
About keio.jp Multi-Factor Authentication (MFA)

Introduction

Multi-Factor Authentication (MFA), in which a second factor is used for authentication, was introduced for keio.jp account authentication in June 2022.
Currently, the feature is only enabled for users who have opted in (those who have set it up), but it is planned to be implemented universally in the future (date undecided).
As of August 2024, MFA will not be enabled unless you complete the initial setup (authentication will remain as ID and password only, as before).

What is Multi-Factor Authentication (MFA)?

Multi-Factor Authentication (MFA) refers to authentication that combines two or more of the three authentication factors: "knowledge," "possession," and "biometrics."

"Knowledge" → Passwords, PIN codes, security questions, etc.
"Possession" → Mobile phones, hardware tokens, IC cards, etc.
"Biometrics" → Fingerprints, veins, voice patterns, irises, etc.

Setting a strong password is the first measure to protect your account. However, many users still set easily guessable passwords, and even if a strong password is set, if it is reused across multiple services, there is a risk of multiple accounts being compromised through password list attacks. As the number of accounts to manage continues to increase, the reliance on memory for password authentication is reaching its limits.

The main benefit of introducing MFA is that it significantly enhances security. In particular, biometric factors such as facial and fingerprint recognition, which only the user can present, and possession factors are difficult to copy or steal, making unauthorized access to accounts by third parties extremely difficult.

Please also check here for more details.


About Multi-Factor Authentication (MFA) at keio.jp

It is recommended to set up multiple factors in case of emergency (e.g., TOTP on your smartphone and TOTP on your tablet, or voice call on your smartphone and TOTP).
At keio.jp, the following options are available as the second factor in MFA:

TOTP (Time-based One Time Password)

  • To authenticate, you enter a six-digit number, displayed on your computer or smartphone, that changes every 30 seconds. This six-digit number is unique to each user.
  • You need an environment that supports TOTP apps such as Okta Verify, Google Authenticator, or Microsoft Authenticator.

FIDO (Fast Identity Online)

  • Complies with the FIDO2 standard.
  • Authentication is performed using biometric information (such as fingerprints or facial recognition) or an authentication device (such as a USB key).
    • Biometric Authentication: Windows Hello, Face ID, Touch ID, etc.
      • Biometric information itself is not sent externally during authentication.
      • First, biometric authentication is performed on the device, and a private key is selected. A verification result signed with this private key is sent to the service. Finally, the service confirms the login by verifying the signature with the public key it holds.
      • Since only the verification result is sent, and not the information stored on the device, the user's biometric information will not be compromised even if the transmitted information is stolen.
    • Authentication Devices: YubiKey, etc.
  • You need a biometric reader or authentication device on the terminal.

One-Time Password (SMS/Voice Call)

  • You receive a five or six-digit number via SMS or voice call that can be used only once within a certain period. Depending on the type of SMS or telephone contract, a charge may be incurred upon receipt.


When is Multi-Factor Authentication (MFA) required?

MFA applies to all keio.jp applications where the keio.jp authentication screen appears. The exception is authentication when connecting to Wi-Fi (keiomobile2, eduroam).

The overview of MFA at keio.jp is as follows:

[Figure: overview of MFA at keio.jp]

About Initial Setup

To start using MFA, you must complete the initial setup.
As of August 2024, MFA will not be enabled unless you complete the initial setup (authentication will remain as ID and password only, as before).
The general flow of the process is as follows:

  1. Confirm the environment where MFA will be used and consider your usage plan
  2. Install the TOTP (Authenticator) app (if using TOTP authentication)
  3. Set up additional authentication factors
  4. Enable Multi-Factor Authentication

Please complete all steps from 1 to 4 for the initial setup.

[Initial Setup 1] Confirm the environment where MFA will be used and consider your usage plan

Consider your usage plan (authentication factors) according to your environment.
If you have a phone, it is recommended to set up one-time password authentication (SMS/voice call) (since you can still use it as an authentication factor even if you change your device, as long as you do not change your phone number).

