Craigieburn Primary School

Using Multi-factor Authentication (MFA) when travelling overseas

Before you travel overseas, if you are taking your laptop with the expectation that you will be accessing Department resources, you need to do some planning based on your destination before you leave.

The issue boils down to the following key points:

• You have to use MFA to authenticate prior to making any changes to your MFA settings
• Most methods of MFA for authentication requires access to a mobile phone or landline
• You are only permitted to define a few MFA methods
• You may be travelling to a country where you cannot get a plan for your Australian mobile phone.
• You won't have access to your office phone via Skype when overseas, as you must authenticate using MFA prior to using Skype.
• You won't have access to your home phone number when overseas.

Essentially, this means that on arrival in your overseas destination, you may not be able to authenticate through MFA to gain access to Department resources, if you have not defined methods appropriate for your overseas travel.

This will be the case, even if you purchase a local mobile phone, as you may not be able to set it up as an MFA authentication method as you cannot authenticate, as none of the methods you have defined will work while you are in country.

For example, if you have only set up authentication via text to your Australian mobile, and have not defined any other methods, you will not be able to authenticate by text if you cannot source a mobile network plan for your phone.

This leaves you in a difficult situation, as you cannot use MFA to authenticate, nor can you change your MFA setup as this requires you to authenticate with MFA. In this instance you must call the Service Desk to resolve any MFA authentication issues.

MFA and non-NBN satellite internet service providers

Please note that if you are using a non-NBN satellite internet service provider such as Starlink to access the internet, you are classified as being overseas, even if your physical location is within the Commonwealth of Australia or its territories. Note that you may be unaware if you fall into this category when connecting via a wi-fi service provided at commercial premises such as a hotel, cafe or other business.

Therefore, when using MFA with your Department user id when using a non-NBN satellite internet service provider, you will be subject to all the limitations noted in this article as though you were travelling overseas.

How do I avoid not being able to authenticate when travelling overseas?

Essentially, before you leave, you must make sure that you have set up MFA methods appropriate for your travel plans before you leave Australia.

As a minimum, we recommend doing the following:

• Setting up Microsoft Authenticator as an MFA method on your Australian iPhone, iPad or Android phone before you travel.
• Taking your Australian iPhone, iPad or Android phone with you when travelling overseas.
• Using a verification code generated by Microsoft Authenticator when overseas.

This should allow you to authenticate - providing you have access to the internet - if you are overseas, even if you cannot obtain a mobile plan for your Australian phone in country. The image below shows all the different ways you can authenticate via MFA - providing you have set up all the available methods.

You can find out more about setting up MFA and using Azure AD MFA for authentication by reading the relevant knowledge articles.

Using a verification code to authenticate overseas

If you have installed Microsoft Authenticator on your iPhone, iPad or Android phone and set it up to use with your Department credentials, you can use its ability to generate a 6-digit one time passcode independently of any access to a local mobile phone network or the internet - just like hardware-based tokens like YubiKeys or RSA tokens.

This means that this method of authentication - shown in the image above as use a verification code from my mobile app - will function in any country, regardless of the settings of any national firewalls.

Microsoft Authenticator for Android use in China

Please note that Microsoft Authenticator for Android functionality is reduced when used in the People's Republic of China. For more information, read the Microsoft Support article Authenticator for Android in the public cloud in China.

Additional Information

If you have any questions regarding the content of this knowledge article, please log an Enquiry with the Service Desk, or call:

• Corporate - (03) 9637 3333
• Schools - 1800 641 943

If you have any suggestions as to how to improve this knowledge article, please use the comment section below to give feedback.