Cybersecurity @Melbourne

Information and support for University Staff and Students

The things that make the University of Melbourne such an attractive place to study and work also make us a target for cybercrime. Our world-leading research, valuable intellectual property and the many personal and financial details the University holds make both individuals and the institution vulnerable to the impacts of cyberthreats.

Our Approach to Cybersecurity

The University is working to continuously evolve our cybersecurity capabilities to prevent, detect, disrupt and respond to existing and emerging cyberthreats. As a key centre for innovation within our community, the University pushes the boundaries of conventional use of technology but we do so with a focus on protecting our systems and information.

A cybersecure University of Melbourne is one where we’ve reduced our vulnerability to cyberthreats while balancing our need for openness, autonomy and collaboration. A risk-based approach to cybersecurity means we can better meet these needs while still managing our exposure to cybersecurity risk.

Multifactor Authentication (MFA)

Multifactor Authentication (MFA) is an additional security step to verify your identity when you login to key University applications. This extra layer of security protects your user account from unauthorised access.

How Multifactor Authentication works

3 step image demonstrating MFA verification on a mobile device

When you'll be prompted to verify
MFA may prompt you at any time to confirm it’s really you logging in:
- The first time you login to a browser that you have not logged into before
- The first time you access your applications from a device that you have not logged into before
- Any time you login from a country that is different to the country of your last login
Security benefits of MFA
MFA helps protect accounts by adding an additional verification step to confirm the identity of users so that even if a cyber-criminal knows an individual’s password, the added layer will stop them accessing user accounts and key information such as:
- Your name
- Your address
- Bank Details
- Medical Records
- Your work and files

Your MFA options

	Okta Verify app (Primary factor for staff and students)	Google Authenticator app (Recommended backup factor)
What's required?	Okta Verify app downloaded to smartphone or tablet	Google Authenticator app downloaded to smartphone or tablet
How it works	User accepts a push notification sent in the app or User types in a six-digit verification code generated by the app when offline	User types in a six-digit verification code generated by the app
Supports push notifications	Yes	No
Mobile device compatible	Yes - iOS 11.0 compatible device - Android version 6.0+ - Windows Phone version 8.0+	Yes - Android version 2.3.3+ - iOS version 7.0+
Available offline	Yes	Yes
Works with VPN	Yes	Yes
Can be installed on more than one smart device	No The University recommends using Google Authenticator as a backup factor	Yes

Ready to Enrol?

Visit the Enrolling for MFA page using the button below to quickly and easily enrol your smartphone for MFA.

Visit the Enrolling for MFA page

Lightbulb icon prompting users to think ahead when considering MFA

Airplane icon prompting users to enrol in advance of travelling overseas

Smartphone icon prompting users to set up a backup authentication factor

Staff Support

Chat with a Service Centre agent

+61 3 834 40888
(7:30am - 7:30pm weekdays)

Staff Cybersecurity Website

Enrolling for MFA

Here you will find out how to quickly and easily enrol for Multifactor Authentication.

At the University of Melbourne, your online security is important to us. To help protect your information we use multifactor authentication (MFA), which requires both a password and secondary means (factor) to verify your identity, in order to login to University applications. Please refer to the information below to set up multi-factor authentication (MFA) on your smartphone.

Why is Multifactor Authentication important?

Image showing Student, Staff and Academic avatars.

You will need:

Internet access on a web browser.
A compatible smartphone with data connection.
Compatible Smartphone or Tablet Operating Systems
- iOS 11.0 compatible device
- Android version 6.0+
- Windows Phone version 8.0+

Enrol for MFA

MFA Enrolment Quick Reference Guides

For more information on Multifactor Authentication, please select any of the previews or links below to download a useful visual step-by-step guide:

Getting Started with MFA	How to Enrol for MFA	How to Login after Enrolment	How to Reset your Okta Enrolment
How to Setup Google Authenticator	How to use MFA Overseas	How to Login to Microsoft Apps	How to Enrol for MFA in China

MFA Enrolment Video Guides

Apple Devices

Android Devices

First Time Log In

MFA Support

Have a question or need help?

Visit the MFA Support & FAQ page for frequently asked questions and additional support:

Visit the MFA Support & FAQ page

Lightbulb icon prompting users to think ahead when considering MFA

Airplane icon prompting users to enrol in advance of travelling overseas

Smartphone icon prompting users to set up a backup authentication factor

Staff Support

Chat with a Service Centre agent

+61 3 834 40888
(7:30am - 7:30pm weekdays)

Staff Cybersecurity Website

MFA Support & FAQ

Here you will find frequently asked questions and advice for configuring and managing Multifactor Authentication for your user profile.

