Difference between revisions of "Multi-Factor Authentication - User Guide/FAQ"

Here you'll find answers to common questions about using MFA at Evergreen.

see below:

...

Multi-Factor Authentication

What is authentication?

Authentication is a process by which a person or computer proves they are who they claim to be. An example is a person signing in to a web site by providing their Evergreen ID and password.

What is multi-factor authentication?

Multi factor authentication, also called MFA, 2FA, adds a second layer of security when signing in. Evergreen uses Microsoft Authenticator for MFA. Normally, you verify your identity with a single factor, such as a password, which is something you know. Verifying your identity using a second factor, like a smartphone or hardware token, which is something you have, prevents others from signing in as you, even if they know your password.

How is MFA being used at Evergreen?

Evergreen MFA is used to secure applications that have sensitive institutional data to reduce the risk that this data will get compromised.This service can use a smartphone app, a phone call, or a hardware token as a second factor to authenticate you. Most people use authentication via the smartphone app, Microsoft Authenticator, which runs on a variety of smartphones and tablets.

Who is required to use MFA?

Any system that requires your Evergreen log-in credentials to access. Staff, faculty, and students are required to use MFA.

Why do I need MFA?

There is a significant increase in the protection of your account with MFA. If you receive a security code or push notification when you are not trying to log in to your account, you'll immediately know that someone else is attempting to do so. If this happens, you should change your password and call the Technology Support Center at (360) 867-6627 or support@evergreen.edu. Alternatively, you may submit a help request at help.evergreen.edu.

• Two-factor adds an extra barrier between your personal information and malicious people, emphasizing the importance of protecting your personal and sensitive information.
• Two-factor can help keep attackers from accessing your email, documents, financial, personal, and health information, or research data.
• Two-factor reduces the risk of hackers using your Evergreen account to perform harmful activities.
• Two-factor helps protect Evergreens systems.

I have nothing confidential in my account; why should I care about MFA?

Most attackers are interested in using your username and password to send hundreds or thousands of phishing messages to other faculty, staff, and students to compromise their computers and gain access to sensitive information. Another common tactic is for hackers to alter your direct deposit information to deposit your paycheck or financial aid into their account instead of yours.

What applications require MFA?

All web-based applications and platforms used at Evergreen, such as the following, will require it:

• my.evergreen
• Canvas
• Microsoft Office products
• Banner

Will I be prompted for MFA on campus?

Yes, you will be prompted for MFA on campus.

How often do I have to re-authenticate?

You may be prompted more frequently if you use a VPN, use multiple computers, or frequently clear your browser cache.

Setup Microsoft Authenticator on Your Device

Can I use my personal smartphone, tablet, or mobile phone for MFA?

Yes! The Microsoft Authenticator we will primarily be using runs on both iOS and Android.

Can I use multiple forms of MFA at the same time?

Yes. Having multiple forms configured is advantageous as you can use one form as a backup if your primary form fails. You will only be required to provide one of your available methods when prompted for MFA and can choose which method. If you have an older phone stored in a safe location you can also install and setup Microsoft Authenticator on it so that you have a backup device just in case.

Can employees use a personal device for MFA, even for conducting college business?

Yes! Employees can use personal devices for MFA, even for university business.

Will my device be subject to a public records request because it is used for MFA?

No. If you use the Microsoft Authenticator app, there will be no record on your device. All authentication records are stored in the Microsoft Azure cloud, and any information on your devices would be redundant.

Use One-Time Password Codes Without Data Service

If you're in a location where your phone doesn’t have data service, you can still use the Microsoft Authenticator App to complete MFA. The app generates a one-time password code (OTP) even without an internet connection. Simply open the Authenticator App, click on your Evergreen account, and use the code displayed under your account name. This ensures you can always log in, even in areas with limited connectivity.

Use Microsoft Authenticator with Face ID or Passcode on iOS

Did you know you can streamline using the Microsoft Authenticator App on iOS by allowing it to unlock using Face ID or your phone's passcode?

Steps to Enable:

• Open your iPhone settings.
• Go to Settings → Face ID & Passcode.
• Select Other Apps and enable Face ID for the Microsoft Authenticator App.

This makes accessing your authentication prompts faster and more secure while still maintaining ease of use.

Use Biometrics to Unlock Microsoft Authenticator on Android

On Android devices, you can configure biometric authentication (like fingerprint or face unlock) for specific apps, including Microsoft Authenticator, even if your phone unlocks with a passcode.

Steps to Enable:

• Open the Microsoft Authenticator App on your Android phone.
• Tap the three-dot menu (or your account icon) in the top-right corner.
• Go to Settings.
• Enable the App Lock option.
• Follow the prompts to allow the app to use your phone's biometric authentication method (e.g., fingerprint or face unlock).

