Difference between revisions of "Talk:Multi-Factor Authentication"

DRAFT

Frequently Asked Questions.

What is multifactor authentication and why is it necessary?

Multifactor authentication will use what you know, such as a password, and what you have, such as the Microsoft Authenticator app, as two different forms of authentication. Having multiple requirements to verify identity when logging into services is the best form of protection against phishing attacks that have become much more common in the last few years. Multifactor authentication can protect access to your account, personal information, and college data in the event that a malicious actor obtains your password.

Is MFA Required?

MFA is expected to be required by the end of the 2024/2025 academic year. A roll-out project will begin in Fall of 2024, which will, by the end of the year, require all students, faculty, and staff to register at least one MFA method. We are encouraging users to opt-in to MFA now; otherwise, it will be enforced on all accounts at a later date. Certain groups will be required to use MFA for certain applications at each stage of the rollout. Eventually, you will need to use MFA for everything you use your Evergreen account for.

Can I use my personal smartphone, tablet, or mobile phone for MFA?

Yes! The university values personal choice and recognizes the convenience of using a personal device for MFA.

Can employees use a personal device for MFA, even for conducting university business?

Yes! Employees can use a personal device for MFA, even for university business. A personal device enables safe and convenient multi-factor authentication to systems used to conduct university business. "Bring your own device" (BYOD) is a common operational model that acknowledges trends in society toward the use of personal devices for user authentication.

How can I troubleshoot my MFA access?

NEEDS WORK AND CHOICES If you run into issues with Multi-factor Authentication

Will my personal device be subject to a public records request because it is used for MFA?

No. If you use the Microsoft Authenticator app, there will be no record on your device. All authentication records are stored in the Microsoft Azure cloud, and any information on your personal devices would be redundant.

Why is the Microsoft Authenticator app requesting a 4-digit pin or Face ID?

Microsoft Authenticator enables app lock by default. App lock uses your phone's security features. So, in addition to unlocking your phone, you must also unlock the Microsoft Authenticator app. For example, if you use a 4-digit pin to secure your phone, you must use that same 4-digit pin to unlock the Authenticator app. Similarly if you use an Apple phone and have Face ID enabled it will require that.

You may disable Microsoft's Authenticator app lock by following these steps:

1. Open the Microsoft Authenticator app.
2. In the top right-hand corner, select three horizontal dots.
3. Select Settings.
4. Under Security, toggle App Lock to off.

Why does my Authenticator app display advertisements?

If your Authenticator app displays advertisements, then you are using a third party's authenticator app. CWU strongly recommends Wildcat community members use the Microsoft Authenticator app. The Microsoft Authenticator app does not display advertisements.

You may view our Microsoft Authenticator Setup guide. This guide will guide you step-by-step on how to add a different method, such as the Microsoft Authenticator app, and remove the third-party authenticator app.

What applications require MFA?

• Initially only my.evergreen.edu for faculty will require it.

Eventually most applications including the following will require it.

• Canvas
• Microsoft Office products
• And several of our web-based single sign-on applications

How often do I have to re-authenticate?

You may be prompted more frequently if you use VPN, if you use more than one computer, or if you frequently clear your browser cache.

I don't have anything confidential in my account, why should I care about MFA?

Most attackers are interested in using your username and password to send out hundreds or thousands of phishing messages to other faculty, staff, and students in an attempt to compromise their computers and get access to sensitive information. Another very common tactic is for hackers to alter your direct deposit information so your paycheck or, if you are a student, financial aid is deposited into their account instead of yours.

What are the benefits of using MFA?

The main benefit of using multi-factor authentication is a significant increase in the protection of your account. If you receive a security code or push notification when you are not trying to log in to your account, you'll immediately know that someone else is attempting to do so. If this does happen, you should change your password and call Tecnology Support Center at (360) 867-6627. The TSC is available Monday through Friday. Outside these hours use the [help link] and and send us a ticket.

• Two-factor adds an extra barrier between your personal information and malicious people.
• Two-factor can help keep attackers from accessing your email, documents, financial, personal, and health information, or research data.
• Two-factor reduces the risk of hackers using your Evergreen account to perform harmful activities.
• Two-factor helps protect Evergreens systems.

Will I be prompted for MFA on campus?