Enrolling for MFA - Frequently Asked Questions

Where can I download the Okta Verify app?

You can download Okta Verify to your smartphone by visiting the Google store (Android), Apple store (iPhone) and the Microsoft store (Windows).
Once you have installed the app on your smartphone, please watch our device enrolment video guides or visit the Enrolling for MFA page to complete MFA enrolment.
My smartphone can’t run the Okta Verify app.

If you do not own a compatible smartphone, please contact the Service Centre (Staff) for assistance.
I don’t have a smartphone.

If you do not own a smartphone, please contact the Service Centre (Staff) for assistance.
I don’t want to download the Okta Verify app on my smartphone.
I am concerned about my privacy:
- The Okta Verify App is a third-party application supplied by Okta, our technology partner that is assisting the University to implement MFA at the University of Melbourne.
- The app has passed through the App Store vetting processes to be available for download
- The University has no access to the app on your phone and cannot view any of the data on your phone, other apps installed, monitor calls or track your location
- The app requires internet for push notifications but can also operate offline via the rolling 6-digit code that updates every 30 seconds
- The app does not require you to link it to a particular phone number
- You can use Google Authenticator as an alternative if you continue to have concerns
I am concerned about using my personal smartphone:
- The University encourages all staff and students to use their personal device for this purpose
- Providing a University-issued device to each user is not possible due to the high cost
- Individual requests for a device will continue to be managed through standard University delegations and procurement processes
- The security provided by MFA greatly enhances the protection of not just University information but also your personal information
- The use of MFA is a requirement for ongoing access to University services
I am concerned about the performance impact on my smartphone:
- The app uses minimal resources on your phone
- The app prompts you only when Okta needs you to verify your current log in through the app
- The app can operate offline via the rolling 6-digit code that updates every 30 seconds, this option uses no internet data
- You can use Google Authenticator as an alternative if you continue to have concerns
The University encourages all staff and students to use their mobile phone for MFA. The security provided by MFA enhances the protection of both your University and personal information.
My location blocks access to the Google Play store. What should I do?
You can manually download and install Okta Verify on your Android smartphone by following these steps:
1. On your preferred web browser, go to sso.unimelb.edu.au and login with your University username and password.
2. Select the Setup button for Okta Verify in the 'Setup Multifactor Authentication' area. Then select your device type.
3. Manually download and install Okta Verify to your smartphone.
  Download link: go.unimelb.edu.au/aw9r
4. On the Setup Okta Verify screen on your web browser, select the 'Can't Scan?' option. Then, from the dropdown menu, select 'Setup manually without push notification'.
5. Open the Okta Verify application on your Android device and select Add Account. Then select the 'No Barcode?' option at the bottom of the screen.
6. Enter your username and the Secret Key displayed on your web browser. Then select Add Account.
7. Select Next on your web browser, then enter the 6-digit code associated with your University account displayed on the Okta Verify application on your Android mobile device. Then select Verify.
8. Congratulations! Your account is now registered with Okta Verify. You can now authenticate via the 6-digit codes generated on the Okta Verify application on your Android smartphone.
Can I use Okta Verify on more than one device?

