Multi-Factor Authentication

Authentication is the process used to verify a person’s identity. In IT systems, this typically involves verifying a user through a username and password entered when logging in to a particular system.

Multi-factor authentication (MFA) is a security process that requires two or more independent factors to verify a user’s identity. In addition to entering a username and password, users must confirm their identity in another way (for example, by entering a one-time code from a mobile app or SMS message, or by using biometric data such as a fingerprint or facial recognition).

Multi-factor authentication may also be referred to by other terms, such as multi-step verification or two-factor authentication (2FA).

Why MFA is important

Improved security: It makes it more difficult for unauthorised individuals to access online user accounts, even if they know the password.
Protection of sensitive data: It reduces the risk of identity theft and data breaches involving information stored in online accounts such as internet banking, email accounts, or social media platforms.

How MFA works

MFA usually combines something the user knows (such as a password or PIN), something the user has (such as a code from a mobile app, SMS message, or hardware key), or something the user is (biometric data). This provides stronger protection against unauthorised access because an attacker would need to obtain two separate authentication factors in order to log in.

First factor (knowledge): The user enters their usual username and password.
Second factor (possession or biometrics): After successfully entering the first factor, the system requests a second verification method. This may include:

- Code from an SMS message or app: A one-time password (OTP) sent to a registered mobile phone or generated in a mobile application (such as Microsoft Authenticator or Google Authenticator).
- Hardware key: A physical USB key, smart card, or similar device connected to a computer for verification.
- Biometric verification: A fingerprint, facial recognition, or another biometric characteristic.

How a one-time OTP code works

An OTP code (One-Time Password) is a temporary security code used to verify a user’s identity for a single login session or transaction. Unlike standard passwords, an OTP code is valid only for a short period of time (typically 30–60 seconds) and can only be used once. After it has been used, it immediately becomes invalid and cannot be reused for another login attempt. This significantly improves security and reduces the risk of misuse. OTP codes may be sent via SMS or email, or generated by an authentication app.

Authenticator apps

An authenticator app is a dedicated verification application that must be installed on a device (typically a smartphone or tablet) and is used to generate OTP codes. Popular and recommended apps include Microsoft Authenticator and Google Authenticator, or other apps. The main advantages of these apps are that they are independent of a phone number, so users do not need to provide one, generate one-time codes even without an internet connection (Wi-Fi) or mobile signal, only require the device’s time settings to be correctly synchronised. User accounts can be added to an authenticator app simply by scanning the relevant QR code.

Setting up MFA

Install an authenticator app for generating OTP codes on your smartphone. These apps are available free of charge on Google Play or the App Store. If you already have an authenticator app installed, you can skip this step.
Add your user account to the authenticator app by scanning the relevant QR code using your phone’s camera. Each user is assigned a unique QR code containing a unique key used to generate OTP codes.
A new account will then appear in the authenticator app. A new six-digit OTP code will be generated every 30 seconds, which you will use as your second authentication factor.

TBU users will add their account to the authenticator app during the activation process for their TBU user account, when the relevant QR code will be displayed. Before activating your user account, you must already have an authenticator app installed on your mobile phone. Setting up MFA is required in order to complete the user account activation process successfully.

Virtual tour

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
mdocs-f23d4887cc59eaf5d74998a5389151af	session	This cookie is associated with the site's document system and is used to store information needed to manage and display documents.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
qtrans_front_language	1 year	This cookie is set by qTranslate WordPress plugin. The cookie is used to manage the preferred language of the visitor.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_1HP1PTTJR4	2 years	The _ga_1HP1PTTJR4 cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat	1 minute	Google Universal Analytics sets this cookie to restrain request rate and thus limit data collection on high-traffic sites.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
sid	1 month	The sid cookie contains digitally signed and encrypted records of a user’s Google account ID and most recent sign-in time.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	13 months	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	13 months	This cookie is set by Microsoft to recognise unique web browsers that visit its websites. It is used for personalised advertising, web analytics and other operations.
NID	6 months	NID cookie, set by Google, is used for advertising purposes; to limit the number of times the user sees an ad, to mute unwanted ads, and to measure the effectiveness of ads.
test_cookie	15 minutes	The test_cookie is set by Google and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	6 months	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Univerzita Tomáše Bati ve Zlíně