  1. PC and Smartphone/Tablet (Android/iOS/iPadOS)
    • It is recommended to set up one-time password authentication (SMS/voice call) on your smartphone.
    • FIDO authentication and TOTP (Authenticator) apps are available on your smartphone.
    • On your PC, you can use TOTP displayed in a PC browser or FIDO authentication using a USB security key device. FIDO security keys need to be purchased separately.
  2. Smartphone/Tablet only (Android/iOS/iPadOS)
    • It is recommended to set up one-time password authentication (SMS/voice call) on your smartphone.
    • FIDO authentication and TOTP (Authenticator) apps are available on your smartphone or tablet.
  3. PC only (No smartphone, only feature phone/landline)
    • It is recommended to set up one-time password authentication (SMS/voice call) on your feature phone/landline.
    • FIDO authentication using a USB security key device is available. FIDO security keys need to be purchased separately.
    • Alternatively, you can use the TOTP display function of the PC browser.
  4. PC only (No phone at all)
    • You can use the TOTP display function of the PC browser.


[Initial Setup 2] Install the TOTP (Authenticator) app (if using TOTP authentication)

If the TOTP (Authenticator) app is already installed, this step is not necessary.
"Okta Verify," "Google Authenticator," and "Microsoft Authenticator" are available.

  1. Smartphone/Tablet (Android/iOS/iPadOS)
    1. Check that the clock on the smartphone/tablet you are setting up is accurate.
      TOTP calculations use time information. If the clock on your smartphone is incorrect, TOTP will not be calculated correctly, and you will not be able to log in. Adjust the clock on your smartphone/tablet manually or set it to automatic.
    2. Add the TOTP app "Authenticator" to your smartphone/tablet.
      For iPhone apps:
      For Android apps:
  2. PC Browser (if you do not have a smartphone/tablet)
    A TOTP display function is available as a browser extension for Chrome, Firefox, Edge, etc.
    For more information, please refer to the following page:


[Initial Setup 3] Register Authentication Factors

If you are using a FIDO security device, please connect it at this time.
No special attention is needed for built-in devices.

  1. Access the MFA settings page and log in with your keio.jp account (ID, password).
  2. Click/Tap "Set Up" for the authentication factor you want to add.
    If you are asked for your password when clicking/tapping "Set Up," please enter it again.
    (If one or more authentication factors are already registered, the MFA screen will be displayed even if MFA is not yet enabled, so log in using the registered authentication method)
    1. If you select "Okta Verify"
      1. Confirm that "Okta Verify" (TOTP Authenticator app) is installed on your smartphone/tablet. If it is not properly installed, please complete the installation.
      2. Click/Tap "Set Up."
      3. Scan the displayed QR code with "Okta Verify" (TOTP Authenticator app).
      4. When the scan is successful, the screen will automatically transition, and the device will be registered.

    2. If you select "Security Key or Biometric Authenticator"
      1. Click/Tap "Set Up."
      2. Click/Tap "Set Up."
      3. Follow the instructions displayed to proceed with the registration. (Image shows an example of Face ID)
      4. When the registration is successful, the screen will automatically transition, and the device will be registered.

    3. If you select "Google Authenticator"
      If you are using "Microsoft Authenticator," please also select this.
      1. Confirm that "Google Authenticator" or "Microsoft Authenticator" (TOTP Authenticator app) is installed on your smartphone/tablet. If it is not properly installed, please complete the installation.
      2. Click/Tap "Set Up."
      3. Scan the displayed QR code with "Google Authenticator" or "Microsoft Authenticator" (TOTP Authenticator app), confirm that the TOTP code is correctly displayed in the app, and click/tap "Next."
      4. Enter the six-digit number (authentication code) displayed in "Google Authenticator" or "Microsoft Authenticator" (TOTP Authenticator app) and click/tap "Verify."
      5. When the registration is successful, the device will be registered.
        (Once registered, the label will change from "Set Up" to "Remove")

    4. If you select "Phone"
      1. Click/Tap "Set Up."
      2. If you are registering via SMS, select SMS, choose the country Japan, enter your phone number, and click/tap "Receive Code via SMS."
        If you are registering via a call, select Voice Call, choose the country Japan, enter your phone number, and click/tap "Receive Code via Call."
      3. Enter the verification code received via SMS or voice guidance and click/tap "Verify."
      4. When the registration is successful, the device will be registered.

[Initial Setup 4] Enable Multi-Factor Authentication (MFA)

  1. Access the MFA settings page and log in with your keio.jp account (ID, password).
  2. If the "Edit Profile" button is displayed, click/tap it.
    (Even if MFA is not enabled, the MFA screen will be displayed, so log in using the registered authentication method)
    If the "Edit Profile" button is not displayed, proceed to step 3.
  3. Click/Tap "Edit" in the personal information section.
  4. Change the multi-factor authentication section to "Enable" and click/tap "Save."