Okta Verify app can only be enroled on one device, however The University recommends using Google Authenticator as a backup authentication factor.
Google Authenticator can be installed on multiple devices.
What are the minimum requirements for installing Okta Verify on my smartphone?
Check that your smartphone meets the following requirements:
- iOS 11.0 compatible device
- Android version 6.0+
- Windows Phone version 8.0+
If you continue to have difficulties, please contact the Service Centre (Staff) for assistance.
I can’t find Okta Verify in my app store.
Please check your smartphone compatibility and ensure your device operating system is up to date:
- iOS 11.0 compatible device
- Android version 6.0+
- Windows Phone version 8.0+
Direct links to app stores: Google store (Android), Apple store (iPhone), Microsoft store (Windows).
If you continue to have difficulties, please contact the Service Centre for assistance.
When will I be prompted by Okta Verify?
Whenever you log into a new device, you’ll receive a prompt notification from your Okta Verify app to ensure it really is you logging in. If you receive a notification for activity that you don’t recognise, you should contact the Service Centre immediately.
You could be prompted to verify at different times, so make sure you keep your mobile with you.
Some examples of when you’ll need to authenticate:
- The first time you login from a browser that you have not logged into before
- The first time you access your applications from a computer that you have not logged into before
- Any time you login from a country that is different to the country of your last login
How can I authenticate using Okta Verify?
- Push Notification –You will be required to verify your identity by accepting ‘Yes, it’s me’ prompt on your smartphone.
- 6 digit code (Offline mode) – Alternatively, you have an option to enter the 6 digit code to verify your identity.
If you require any further assistance, please contact the Service Centre.
What can I expect from the Okta Verify App?
A lightweight and secure application
The Okta Verify app is a lightweight application used to confirm a user’s identity when signing into a key University of Melbourne application. The app is developed by Okta, the University of Melbourne’s technology partner for multifactor authentication (MFA).
Okta Verify provides an additional security step to verify your identity when you login to key University applications. This extra layer of security protects your user account from unauthorised access.
Setting up Okta Verify
The Okta Verify app needs to be downloaded and set up on a compatible smartphone by following a guided process. Once the setup process has completed, the Okta Verify app will display a rolling 6-digit code on your smartphone. At this point you can simply close the app. The use of this code is explained in the next section. You will also receive two emails from Okta confirming your successful enrolment.
Two ways to verify your identity
1. Push Notification: When prompted to verify, simply select ‘Yes, it’s me’ on your enrolled smartphone. This requires internet access.
2. 6-digit code: Sign into a University application in the normal way and select the ‘or enter code’ option on the Okta Verify prompt screen. Now, open the Okta Verify app on your enrolled device and type the 6-digit code provided into the Okta prompt screen on your web browser, then select ‘Verify’.
The 6-digit code is generated using the industry standard Time-Based One-Time Password Algorithm and is used to authenticate when internet access is unavailable.
Privacy
Okta Verify has passed all required vetting both by the App Store and the University. Okta Verify does not store any personal information – it only requires permission to use your device camera to scan a QR code to register your device with Okta.
For more information, please read the Privacy Collection Notice.

Using MFA - Frequently Asked Questions

Why is MFA required?

Students
Criminals could steal personal information such as passwords, bank details and date of birth. They could also conduct malicious activities, like unenrolling students from courses and stealing money from bank accounts.
MFA helps keep your personal information and identity protected.
Staff
Professional staff are often targeted by phishing campaigns in order to obtain user credentials for accessing applications that contain sensitive University and Staff information.
MFA helps to protect staff and University data from phishing campaigns.
Academics
Our research and intellectual property is extremely valuable and cyber criminals have an active interest in stealing or disrupting that research.
MFA helps to protect academics and the important work that they do.
Can I use Google Authenticator instead?

Yes, however we recommend that you use Okta Verify as your primary authentication factor as you will receive push notifications when verifying your identity.
Once you have enrolled with the Okta Verify app, Google Authenticator will become available to configure as a recommended backup authentication factor.
If you wish to use Google as a primary multifactor authenticator, please contact the Service Centre (Staff) for assistance.
What happens if I delete Okta Verify from my smartphone?

You can use your backup factor, such as Google Authenticator, to enable you to log back in and reset Okta Verify.
If you do not have a backup factor, please contact the Service Centre (Staff) for assistance.
What happens if I get a new smartphone?
You can transfer multifactor authentication from your previous smartphone to a new one.
You will need:
- Your old smartphone
- Your new smartphone
- A computer
1. On the web browser of your computer, go to sso.unimelb.edu.au, enter your login credentials and click on the 'Send Push' button.
2. You will receive a push notification from Okta on your old smartphone. Select ‘Yes, it’s me’ on your old smartphone to verify your identity.
3. Once logged in to your account, select the dropdown menu for your account username (located top-right), and select ‘Settings’.
4. Under the ‘Extra Verification’ section, select the ‘Remove’ button adjacent to ‘Okta Verify’. You’ll then be asked if you want to revoke your existing Okta Verify token. Click ‘Yes’ to continue.
5. You can now follow the steps provided in the How to Enrol for MFA guide to enrol your new smartphone.
How do I avoid being prompted by MFA when logging in from home?

When logging in from a new device or from home, on the Okta Verify user login screen, tick ‘Do not challenge me on this device for the next 90 days’.
Can I get temporary exclusion from Multifactor Authentication?

Multifactor Authentication is required for every University of Melbourne staff member and student.
Temporary exclusion from Multifactor Authentication can only be granted if you temporarily do not have access to your enrolled device and cannot access University applications.
To request temporary exclusion from Multifactor Authentication, please contact the Service Centre (Staff).
Okta push notifications and verification codes aren’t working for me?
The most common reason for Okta push notifications and verification codes failing is a mismatch of the time and date settings on your phone and actual location. Please make sure the time and date settings on your enrolled device match those of your current location.

