BU implements measures to protect its systems and data, including multi-factor authentication (MFA). This requires users to verify their identity using additional factors besides usernames and passwords. MFA has been implemented across most of the critical systems and external-facing services supported by IT Services .
We require all users (staff and students) to complete MFA registration and the password reset service (SSPR) which involves providing contact details (personal email and phone number) and security question answers. Users can also use the Microsoft Authenticator app by downloading it to their smartphone and entering the code when prompted.
BU recommends using the Authenticator App for a more seamless and efficient user experience.
Why are we doing this?
BU must protect its systems and data from increasing cyber-attacks, which can significantly impact both organisations and individuals. A cyber security breach could lead to personal information loss, user lockouts, and disruption of key operations. In a worst-case scenario, BU could lose access to core systems like Office 365, SITS, and Brightspace for an extended time. Many cyberattacks start with compromised email or system accounts and MFA and password resets are crucial in preventing such breaches.
BU introduced MFA within the organisation following industry and government guidance. MFA is already generally used to manage public access to services such as banking, and therefore widely accepted as an expected level of protection in many sectors. The Information Commissioner expects us to use available security measures, reinforcing that MFA is now a standard practice.
Authentication must by definition use some information which is personal to you or personally accessible only by you. Your provided data will be kept secure and used minimally in line with data protection regulations. Using the authentication app for MFA reduces the amount of personal contact information needed, while ensuring security. BU can provide guidance for staff on how to keep your personal devices secure.
This information is processed by BU to protect its systems and data, as per article 6.1(f) of the GDPR. This interest is not outweighed by the rights of staff and students, who would be negatively affected by a security breach. Alternatively, this processing may be necessary under article 6.1(c) of the GDPR for compliance with BU's legal obligations to ensure data integrity and confidentiality.
How is the personal information held by BU?
Your details will be securely stored in Microsoft 365 and used only for authentication. Access is limited to you (via your BU login) and a few privileged administrators, who will see your contact information but not your security answers. For questions or concerns about providing personal data, contact the BU Data Protection Officer at [email protected].