Initially, in most cases, you will be prompted for MFA on campus. We hope to use your location (physical presence on campus) as a second means of authentication. Several other ongoing projects will allow us to do this, but we will not have this ability until they are complete. Some applications on campus that provide access to sensitive information may still require the use of your authenticator.

I don't have access to one of my authentication methods and I have an urgent need for access

If you do not have access to any of your authentication methods and you need access urgently, a temporary access pass can be issued. A temporary access pass isn't intended to be used as a main method of authentication but is instead an option for accessing your account in an emergency when you are unable to access your previously configured methods. You may receive a pass by contacting The Support Center. We will work with you on its usage, and limitations, and assist you with establishing a long-term authentication solution upon granting a temporary access pass.

What can I use as a second factor for MFA?

The Microsoft Authenticator app for smart devices is recommended as your primary second factor of authentication. It is the most convenient, robust, and reliable method of authentication. For instructions on how to set up the app, please review the Microsoft Authenticator Setup.

NEEDS WORK AND CHOICES Other options include receiving a text message or phone call. This is less secure and may be subject to availability issues depending on your mobile service.

There are some limitations on factors that cannot be used. You will be unable to use your office phone number as the phone system will use Microsoft Teams, which is protected by MFA. You also will be unable to use the alternative email address associated with your account. While this email address can be used for password reset requests, it is unable to be used for MFA.

For more details on alternative options, please review our MFA - Alternative Authentication Methods article.

Can I use multiple forms of MFA at the same time?

Yes. Having multiple forms configured is advantageous as you can use one form as a backup if your primary form fails. You will only be required to provide one of your available methods when prompted for MFA and can choose which method when prompted.

Will MFA work on my phone if I lose cell service and wireless networking?

Yes. If you have installed the Microsoft Authenticator app on your mobile device, you can open the app, tap on your account, and view a one-time password code. You can use this code just like a code sent to you via SMS text message. When authenticating, you may have to choose the option to "Sign in another way" after entering your password and being prompted for MFA. This code is generated using the time of your device, so it will work as long as your device's time is accurate within 30 seconds.

If your only configured method is by receiving a text message or phone call, you will need to reach out to the Technology Support Center for a temporary access pass.

What if I do not have access to my device and get prompted for MFA?

NEEDS WORK AND CHOICES If you have configured a MFA - Alternative Authentication Methods method, you may choose to sign in another way during MFA. If you do not have an alternate method configured, you will have to contact Technolgy Support Center for assistance.

Are there problems with MFA when traveling?

If you plan to travel, you should configure the Microsoft Authenticator app on a smart device. The authenticator app contains functionality for displaying a rotating code that does not require cellular or internet connectivity to function.

What if I don't want to use my cell phone or don't own a cell phone?

Any smart device running Android or iOS can be configured to use the rotating one-time passcode (OTP) option from within the Microsoft Authenticator. This passcode does not require a cellular or internet connection to work and does not transmit or receive data. An old tablet or phone no longer in service can be used for the authenticator app.

How can I get MFA support?

Technical support for MFA is available from The Support Center during their business hours or from your technical support staff.

Common Problems

I am getting prompted for MFA at every logon.

This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This will cause this behavior. Using incognito browsing will also prompt for MFA each time you log in.

I did not get an SMS text message with a code.

The quick fix is to install and configure the Microsoft Authenticator Setup.

Verify that you can receive text messages on your phone by having a friend or co-worker text you. If you did not receive their texts, there is a problem with your phone or cell service. If not, you may still have a problem if you have configured your phone to block texts from unknown numbers. Using SMS (text messages) for MFA can result in intermittent yet persistent and difficult-to-diagnose problems. If you continue to have trouble authenticating, please contact the Technology Support Center.

I did not get a push notification from the Microsoft Authenticator app.

You must have internet service for the push notification to work. Having your phone on Do Not Disturb, or Focused mode may also prevent the notification from being displayed. Occasionally, you may need to manually open the Microsoft Authenticator app first for the popup to appear.

If you still are not receiving the push notification, you may choose to sign in another way from the authentication prompt. You can then choose to use a verification code. To retrieve the code, open the Microsoft Authenticator app and tap on your account. You will see a six-digit code that rotates every 30 seconds that will be used to verify your identity.

If you continue to have trouble authenticating, please contact the Technology Support Center.