Multi-Factor Authentication
MUNI Unified Login offers not only password-based authentication, but also more secure authentication through Multi-Factor Authentication (MFA). This feature makes it more difficult for potential attackers to misuse your account, because once activated, you will need to use an additional verification method, such as an authentication code, in addition to your password. In practice, this means that each time you log in from a new device, you must have your registered device at hand to enter the authentication code or confirm the use of a security key.
If you want to set up Multi-Factor Authentication in MUNI Unified Login, read the introductory information on this page and follow the individual guides linked below. You can also read a detailed introduction to Multi-Factor Authentication and phishing.
The Multi-Factor Authentication described on this page only applies to services that use Unified MUNI Login. To enable Multi-Factor Authentication for login to the MU Information System, you must enable it directly in the Information System by following this guide.
How to Set Up Multi-Factor Authentication
1. Set up verification codes authentication.
At Masaryk University, the first necessary step is to set up the TOTP verification codes authentication method. This process also includes generating backup codes to restore access in case all registered devices are lost. We strongly recommend securely storing or printing these codes, as losing them could result in losing access to your account.
2. Select for which services Multi-Factor Authentication should be required.
After the initial setup of Multi-Factor Authentication, it will automatically be required for logging into all IT services under Unified MUNI Login. However, this setting can be adjusted to select which specific services should require it.
3. Optional: add additional verification methods.
Multi-Factor Authentication is now fully set up, but if you wish, you can freely add another verification codes application, verification through security keys, or generate new backup codes. Detailed descriptions of each method can be found below.
Applications for Time-based One-Time Passwords (TOTP)
TOTP applications generate six-digit numeric codes based on the current time, which serve as a second factor in proving access to the authentication device during login. Multi-Factor Authentication (MFA) in Unified MUNI Login requires setting up this method on at least one device.
If you are already using this type of login for other services, you can use your existing application. If you do not have one, you can use, for example, Aegis Authenticator for Android or Raivo OTP for iOS.
Security keys (WebAuthn)
Web Authentication (WebAuthn) is based on the use of a public and private key pair, where the website generates this pair during registration. The public key is stored on the service's server, while the private key is kept in the user's registered device (such as a smartphone or PC).
When logging into the website, the user simply needs to scan a QR code from the website using their registered device and confirm the login on their device. The advantage of logging in via the WebAuthn method is that the generated key pair (public and private) is always valid only for the source website, which eliminates potential phishing problems and duplicated pages requiring a code (from TOTP applications or backup).
Backup codes
Generating a list of backup codes is primarily intended as a backup in case you lose access to your device with timed codes or a security key. It is not intended for regular logins, as all backup codes are single-use, and once depleted, you will not be able to log in.
We strongly recommend securely storing or printing the list of backup codes.
What to Do If You Lose Your Multi-Factor Authentication Device
When Multi-Factor Authentication is first set up, backup codes are generated for cases where access to the authentication device is lost, such as in case of a malfunction or loss of a phone. In such a situation, simply enter one of the backup codes during login and register a new token in the token management interface at mfa.id.muni.cz.
If you do not have any registered device with verification codes, security keys, or backup codes available, contact IT MUNI user support. If you are unable to log in to the service support portal to report the issue, send an email to it@muni.cz with the following information: the UČO you are logging in with; the service you are logging into (web link); the time of the login issue; the error message you received; and the version of your browser and operating system.
Instructions
- How to Initially Set up Multi-Factor Authentication
- Setting up Authentication with Verification Codes (both first and additional apps or devices)
- How to Generate Back up Codes
- Adding a Security Key
- How to Enable (or Disable) MFA for Selected Services
- How to Deactivate MFA
- Which Authentication Methods are Best for me?
Multi-Factor Authentication Settings
Redirects you to the Token Management Interface.
Access Settings for MUNI Services
Follow the instructions linked below on this page.
If you are unable to sign in to the service support portal, send an e-mail to it@muni.cz with the following information:
- which UČO you are signing in with,
- which service you are signing in to (web link),
- time when the problem occurred,
- the error message you received,
- the version of your browser and operating system.