If you are using an Android mobile device, please enable the 'Automatic date and time update' feature in your Settings.
On your enrolled device, you can also check the following:
- Push Notifications have been enabled in the Okta Verify app
- Your device operating system is up to date and meets the minimum requirements to support Okta Verify
Please check the above and try again.
For further assistance, please contact the Service Centre (Staff).
How do I reset my Multifactor Authentication factor(s)?

If you have access to your enrolled device and need to reset your Okta enrolment, please follow the steps provided in the How to Reset Your Okta Enrolment guide.
The University recommends using Google Authenticator as a backup factor.
If Okta Verify has been deleted and you are unable to reset your factor manually, please visit sso.unimelb.edu.au and authenticate via your backup factor.
If you have trouble resetting any factor, please contact the Service Centre (Staff) for assistance.
I currently don’t have access to my enrolled factor. What should I do?

If you do not have access to your enrolled device and cannot access University applications, please contact the Service Centre (Staff) for assistance.
What if I can’t have my enrolled device with me?

If you work or study in a restricted environment where mobile devices are not allowed, such as University physical containment rooms or science labs, please contact the Service Centre (Staff) for assistance.
I think my University account may have been compromised. What should I do?

If you encounter suspicious activity on your University account, please immediately contact the Service Centre (Staff) for assistance:
Service Centre - Staff
+61 834 40888
(7:30am - 7:30pm weekdays)
I can’t access University mailbox on my iPhone native mail Application. What should I do?

To access emails on your enrolled iOS 10 or lower device, please go to https://outlook.office.com/mail/inbox on your preferred mobile web browser such as Safari or Chrome or upgrade your device to a newer model that is supported by Apple
To access emails on your enrolled iOS 11 or iOS 12 device, please delete and re-add your email account on your phone (steps provided in the Changes to Office 365 app use on Apple Devices guide) or go to https://outlook.office.com/mail/inbox on your preferred mobile web browser such as Safari or Chrome.
For further assistance, please contact the Service Centre (Staff).

International MFA Access - Frequently Asked Questions

I will be travelling overseas soon. What should I do before I leave?

Please pre-enrol your device on Okta Verify before travelling to avoid University of Melbourne application access issues.
You will be prompted to verify while overseas, so please keep your device handy at all times to avoid delays.
Can I use Okta Verify without international data / roaming data?

Yes. You can still verify your identity via access code-based authentication with the Okta Verify app.
If you have internet access on your phone, including through Wi-Fi, you’ll continue to receive Okta push notifications as normal.
Do I need a SIM card with mobile data?

You only need internet access on your smartphone to receive Okta push notifications.
If you have mobile data, Okta will use your data for push notifications. If not, you can use the access-code based authentication.
Please pre-enrol your device on Okta Verify before travelling to avoid University of Melbourne application access issues.
Can I enrol from overseas?
Yes. Simply follow the normal enrolment process and scan the Okta QR code on your smartphone when presented.
When enrolling from other countries:
- Ensure that your mobile device has internet access
- If enrolling with a laptop or desktop device, scan the QR code as usual
If enrolling directly with a mobile device (without a laptop or desktop), you will have the following options:
- Send activation link via SMS
- Send activation link via email
- Setup manually without push notification
The University recommends that you use the "Send activation link via email".
SMS links may not be delivered or may result in roaming fees (depending on your mobile plan).
Setting up manually is not recommended - you will need to enrol again to start receiving push notifications.
How do I setup MFA from China?
Due to the restrictions on Google services in China, you won't be able to download and install applications such as Okta Verify or Google Authenticator from the Google Play Store on Android devices.
You can manually download and install Okta Verify on your Android smartphone by following these steps:
1. On your preferred web browser, go to sso.unimelb.edu.au and login with your University username and password.
2. Select the Setup button for Okta Verify in the 'Setup Multifactor Authentication' area. Then select your device type.
3. Manually download and install Okta Verify to your smartphone.
  Download link: go.unimelb.edu.au/aw9r
4. On the Setup Okta Verify screen on your web browser, select the 'Can't Scan?' option. Then, from the dropdown menu, select 'Setup manually without push notification'.
5. Open the Okta Verify application on your Android device and select Add Account. Then select the 'No Barcode?' option at the bottom of the screen.
6. Enter your username and the Secret Key displayed on your web browser. Then select Add Account.
7. Select Next on your web browser, then enter the 6-digit code associated with your University account displayed on the Okta Verify application on your Android mobile device. Then select Verify.
8. Congratulations! Your account is now registered with Okta Verify. You can now authenticate via the 6-digit codes generated on the Okta Verify application on your Android smartphone.

