingerprint to use for authentication) and ‘Manage my eIDs’ where you can add the eID you would like to use. Once you have added these to your EU Login account, you will be able to choose them from the list when you need to authenticate the next time you log in.

• Another important feature of MFA is ‘adaptive authentication’. This improves your user experience by ensuring that you only need to authenticate once to multiple systems based on your working style and location. Laurent Cassuto PMO.6 confirmed that this is an extremely useful feature. When he switches between JIRA and JSIS Online, his EU Login only requires that he authenticate once as it has adapted to his working habits of using both systems.

What can you do now to ensure you have the most secure methods of authenticating your Commission accounts?  

1. Firstly, if you have the possibility, ensure that you migrate to WELCOME. This will allow you to use your Commission laptop as a factor of authenticating. Follow the steps in our article here to complete the migration and consult the FAQs. 
2. Read this guide and watch this video which explains in detail each method of authenticating and how to set them up. 
3. If you are facing issues with MFA, make sure to contact My IT Support by filling in a form online or calling 77777 (Ispra 9774). 

Stay tuned! 

PMO.6 is there for you! In the coming weeks, a dedicated online space will be created which gathers all the information you need to guide you through the best method of authentication that meets your needs. There will also be a dedicated, hands-on course organised where you will have the opportunity to see step-by-step how to set up the different methods and to discuss any specific issue you are facing with MFA with a colleague from PMO.6. 

In conclusion, the importance of protecting the personal data and IT systems managed by the PMO was evidently shown during the session with the implementation of MFA as a crucial step in achieving this goal. You can find the links to the recording, slides and the polls below!  

Thank you for learning with us! If you have a topic to propose for Knowledge Hour, submit it here. 

Knowledge Hour MFA recording 

MFA Presentation 

MFA Poll results