With this, MFA will be enabled for the corresponding account.


Login using Multi-Factor Authentication (MFA)

  1. Log in to the new authentication screen with your ID and password.
  2. The MFA screen will be displayed, so select the registered authentication method (in some cases, the screen for one of the registered methods will be displayed directly instead of the list screen).

A. Login using Google Authenticator

Launch "Google Authenticator" or "Microsoft Authenticator" (TOTP Authenticator app), enter the code (six digits) displayed, and click/tap "Verify" to log in.


B. Login using Okta Verify (code entry)

Launch "Okta Verify" (TOTP Authenticator app), tap the eye icon, enter the code (six digits) displayed, and click/tap "Verify" to log in.


C. Login using Okta Verify (push notification)

A push notification will be sent to the smartphone or tablet with "Okta Verify" (TOTP Authenticator app) installed. Tap "Yes, it’s me" on the device. If the authentication is successful, you will be logged in automatically.


D. Login using Phone (SMS)

Receive the authentication code via SMS/voice call to the registered phone number.

  • If you select "Receive Code via SMS"
    A one-time authentication code will be sent to the specified phone number via SMS.
    Enter the code and click/tap "Verify" to log in.
  • If you select "Receive a Call Instead"
    A voice call will be made to the specified phone number.
    Enter the code provided by the voice guide and click/tap "Verify" to log in.

E. Login using Security Key or Biometric Authenticator

Log in using the registered security key or biometric authenticator.

  1. Click/Tap "Verify."
  2. Follow the instructions displayed to log in. (Image shows an example of Face ID)

Manage Authentication Factors

This section explains how to add or delete authentication factors.

  • Due to system specifications, the maximum number of registrations for Okta Verify/FIDO/Phone is 10 in total.
  • Due to system specifications, the maximum number of registrations for "Google Authenticator" or "Microsoft Authenticator" is 1.
    If you want to change your device, please delete the registered device first, and then re-register.


Add Authentication Factors

  1. Access the MFA settings page and log in with your keio.jp account (ID, password). If MFA is enabled, log in using the registered authentication factor.
  2. If the "Edit Profile" button is displayed, click/tap it.
    (Even if MFA is not enabled, the MFA screen will be displayed, so log in using the registered authentication method)
    If the "Edit Profile" button is not displayed, proceed to step 3.
  3. Click/Tap "Set Up Another" for the authentication factor you want to add.
    (If you are asked for a password or MFA when clicking/tapping "Set Up Another," please enter it again)
    The addition method is the same as the registration method for the first device.

Delete Authentication Factors

  • If you delete all authentication factors while MFA is enabled, the MFA registration screen will be forcibly displayed the next time you log in.
    If you want to disable MFA, please follow the steps in Deactivate Multi-Factor Authentication (MFA).
    If you have no authentication factors available for MFA and cannot log in, please consult your nearest KIC office.
  1. Access the MFA settings page and log in with your keio.jp account (ID, password). If MFA is enabled, log in using the registered authentication factor.
  2. Click/Tap "Delete" for the authentication factor you want to delete.
  3. You will be asked to confirm the deletion; click/tap "Yes."
    (If you are asked for a password or MFA when clicking/tapping "Yes," please enter it again)

Disable/Deactivate Multi-Factor Authentication (MFA)

Temporarily Disable MFA

If you wish to temporarily disable MFA that has been enabled, because of issues such as theft, loss, or malfunction of authentication factors, or inability to log in, please consult your nearest KIC office with the following "Identity Verification Documents".

[Examples of Identity Verification Documents]

  • Faculty/Staff
    • Faculty/Staff ID (ID from other universities is not accepted)
    • Driver's License (Japanese only)
    • Driving History Certificate (issued on or after April 1, 2012)
    • Passport
    • Health Insurance Card
    • Residence Card
  • Students
    • Student ID (ID from other universities is not accepted)

Even if MFA is temporarily disabled, the registered information (phone numbers, FIDO authenticator information, TOTP registration information, etc.) will remain.
MFA will be automatically re-enabled based on the registered information 12 hours later.
During the temporary suspension of MFA, MFA via Keio Mail will be available, so if you need to delete authentication factors or disable MFA due to theft, loss, malfunction, etc., please use it to do so.



