Multi-Factor Authentication - User Guide/FAQ

DRAFT

Can I use my personal smartphone, tablet, or mobile phone for MFA?

Yes! The university values personal choice and recognizes the convenience of using a personal device for MFA.

Can employees use a personal device for MFA, even for conducting university business?

Yes! Employees can use personal devices for MFA, even for university business. "Bring your own device" (BYOD) is a standard operational model that acknowledges societal trends toward using personal devices for user authentication.

How can I troubleshoot my MFA access?

To troubleshoot your MFA access, please ensure your Microsoft Authenticator app is adequately set up and your device is connected to the internet. If issues persist, contact the Technology Helpdesk at support@evergreen.edu or request help at help.evergreen.edu.

Will my personal device be subject to a public records request because it is used for MFA?

No. If you use the Microsoft Authenticator app, there will be no record on your device. All authentication records are stored in the Microsoft Azure cloud, and any information on your devices would be redundant.

Why is the Microsoft Authenticator app requesting a 4-digit PIN or Face ID?

Microsoft Authenticator enables app lock by default. App lock uses your phone's security features. So, in addition to unlocking your phone, you must also unlock the Microsoft Authenticator app. For example, if you use a 4-digit PIN to secure your phone, you must use that same 4-digit PIN to unlock the Authenticator app. Similarly, if you use an Apple phone and have Face ID enabled, it will require that.

You may disable Microsoft's Authenticator app lock by following these steps:

1. Open the Microsoft Authenticator app.
2. In the top right-hand corner, select three horizontal dots.
3. Select Settings.
4. Under Security, toggle App Lock to off.

Why does my Authenticator app display advertisements?

If your Authenticator app displays advertisements, you are using a third-party authenticator app. Evergreen strongly recommends that Greener community members use the Microsoft Authenticator app. The Microsoft Authenticator app does not display advertisements.

You may view our Microsoft Authenticator Setup guide. This guide will walk you step-by-step through adding a different method, such as the Microsoft Authenticator app, and removing the third-party authenticator app.

What applications require MFA?

• Initially, only my.evergreen.edu for faculty will require it.

Eventually, most applications, including the following, will require it.

• Canvas
• Microsoft Office products
• And several of our web-based single sign-on applications

How often do I have to re-authenticate?

You may be prompted more frequently if you use a VPN, use more than one computer, or frequently clear your browser cache.

I have nothing confidential in my account; why should I care about MFA?

Most attackers are interested in using your username and password to send hundreds or thousands of phishing messages to other faculty, staff, and students to compromise their computers and gain access to sensitive information. Another common tactic is for hackers to alter your direct deposit information to deposit your paycheck or financial aid into their account instead of yours.

What are the benefits of using MFA?

The main benefit of using multi-factor authentication is a significant increase in the protection of your account. If you receive a security code or push notification when you are not trying to log in to your account, you'll immediately know that someone else is attempting to do so. If this does happen, you should change your password and call the Technology Support Center at (360) 867-6627. The TSC is available Monday through Friday. Use the [help link] and send us a ticket outside these hours.

• Two-factor adds an extra barrier between your personal information and malicious people, emphasizing the importance of protecting your personal and sensitive information.
• Two-factor can help keep attackers from accessing your email, documents, financial, personal, and health information, or research data.
• Two-factor reduces the risk of hackers using your Evergreen account to perform harmful activities.
• Two-factor helps protect Evergreens systems.

Will I be prompted for MFA on campus?

Initially, in most cases, you will be prompted for MFA on campus. We hope to use your location (physical presence on campus) as a second means of authentication. Several other ongoing projects will allow us to do this, but we will not have this ability until they are complete. Some applications on campus that provide access to sensitive information may still require using your authenticator.

I don't have access to one of my authentication methods, and I have an urgent need for access

If you do not have access to any authentication methods and need access urgently, a temporary access pass can be issued. A temporary access pass isn't intended as a primary authentication method. Still, it is an option for accessing your account in an emergency when you cannot access your previously configured methods. You may receive a pass by contacting The Technology Support Center. We will work with you on its usage and limitations and assist you with establishing a long-term authentication solution upon granting a temporary access pass.

What can I use as a second factor for MFA?

The Microsoft Authenticator app for smart devices is recommended as your primary second authentication factor. It is the most convenient, robust, and reliable method. For instructions on how to set up the app, please review the Microsoft Authenticator Setup.

There are some limitations on factors that cannot be used. You cannot use your office phone number as the phone system will use Microsoft Teams, which MFA protects. You also cannot use the alternative email address associated with your account. While this email address can be used for password reset requests, it cannot be used for MFA.

Please review our MFA - Alternative Authentication Methods article for more details on alternative options.

Can I use multiple forms of MFA at the same time?

Yes. Having multiple forms configured is advantageous as you can use one form as a backup if your primary form fails. You will only be required to provide one of your available methods when prompted for MFA and can choose which method when prompted.

Will MFA work on my phone if I lose cell service and wireless networking?

Yes. If you have installed the Microsoft Authenticator app on your mobile device, you can open the app, tap on your account, and view a one-time password code. You can use this code just like an SMS text message. When authenticating, you may have to choose "Sign in another way" after entering your password and being prompted for MFA. This code is generated using the time of your device, so it will work as long as your device's time is accurate within 30 seconds.

If your only configured method is receiving a text message or phone call, you will need to contact the Technology Support Center for a temporary access pass.

What if I cannot access my device and get prompted for MFA?

If you have configured a MFA - Alternative Authentication Methods method, you may choose to sign in another way during MFA. If you do not have an alternate method configured, you must contact Technolgy Support Center for assistance.

Are there problems with MFA when traveling?

If you plan to travel, you should configure the Microsoft Authenticator app on a smart device. The authenticator app contains functionality for displaying a rotating code that does not require cellular or internet connectivity to function.

What if I don't want to use my cell phone or don't own a cell phone?

Any Android or iOS smart device can be configured to use the rotating one-time passcode (OTP) option from within the Microsoft Authenticator. This passcode does not require a cellular or internet connection and does not transmit or receive data. An old tablet or phone no longer in service can be used for the authenticator app.

How can I get MFA support?

Technical support for MFA is available from The Support Center during business hours or from your technical support staff.

Common Problems

I am getting prompted for MFA at every logon.

This problem may be due to a browser setting. Check to see if your browser is set to clear cookies every time it is closed. This setting will cause this behavior. Using incognito browsing will also prompt for MFA each time you log in.

I did not get an SMS text message with a code.

The quick fix is to install and configure the Microsoft Authenticator Setup.

Verify that you can receive text messages on your phone by having a friend or co-worker text you. If you have not received their texts, there is a problem with your phone or cell service. If not, you may still have a problem if you have configured your phone to block texts from unknown numbers. SMS (text messages) for MFA can result in intermittent, persistent, and difficult-to-diagnose problems. If you have trouble authenticating, please contact the Technology Support Center.

I did not get a push notification from the Microsoft Authenticator app.

You must have internet service for the push notification to work. Having your phone on Do Not Disturb or Focused mode may also prevent the notification from being displayed. Occasionally, you may need to manually open the Microsoft Authenticator app first for the popup to appear.

If you still have not received the push notification, you may sign in another way from the authentication prompt. You can then choose to use a verification code. To retrieve the code, open the Microsoft Authenticator app and tap on your account. You will see a six-digit code that rotates every 30 seconds that will be used to verify your identity.

If you continue to have trouble authenticating, please contact the Technology Support Center.