What is Multi-Factor Authentication (MFA)?
Multi-factor authentication is a process where you are asked to provide multiple forms of identification, such as a password and a code from your cellphone.
The use of multiple forms of identification protects your account in case your password is leaked or hacked, because the hacker does not have your additional forms of identification.
Multi-Factor Authentication works by requiring two or more of the following authentication methods:
- Something you know, typically a password.
- Something you have, a trusted device like a phone or hardware key.
- Something you are, biometrics such as a fingerprint or face scan.
MFA-registered accounts are up to 99.9% less likely to be compromised.
All faculty, staff, students, and university partners/contractors who receive a university account must use MFA.
Microsoft Authenticator (Preferred Method)
- Microsoft Authenticator is the preferred solution for approving MFA requests. It provides simple push notifications so the user does not have to enter codes into the authentication dialogue, and can generate 6-digit TOTP codes if needed.
- Users can receive text messages / SMS containing codes they can enter to approve the authentication.
- Users can register a cell or landline phone number to receive a call that prompts them to approve the authentication.
Trusted Devices and Locations
To make MFA rollout as smooth as possible, we have created two scenarios where your location or device will act as the additional authentication factor for MFA:
- Logins from on-campus will not receive an additional MFA challenge (satisfied with something you know and somewhere you are).
- Logins from University-owned and managed machines will not require an MFA challenge (please contact firstname.lastname@example.org to use this option).
Other Time-based One-time Password algorithm (TOTP) Authenticators
MFA works with any third-party authenticator that uses the TOTP protocol. This allows users to use an existing TOTP authenticator they may already have for their bank, personal email account, or video game service. While the University allows the use of third-party applications as an MFA factor, we cannot provide support for them due to the variety of solutions available.
- Mobile TOTP Applications: Authenticator apps such as Google Authenticator, LastPass, Duo, and Authy are all compatible with Microsoft MFA. Several authenticator apps are also available for Android Wear and the Apple Watch.
- Desktop TOTP Applications: Desktop applications such as WinOTP Authenticator for Windows, Step Two for macOS, and KeePassXC for Linux (and other platforms) are also compatible.
- Web Based TOTP Applications: Web services such as Authy can provide TOTP generation. Some of these web services also have companion apps for mobile and desktop devices.
- Hardware TOTP Tokens: Stand-alone TOTP authenticators are generally available and will work with Microsoft MFA. YubiKeys are also supported, though they require use of the Yubico Authenticator to generate TOTP codes.
Single-Factor-Only Applications (POP, IMAP, SMTP)
- Microsoft MFA can support application passwords to allow users to continue to use legacy mail applications that communicate using POP, IMAP, and SMTP. Clients using these protocols were not created to handle a multi-factor authentication dialogue, so application-specific passwords (single-factor passwords that are only usable for POP, IMAP, and SMTP) are required. To use application passwords, please contact email@example.com. This configuration will require you to always use two-factor authentication for all new authentications (with a 90-day renewal frequency), regardless of location or device management.
You can update your authentication methods here.
Click on "Add Method" and add whichever method you wish.
If a user is in need of special accommodation, please contact firstname.lastname@example.org. We are happy to work with you to get your personal device or adaptive technology configured to seamlessly support MFA.