Multi-Factor Authentication via Keio Mail

  1. Click/Tap "Send Email."
    Please ensure that you can receive emails from the "@okta.com" domain.
  2. An email will be sent to your Keio Mail, so log in using one of the following methods.
    • Log in using the verification link in the email → Click/Tap "Sign In" in the received email to log in.

    • Log in using the verification code
      1. Click/Tap "Enter Verification Code Instead."
      2. Enter the six-digit code in the received email and click/tap "Verify" to log in.

Deactivate MFA (Only during trial period)

  • Deactivating the enabled MFA is only possible during the trial period (June 2022 onwards).
    Once the trial period ends and the system moves to full operation, deactivation will no longer be possible (temporary suspension will still be available).
  • To deactivate MFA, log in to the MFA settings page.
    If you cannot deactivate MFA due to theft, loss, malfunction of authentication factors, etc., first ensure that "Multi-Factor Authentication via Keio Mail" is available by following the steps in "Temporarily Disable MFA."
  • Even if you deactivate MFA, the registered information (phone numbers, FIDO authenticator information, TOTP registration information, etc.) will remain unless explicitly deleted.
    If MFA is re-enabled, it will be activated based on the previously registered information.


  1. Access the MFA settings page and log in with your keio.jp account (ID, password) and registered authentication factor or "Multi-Factor Authentication via Keio Mail."
  2. Click/Tap "Edit" in the personal information section.
  3. Change the multi-factor authentication section from "Enable" to "Disable" and click/tap "Save."

With this, MFA will be deactivated for the corresponding account.



If You Need Help

Frequently Asked Questions (FAQ)

  1. Is it mandatory to set up Multi-Factor Authentication (MFA)?
  2. Why do we need to do something so complicated?
  3. Will Google Workspace, Zoom, K-LMS, Box, etc., linked to keio.jp, also require MFA?
  4. I forgot all the registered authentication factors (such as smartphones or FIDO keys). I have a class soon. What can I do?
  5. My registered authentication factor (such as a smartphone or FIDO key) was lost or malfunctioned, and I don't have any available. Can I deactivate MFA?
  6. I want to change/upgrade the registered smartphone/tablet. What should I do?
  7. My registered smartphone was lost or stolen.
  8. When trying to add a TOTP authenticator extension to Chrome/Edge browser, it says "You do not have permission" and cannot be added.
  9. Is MFA required when connecting to Wi-Fi (keiomobile2/eduroam)?
  10. Every time I perform One-Time Password authentication (SMS/voice call), I receive a call from an unfamiliar number. Why?
  11. I cannot log in using TOTP (Time-based One Time Password) only.
  12. I have multiple smartphones/tablets. Can I add TOTP and FIDO devices (register multiple devices)?
  13. What is the difference between Multi-Factor Authentication and Multi-Step Authentication?
  14. I want to deactivate Multi-Factor Authentication (MFA).
  15. I want to perform TOTP authentication using only a PC, without a smartphone/tablet.
  16. Can I delete a TOTP authentication factor?
  17. MFA is not enabled, but the MFA screen appears when adding/deleting authentication factors or enabling MFA.
  18. MFA is enabled, but the MFA screen does not appear when logging into keio.jp on classroom PCs.



Q1. Is it mandatory to set up Multi-Factor Authentication (MFA)?

As of August 2024, MFA applies only to those who wish to use it (those who have set it up).
MFA will not be enabled unless you complete the initial setup (authentication will remain as ID and password only, as before).
Ultimately, it is planned to be implemented universally (mandatory) in the future (date undecided), so early setup is recommended.


Q2. Why do we need to do something so complicated?

MFA is introduced to strengthen security and protect your data (and the data of the institution).


Q3. Will Google Workspace, Zoom, K-LMS, Box, etc., linked to keio.jp, also require MFA?

If MFA is enabled on keio.jp, all applications using keio.jp authentication will require MFA. No additional settings are required on the app side.


Q4. I forgot all the registered authentication factors (such as smartphones or FIDO keys). I have a class soon. What can I do?

You can temporarily disable MFA at your nearest KIC office (see "Temporarily Disable MFA"). Please consult your nearest KIC office with your identity verification documents.
After that, during the current trial period (as of August 2024), you can deactivate it yourself (see "Deactivate MFA (Only during trial period)").


