Two-factor authentication (2FA) will become mandatory for all EU Login accounts on the Funding & Tenders Portal (FTOP), almost certainly by the end of 2023. UKRO understands from talks with Commission colleagues that it will be a gradual process, and nothing will be changed overnight. It is likely that the Commission will pilot mandatory 2FA on a small number of FTOP users first before rolling it out more widely by the end of the year.
While mandatory 2FA will be introduced mainly to help secure EU Login accounts against potential cybersecurity threats, it will effectively also help to enforce the Commission’s individual EU Login accounts policy, which dates back to the beginning of Horizon 2020. Consequently, Horizon 2020/Europe projects using shared mailboxes (e.g. finance@university.ac.uk or euprojects@university.ac.uk) will be affected.
What is two-factor authentication?
Two-factor authentication (or 2FA) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two (or more) pieces of evidence, or factors, drawn from different categories, to an authentication mechanism: knowledge (something only the user knows, such as a password), possession (something only the user has, such as a phone or a security key), and inherence (something only the user is, such as a fingerprint).
Multi-factor authentication (MFA, of which 2FA is the most common form) protects user data from being accessed by an unauthorised third party who may have been able to discover a single password.
Why is the Commission introducing mandatory two-factor authentication on EU Login accounts?
The threats to cybersecurity are increasing and the Commission is currently strongly encouraging all users on FTOP to set up two-factor authentication for their EU Login accounts – this is optional at this stage. Every time you log in to your account, a reminder pops up with information on how to set up two-factor authentication to make your account more secure.
What is the impact of mandatory two-factor authentication on shared mailboxes?
As 2FA, in principle, ties the second factor to a single enrolled mobile device, it will make it impossible for a group of individuals to log in to an EU Login account that was set up using a shared mailbox.
If the use of a mobile device is not an option, there are alternatives for providing the second factor (trusted platform, special USB security key). However, these are not available on all types of devices and are also less convenient and more difficult to handle.
Consequently, once 2FA becomes mandatory, it will be necessary to include individual mailboxes in applications to avoid problems with accessing the relevant accounts on FTOP later. Ongoing Horizon projects – where EU Login accounts based on shared inboxes are used – will also be affected.
While we understand that using shared mailboxes makes it easier to apply for EU funding and to manage Horizon projects for larger teams (especially when people move on), this approach goes against the Commission’s notion of a “chain of trust” which was introduced with online signatures under Horizon 2020 (see below for details).
UKRO recommends that subscribers review their current bids and projects which use shared mailboxes and implement the necessary changes (e.g. add individual accounts to applications/projects) as soon as practically possible. This will help to prevent problems with accessing crucial information about applications and projects in the future.
Why are shared mailboxes not recommended on Horizon projects?
Applicants to Horizon calls and participants in Horizon projects are not supposed to use functional mailboxes. This was clearly communicated to FTOP users at the beginning of Horizon 2020 when electronic signatures were first introduced. Nevertheless, the Commission never strictly enforced this policy under the previous programme and many institutions still use shared mailboxes to manage their projects, although this goes against the idea of the “chain of trust” that the Commission establishes with an institution when it approves its Legal Entity Appointed Representative (LEAR).
The “chain of trust” guarantees signatories’ identity and means that the individuals appointed to specific organisational roles by the LEAR/Account Administrators have the authority and internal permissions to act on behalf of the organisation. Individual accounts allow the Commission to see who performed certain actions on behalf of the participant (e.g. signed the grant agreement or submitted financial statements), and, provided that the people concerned were internally appointed to the relevant organisational roles on FTOP, this cannot be questioned or challenged in any way.
Shared mailboxes, which are accessible by multiple individuals, go against this idea: technically, someone without the necessary permissions could perform actions on FTOP that have legal or financial consequences for the organisation under the FTOP Terms and Conditions.
Where can I find out more about two-factor authentication?
The Commission will hold a dedicated webinar on 2FA next week (10 May). It will be recorded, and the video recording will be made available on the event page.
During this event, the Commission will provide information and guidance on how to set up 2FA for EU Login accounts and explain why it will soon become mandatory for everyone using the FTOP, for example, on Horizon 2020/Europe projects.
In the meantime, the following FAQs are available on the Commission’s Portal:
- How do I activate the two-factor authentication for my account on the Funding & Tenders Portal?
- For the two-factor authentication on my account on the Funding & Tenders Portal, do I have to use my private mobile device if my employer does not provide a device for professional use?
- Once I activated two-factor authentication for my account on the Funding & Tenders Portal, how can I retrieve access in case my mobile device is no longer available to me (e.g. loss or theft)?
- When will two-factor authentication for my account on the Funding & Tenders Portal become mandatory?