This allows you to unlock your phone with a passcode and quickly access the Authenticator App with biometrics for added convenience.

How can I troubleshoot my MFA access?

To troubleshoot your MFA access, please ensure your Microsoft Authenticator app is adequately set up and your device is connected to the internet. If issues persist, contact the Technology Support Center at support@evergreen.edu or request help at help.evergreen.edu.

Why is the Microsoft Authenticator app requesting a 4-digit PIN or Face ID?

Microsoft Authenticator enables app lock by default. App lock uses your phone's security features. So, in addition to unlocking your phone, you must also unlock the Microsoft Authenticator app. For example, if you use a 4-digit PIN to secure your phone, you must use that same 4-digit PIN to unlock the Authenticator app. Similarly, if you use an Apple phone and have Face ID enabled, it will require that.

You may disable Microsoft's Authenticator app lock by following these steps:

1. Open the Microsoft Authenticator app.
2. In the top right-hand corner, select three horizontal dots.
3. Select Settings.
4. Under Security, toggle App Lock to off.

How can I get MFA support?

Technical support for MFA is available from the Technology Support Center during business hours or from your technical support staff.

Alternative MFA Options

What can I use as a second factor for MFA?

The Microsoft Authenticator app for smart devices is recommended as your primary second authentication factor. It is the most convenient, robust, and reliable method. For instructions on how to set up the app, please review the Microsoft Authenticator Setup.

Please review our MFA - Alternative Authentication Methods article for details on alternative options.

MFA Token

Tokens work by pushing a button that displays a code that is good for 30 seconds. When logging into an application like outlook a person is prompted to enter in a code from the token after successfully entering their password. Tokens are not plugged into the computers. They are carried by the person issued the token.

Will MFA work on my phone if I lose cell service and wireless networking?

Yes. If you have installed the Microsoft Authenticator app on your mobile device, you can open the app, tap on your account, and view a one-time password code. You can use this code just like an SMS text message. When authenticating, you may have to choose "Sign in another way" after entering your password and being prompted for MFA. This code is generated using your device's time, so it will work as long as your device's time is accurate within 30 seconds.

If your only configured method is receiving a text message or phone call, you will need to contact the Technology Support Center for a temporary access pass.

Common Issues

What if I cannot access my primary MFA device and get prompted for MFA?

If you have configured a MFA - Alternative Authentication Methods method, you may choose to sign in another way during MFA. If you do not have an alternate method configured, you must contact Technology Support Center for assistance.

I don't have access to one of my authentication methods, and I have an urgent need for access

If you do not have access to any authentication methods and need access urgently, a temporary access pass can be issued. A temporary access pass isn't intended as a primary authentication method. Still, it is an option for accessing your account in an emergency when you cannot access your previously configured methods. You may receive a pass by contacting the Technology Support Center (TSC). We will work with you on its usage and limitations and assist you with establishing a long-term authentication solution upon granting a temporary access pass. The TSC will require you to prove that you are in fact you though various means before issuing a temporary access pass.

I am buying a new phone. How do I am sure that I can still use MFA

Follow the instructions for setting up MFA on your new phone before you reset or otherwise get rid of your old phone. Microsoft Authenticator Setup You can actually have several devices setup with the Authenticator app at once. This will make it easy for you to switch to your new phone.

Are there problems with MFA when traveling?

If you plan to travel, you should configure the Microsoft Authenticator app on a smart device. The authenticator app contains functionality for displaying a rotating code that does not require cellular or internet connectivity to function.

I am getting prompted for MFA at every logon.

This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This setting will cause this behavior. Using incognito browsing will also prompt for MFA each time you log in.

I did not get a push notification from the Microsoft Authenticator app.

You must have internet service for the push notification to work. Having your phone on Do Not Disturb or Focused mode may also prevent the notification from being displayed. Occasionally, you may need to manually open the Microsoft Authenticator app first for the popup to appear.

If you still have not received the push notification, you may sign in another way from the authentication prompt. You can then choose to use a verification code. To retrieve the code, open the Microsoft Authenticator app and tap on your account. You will see a six-digit code that rotates every 30 seconds that will be used to verify your identity.

If you continue to have trouble authenticating, please contact the Technology Support Center.

Why does my Authenticator app display advertisements?

If your authenticator app displays advertisements, you are using a third-party authenticator app. Evergreen strongly recommends that Greener community members use the Microsoft Authenticator app. The Microsoft Authenticator app does not display advertisements.

You may view our Microsoft Authenticator Setup guide. This guide will walk you through adding a different method, such as the Microsoft Authenticator app, and removing the third-party authenticator app.