Lightbulb icon prompting users to think ahead when considering MFA

Airplane icon prompting users to enrol in advance of travelling overseas

Smartphone icon prompting users to set up a backup authentication factor

Staff Support

Chat with a Service Centre agent

+61 3 834 40888
(7:30am - 7:30pm weekdays)

Staff Cybersecurity Website

Privacy Collection Notice

The collection of personal information by the University of Melbourne (University) is governed by the Privacy and Data Protection Act 2014 (Vic) and Health Records Act 2001 (Vic) (together, Privacy Laws). The University is also considered to be a data controller for the purposes of the EU General Data Protection Regulation 2016/679 (GDPR)regarding the collection of personal information from individuals located in the EU, when conducting certain activities. The University is committed to protecting your privacy and processing your personal information fairly and lawfully in compliance with the Privacy Laws and the GDPR, as applicable.

The information you provide will be collected by the University for the legitimate interest of administering your University IT access. The University is using third-party service provider, Okta, to assist in administering multi-factor authentication. Okta has established a privacy policy to help users understand how Okta collects and uses personal information. Please refer to Okta’s Privacy Policy for details: https://www.okta.com/privacy-policy/.

The information may also be used by the University or Okta for analysis, quality assurance and planning purposes. We may be unable to provide you with IT access if you do not provide the personal information requested. The provision of your biometric data is voluntary and based on your consent.

The information you provide will be used by authorised staff for the purpose for which it was collected. It will not be transferred outside Australia unless to an entity operating under substantially similar privacy obligations. We will not disclose your personal information to anybody else without your consent, unless we are authorised or required to do so by law. We take all reasonable steps to ensure that the information we hold is accurate and complete, and that appropriate technical and organisational security measures are in place and maintained to protect personal information that is transmitted, stored or otherwise processed, from accidental or unlawful destruction, misuse, loss, alteration, unauthorised access or disclosure.

We will only retain your personal information for as long as required for the purpose for which it was collected and in accordance with our legislative obligations. This information will then be securely destroyed in accordance with the University’s retention and disposal authority.

You may also request access to, or correction of your personal information held by the University, or exercise data subject rights under the GDPR or withdrawal of your consent if applicable. To do so, students may contact 13 MELB (13 6352) or Staff can log a request with Staff Services https://unimelb.service-now.com/sp.

For further information about how the University manages personal information, to make an enquiry or complaint, or for contact details of the University’s Privacy and Data Protection Officer, please view the University’s Privacy Policy, visit our Privacy Webpage, or contact the University’s Privacy Office at privacy-officer@unimelb.edu.au.

For students, any issues regarding system access or queries prior to completing online forms should be directed to 13 MELB (13 6352) or Stop 1 https://students.unimelb.edu.au/stop1.

For staff, any issues regarding system access should be directed to the University of Melbourne Service Centre on (03) 8344 0888. If you have any queries about this application prior to completing your online form please contact your supervisor or their nominated administrator.

Reporting of Cybersecurity Issues

Currently the University of Melbourne has no formal Bug Bounty program, however we appreciate the responsible reporting of cybersecurity issues to us for investigation.

The University of Melbourne would like to acknowledge the following security researchers for responsible reporting of vulnerabilities that have helped keep our networks and systems secure.

Security Researcher
Pranav Gajjar
Vraj Shah

Report a Cybersecurity issue

Please report any cybersecurity issues directly to the Cybersecurity team:

it-security@unimelb.edu.au

Our Approach to Cybersecurity

Multifactor Authentication (MFA)

How Multifactor Authentication works

Your MFA options

Ready to Enrol?

Staff Support

Enrolling for MFA

Why is Multifactor Authentication important?

You will need:

Compatible Smartphone or Tablet Operating Systems

MFA Enrolment Quick Reference Guides

MFA Enrolment Video Guides

Apple Devices

Android Devices

First Time Log In

MFA Support

Staff Support

MFA Support & FAQ

Enrolling for MFA - Frequently Asked Questions

I am concerned about my privacy:

I am concerned about using my personal smartphone:

I am concerned about the performance impact on my smartphone:

Using MFA - Frequently Asked Questions

Students

Staff

Academics

Service Centre - Staff

International MFA Access - Frequently Asked Questions

Staff Support

Privacy Collection Notice

Reporting of Cybersecurity Issues

Report a Cybersecurity issue