Q5. My registered authentication factor (such as a smartphone or FIDO key) was lost or malfunctioned, and I don't have any available. Can I deactivate MFA?

You can temporarily disable MFA at your nearest KIC office (see "Temporarily Disable MFA"). Please consult your nearest KIC office with your identity verification documents.
After that, during the current trial period (as of August 2024), you can deactivate it yourself (see "Deactivate MFA (Only during trial period)").


Q6. I want to change/upgrade the registered smartphone/tablet. What should I do?

Please refer to "Change/Upgrade Registered Smartphone/Tablet."


Q7. My registered smartphone was lost or stolen.

Please quickly perform remote locking, line locking, and usage suspension procedures (please refer to the website of each carrier for details).
If you need to temporarily disable MFA, please consult your nearest KIC office with your identity verification documents (see "Temporarily Disable MFA").


Q8. When trying to add a TOTP authenticator extension to Chrome/Edge browser, it says "You do not have permission" and cannot be added.

It seems that you are logged in to the Chrome/Edge browser with your keio.jp account (xxxx@keio.jp). Please try again after logging out.


Q9. Is MFA required when connecting to Wi-Fi (keiomobile2/eduroam)?

No. Even if MFA is enabled, under the current system, MFA is not required when connecting to campus Wi-Fi (keiomobile2/eduroam) (it remains as before).


Q10. Every time I perform One-Time Password authentication (SMS/voice call), I receive a call from an unfamiliar number. Why?

There are several numbers used for SMS sending or voice call initiation from this service, which are randomly selected.


Q11. I cannot log in using TOTP (Time-based One Time Password) only.

Is the time on your device (PC/smartphone/tablet) accurate? Is the time zone set to a different region, with only the displayed time set to Japan Standard Time?
TOTP calculations use time information. If the clock on your device is incorrect, TOTP will not be calculated correctly, and you will not be able to log in. It is recommended to set the clock on your device (PC/smartphone/tablet) to automatic.


Q12. I have multiple smartphones/tablets. Can I add TOTP and FIDO devices (register multiple devices)?

Yes, you can. Please refer to Add Authentication Factors.


Q13. What is the difference between Multi-Factor Authentication and Multi-Step Authentication?

Both Multi-Factor Authentication and Multi-Step Authentication involve multiple authentication steps. Multi-Factor Authentication uses multiple "factors" (knowledge, possession, biometrics) for authentication. By contrast, two-step authentication that uses knowledge-based information, such as ID/password followed by a security question, performs authentication twice but uses only one "factor" (knowledge). Therefore, Multi-Factor Authentication is considered safer, even with the same number of authentication steps.


Q14. I want to deactivate Multi-Factor Authentication (MFA).

Please refer to "Deactivate MFA (Only during trial period)."


Q15. I want to perform TOTP authentication using only a PC, without a smartphone/tablet.

Please refer to "MFA: Using TOTP (Authenticator) on a PC."


Q16. Can I delete a TOTP authentication factor?

Yes, you can. (Reference: Delete Authentication Factors)


Q17. MFA is not enabled, but the MFA screen appears when adding/deleting authentication factors or enabling MFA.

Due to system specifications, if even one authentication factor is registered, the MFA screen will be displayed when adding/deleting authentication factors or enabling MFA, even if MFA is not enabled.


Q18. MFA is enabled, but the MFA screen does not appear when logging into keio.jp on classroom PCs.

For the smooth running of classes, the MFA screen is not displayed when logging into keio.jp from classroom PCs.



Change/Upgrade Registered Smartphone/Tablet

The procedure differs depending on whether there are other registered authentication factors besides the one you are replacing.


There are other registered FIDO/TOTP/Phone numbers besides the one being replaced, and MFA is possible. → You can handle it yourself

  1. Register the new device under "Add Authentication Factors"
  2. If necessary, delete the old device under "Delete Authentication Factors"

No other FIDO/TOTP/Phone numbers are registered besides the one being replaced, and MFA is not possible. → Consultation with the KIC office is required

  1. Temporarily disable MFA at your nearest KIC office (see "Temporarily Disable MFA")
  2. Use "Multi-Factor Authentication via Keio Mail" to register the new device under "Add Authentication Factors"
  3. If necessary, delete the old device under "Delete Authentication Factors"



Last-Modified: September 17, 2024
