Talk:Multi-Factor Authentication

Revision as of 17:12, 12 September 2024 by Greenea


Multifactor authentication, commonly referred to as MFA, is a method for securing an account with multiple means of verifying your identity.

DRAFT

Frequently Asked Questions

What is multifactor authentication and why is it necessary?

Multifactor authentication combines something you know, such as a password, with something you have, such as the Microsoft Authenticator app, as two different forms of authentication. Requiring multiple forms of identity verification when logging into services is the best form of protection against phishing attacks, which have become much more common in the last few years. Multifactor authentication can protect access to your account, personal information, and college data in the event that a malicious actor obtains your password.

General Multifactor Authentication Questions

Is MFA Required?

MFA is expected to be required by the end of the 2024/2025 academic year. A roll-out project will begin in Fall of 2024, which will, by the end of the year, require all students, faculty, and staff to register at least one MFA method. We are encouraging users to opt-in to MFA now; otherwise, it will be enforced on all accounts at a later date. Certain groups will be required to use MFA for certain applications at each stage of the rollout. Eventually, you will need to use MFA for everything you use your Evergreen account for.

Will I be prompted for MFA on campus?

Initially, in most cases, you will be prompted for MFA on campus. We hope to use your location (physical presence on campus) as a second means of authentication. Several other ongoing projects will allow us to do this, but we will not have this ability until they are complete. Some applications on campus that provide access to sensitive information may still require the use of your authenticator.

What applications require MFA?

Many online services accessed through your web browser from off-campus that use your universal account for sign-in will require the use of MFA. This includes Office 365, Zoom, Canvas, and others. Additionally, services and programs that house or facilitate access to sensitive information will require MFA at all times.

I don't have access to one of my authentication methods and I have an urgent need for access

If you do not have access to any of your authentication methods and you need access urgently, a temporary access pass can be issued. A temporary access pass isn't intended to be used as a main method of authentication but is instead an option for accessing your account in an emergency when you are unable to access your previously configured methods. You may receive a pass by contacting The Support Center. We will work with you on its usage and limitations, and assist you with establishing a long-term authentication solution upon granting a temporary access pass.

Do I have to authenticate with MFA every time I log in?

NEEDS WORK AND CHOICES Typically, no. MFA is required when you sign into a new device, application, or service. You can expect to be prompted for MFA at least every 90 days or sooner.

Some use cases may require more frequent authentication with MFA. Signing in on an incognito tab on a web browser will require MFA as it is seen as a new device. Some applications with access to sensitive information may require MFA once every few hours. There are also cases where suspicious login activity or location may require you to sign into your account with MFA again. When changing your password, including when it expires, you will always be prompted for MFA.

What can I use as a second factor for MFA?

The Microsoft Authenticator app for smart devices is recommended as your primary second factor of authentication. It is the most convenient, robust, and reliable method of authentication. For instructions on how to set up the app, please review the Microsoft Authenticator Setup.

NEEDS WORK AND CHOICES Other options include receiving a text message or phone call. This is less secure and may be subject to availability issues depending on your mobile service.

Lastly, there is the option for a security key (FIDO2 key). A security key is a piece of hardware, typically a USB device, that plugs into your computer and is used as a means to verify your physical presence during login. Each key is unique and must be paired with your account before use. You may see references to the key as a FIDO2 key, named for the security platform it interacts with.

Some factors cannot be used. You will be unable to use your office phone number, as the phone system uses Microsoft Teams, which is itself protected by MFA. You also will be unable to use the alternative email address associated with your account. While this email address can be used for password reset requests, it cannot be used for MFA.

For more details on alternative options, please review our MFA - Alternative Authentication Methods article.

Can I use multiple forms of MFA at the same time?

Yes. Having multiple forms configured is advantageous as you can use one form as a backup if your primary form fails. You will only be required to provide one of your available methods when prompted for MFA and can choose which method when prompted.

Will MFA work on my phone if I lose cell service and wireless networking?

Yes. If you have installed the Microsoft Authenticator app on your mobile device, you can open the app, tap on your account, and view a one-time password code. You can use this code just like a code sent to you via SMS text message. When authenticating, you may have to choose the option to "Sign in another way" after entering your password and being prompted for MFA. This code is generated using the time of your device, so it will work as long as your device's time is accurate within 30 seconds.

If your only configured method is by receiving a text message or phone call, you will need to reach out to the Technology Support Center for a temporary access pass.

Hardware security keys do not need access to the internet to function.
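The offline one-time code described above, shown as an added example (this is not Microsoft's or the college's code). It assumes the standard time-based one-time password algorithm (RFC 6238, HMAC-SHA1) with the six-digit, 30-second codes this page mentions, and a server that accepts one 30-second step either side of its own clock; the function names and sample values are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as stated on this page
DIGITS = 6   # six-digit code, as stated on this page

def totp(secret: bytes, unix_time: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 code: depends only on the shared secret and the clock, no network."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, submitted: str, server_time: float, window: int = 1):
    """Return the step offset (-window..window) whose code matches, else None.
    window=1 is an assumption modelling the 30-second tolerance on this page."""
    for drift in range(-window, window + 1):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, submitted):   # constant-time compare
            return drift
    return None

def drift_report(secret: bytes, server_time: float, clock_errors):
    """Map each device clock error (seconds) to whether its code is accepted."""
    return {
        err: verify(secret, totp(secret, server_time + err), server_time) is not None
        for err in clock_errors
    }

# Constructed sample values: the RFC 6238 test secret and a server time that
# falls 15 seconds into a 30-second step.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SERVER_TIME = 1_700_000_025

if __name__ == "__main__":
    for err, ok in drift_report(SAMPLE_SECRET, SAMPLE_SERVER_TIME,
                                [0, 10, 30, -30, 90, -90]).items():
        print(f"device clock off by {err:+4d}s -> {'accepted' if ok else 'rejected'}")
```

A device whose clock has drifted by 90 seconds produces a well-formed code that the server still rejects, which is why correcting the device's time setting is the first thing to check when offline codes fail.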


What if I do not have access to my device and get prompted for MFA?

NEEDS WORK AND CHOICES If you have configured an alternative authentication method (see MFA - Alternative Authentication Methods), you may choose to sign in another way during MFA. If you do not have an alternate method configured, you will have to contact the Technology Support Center for assistance.

Are there problems with MFA when traveling?

If you plan to travel, you should configure the Microsoft Authenticator app on a smart device. The authenticator app contains functionality for displaying a rotating code that does not require cellular or internet connectivity to function. You may also want to consider configuring a security key (FIDO2 key) as a backup when traveling abroad. For more details on alternative options, please review our MFA - Alternative Authentication Methods article.

What if I don't want to use my cell phone or don't own a cell phone?

Any smart device running Android or iOS can be configured to use the rotating one-time passcode (OTP) option from within the Microsoft Authenticator. This passcode does not require a cellular or internet connection to work and does not transmit or receive data. An old tablet or phone no longer in service can be used for the authenticator app.

If you do not have any smart devices, you may configure a security key (FIDO2 key) that will plug into a computer as a means of identification. More details on how to obtain a security key will be published prior to the requirement for MFA being set. For more details on alternative options, please review our MFA - Alternative Authentication Methods article.

Will my personal device be subject to a public records request because it is used for MFA?

No. All authentication records are stored in the Microsoft Azure cloud, and any information on your personal devices would be redundant. Also, if you use the Authenticator App, there will be no record stored on your device.

How can I get MFA support?

Technical support for MFA is available from The Support Center during their business hours or from your technical support staff.

Common Problems

I am getting prompted for MFA at every logon.

This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This will cause this behavior. Using incognito browsing will also prompt for MFA each time you log in.

I did not get an SMS text message with a code.

The quick fix is to install and configure the Microsoft Authenticator app (see Microsoft Authenticator Setup).

Verify that you can receive text messages on your phone by having a friend or co-worker text you. If you did not receive their texts, there is a problem with your phone or cell service. If you did receive them, you may still have a problem if you have configured your phone to block texts from unknown numbers. Using SMS (text messages) for MFA can result in intermittent yet persistent and difficult-to-diagnose problems. If you continue to have trouble authenticating, please contact the Technology Support Center.

I did not get a push notification from the Microsoft Authenticator app.

You must have internet service for the push notification to work. Having your phone on Do Not Disturb or Focused mode may also prevent the notification from being displayed. Occasionally, you may need to manually open the Microsoft Authenticator app first for the popup to appear.

If you still are not receiving the push notification, you may choose to sign in another way from the authentication prompt. You can then choose to use a verification code. To retrieve the code, open the Microsoft Authenticator app and tap on your account. You will see a six-digit code, rotating every 30 seconds, which you use to verify your identity.

If you continue to have trouble authenticating, please contact the Technology Support Center.