Microsoft Multi-Factor Authentication (MFA)
About Multi-Factor Authentication (MFA)
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as entering a code on their cellphone or providing a fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor isn't something that's easy for an attacker to obtain or duplicate.
How to Enroll in Microsoft MFA
Please click here for a guide on enrolling in Microsoft MFA.
1)To pre-register, please configure your account here
- This will configure your account for MFA, but not enforce it.
2) To enable MFA on your account please enable it here
- This will enforce MFA on your account. If you are not pre-registed, then you will have to register on your next log in.
Download the App
Frequently Asked Questions
Multi-factor authentication is a process where a user is prompted during the sign-in process for an additional form of identification, such as to enter a code on their cellphone or to provide a fingerprint scan.
If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, is it really the user signing in with the username and password, or is it an attacker? When you require a second form of authentication, security is increased as this additional factor is not something that is easy for an attacker to obtain or duplicate.
Multi-Factor Authentication is the single best step you can take to protect your digital identity.
It is one simple action you can take to prevent 99.9 percent of attacks on your account.
Please refer to the following links for more information about Multi-Factor Authentication.
Currently all faculty and staff will be impacted by MFA.
Current Applications that are protected by MFA:
Any Office 365 applications including:
- Outlook, Teams, OneDrive
Fortigate SSL VPN
Generally speaking, you will be asked to respond to an MFA challenge every 90 days from each authenticated application or browser. This frequency may increase or decrease based on risk factors. Logins from outside the USA will always ask for MFA, logins from on-campus will not ask for MFA. VPN logins will always require MFA (after November 25th, 2020).
If you are using desktop Microsoft products, you will have to use MFA once. Unless you are forced to re-authenticate.
Most other web applications will honor the 90 Day “remembered” setting. There may be future applications that will require you to MFA more regularly.
Microsoft Authenticator (Preferred Method)
- Microsoft authenticator is the preferred solution for approving MFA requests. It provides simple push notifications so the user does not have to enter codes into the authentication dialogue, and can generate 6 digit TOTP codes if needed.
- Users can receive text messages / SMS containing codes they an enter to approve the authentication.
- Users can register a cell or landline phone number to receive call that prompts them to approve the authentication.
Trusted devices and Locations
To make MFA rollout as smooth as possible, we have created two scenarios where your location or device will act as the additional authentication factor for MFA:
- Logins from on-campus will not receive an additional MFA challenge (satisfied with something you know and somewhere you are).
- Logins from University owned and managed machines will not require an MFA challenge (please contact email@example.com to use this option).
Other Time-based One-time Password algorithm (TOTP) Authenticators
MFA works with any 3rd party authenticator that uses the TOTP protocol. This allows users to use an existing TOTP authenticator they may already have for their bank, personal email account, or video game service. While the University allows the use of third party applications as an MFA factor, we cannot provide support due to the variety of solutions out there.
- Mobile TOTP Applications: Authenticator apps such as Google Authenticator, Last Pass, DUO, and Authy are all compatible with Microsoft MFA. Several authenticator apps are also available for Android Wear and the Apple Watch.
- Desktop TOTP Applications: Desktop applications such as WinOTP Authenticator for Windows, Step Two for MacOS, and KeePassXC for Linux (and other platforms).
- Web Based TOTP Applications: Web services such as Authy can provide TOTP generation. Some of these web services also have companion apps for mobile and desktop devices.
- Hardware TOTP Tokens: Stand-alone TOTP authenticators are generally available and will work with Microsoft MFA. YubiKeys are also supported, though they require use of the Yubico Authenticator to generate TOTP codes.
Single Factor only Applications (POP, IMAP, SMTP)
- Microsoft MFA can support application passwords to allow users to continue to use legacy mail applications that communicate using POP, IMAP, and SMTP. Clients using these protocols were not created to handle a multi-factor authentication dialogue, so application specific passwords (single factor passwords that are only usable for POP, IMAP, and SMTP) are required. To use application passwords, please contact firstname.lastname@example.org . This configuration will require you to always use two factor for all new authentications (with a 90 day renewal frequency), regardless of location or device management.
You can update your authentication methods here.
If a user is in need of special accommodation, please contact email@example.com. We are happy to work with you to get your personal device or adaptive technology configured to seamlessly support MFA.