Why do I have to have Multi Factor Authentication enabled on my account?
Azure Multi-Factor Authentication (MFA) helps safeguard access to data and applications while maintaining simplicity for you the end user. It provides additional security by requiring a second form of authentication and delivers strong authentication via a range of easy to use authentication methods. The security of two-step verification lies in its layered approach. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user's password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:
- Something you know (typically a password)
- Something you have (a trusted device that is not easily duplicated, like a phone)
- Something you are (biometrics)
What happens to my mobile number and who has access to this?
Your mobile device number is secure stored within CIT's office 365 tenant and is only used for the purpose of your account security.
How do I update to a new phone number?
Directly within the Office 365 portal once signed in select the cog wheel in the top right hand corner, from within the search bar type 'MFA' and select the option 'Additional Security Verification' from the drop down select 'Update your phone numbers used for account security' When the new tab opens to the additional security verification section, you can then update your mobile device number.
I want to change from using the text message method to the app method. is this possible?
Yes, absolutely you can change the verification method at anytime. Similar to the method used in 'How do I update to a new phone number' select the cog wheel in the top right hand corner, from within the search bar type 'MFA' and select the option 'Additional Security Verification' from the drop down select 'Update your phone numbers used for account security' When the new tab opens to the additional security verification section. Select the checkbox for Authenticator app or token and select 'Set Up Authenticator app' Follow the setup steps outlined in the how to here.
I want to change from using the app method to the text message method. is this possible?
Yes, absolutely you can change the verification method at anytime. Similar to the method used in 'How do I update to a new phone number' select the cog wheel in the top right hand corner, from within the search bar type 'MFA' and select the option 'Additional Security Verification' from the drop down select 'Update your phone numbers used for account security' When the new tab opens to the additional security verification section. Untick the checkbox for Authenticator app or token and Follow the setup steps outlined in the how to here.
Will I continually have to use MFA all the time?
While on the corporate CIT network, MFA is not required, but should you access any of your Office 365 services from anywhere else you will be challenged for MFA, this also includes CIT WiFi network Eduroam.
I want to manage my devices that have the MFA authenticator app installed on them, is this possible?
Yes, it is possible to view and or edit the listing of devices that you have setup for using the Microsoft Authenticator app on. Within the Office 365 portal once signed in select the cog wheel in the top right hand corner, from within the search bar type 'MFA' and select the option 'Additional Security Verification'. From within the new window you will see a listing of devices that have the authenticator app installed. From here you have the ability to delete any of these devices.
What data does the Authenticator store on my behalf and how can I delete it?
The Microsoft Authenticator app collects three types of information:
- Account info you provide when you add your account. This data can be removed by removing your account.
- Diagnostic log data, which resides only in the app until you choose to Send Logs to Microsoft through the app's Help menu. These log files contain personal data, like your email addresses (such as, email@example.com), server/IP addresses, and device data (such as, device name and operating system version), with the personal data limited to info necessary to help troubleshoot app issues. You can view these log files in the app at any time to see the info being gathered. If you send the log files, the Authentication app engineers can use it to troubleshoot customer-reported issues.
- Non-personally identifiable usage data, such “started add account flow/successfully added account,” or “notification approved.” This data is an integral part of our engineering decisions and helps us determine what features are important to you, and where improvements need to be made in the form of updates to the apps. You, as an app user, see a notification of this data collection on first launch of the app, and are informed that it can be turned off on the app’s Settings page. You can enable or disable this setting at any time.
Do I need to be connected to the Internet or my network to get and use the verification codes?
The codes don't require you to be on the Internet or connected to data, so you don't need phone service to sign in. Additionally, because the app stops running as soon as you close it, it won't drain your battery.
Why does the Microsoft Authenticator app allow you to approve a request without unlocking the device?
You don't have to unlock your device to approve verification requests because all you need to prove is that you have your phone with you. Two-step verification requires proving two things – a thing you know, and a thing you have. The thing you know is your password. The thing you have is your phone (set up with the Microsoft Authenticator app and registered as an MFA proof.) Therefore, having the phone and approving the request meets the criteria for the second factor of authentication.
Why do I get so many prompts to approve my login to Office 365 applications?
Since the main goal of multi-factor authentication is to prevent someone who isn't you from logging into your accounts, the process requires that you approve the login whenever you sign in differently than you did last time. Differently could mean from a different device (mobile phone, home computer, office computer, etc.), a different Web browser, or even a different Office 365 application (OneDrive, Outlook, etc.). Even if you have checked the "don't remind me again for 14 days" option on the login screen if you were prompted, the 14-day grace period only applies to that particular device, application, and browser.
Should I always approve/accept/allow the login prompt?
No. If you are prompted to approve a sign in but haven't tried to sign into anything, there is the possibility that there was an application that automatically started with your password saved attempting to log in, or your sign-in attempt was sent twice (e.g. refreshing a log in page).
If the sign in request appears during a time where you have not attempted to sign in or open applications recently, it may be someone else attempting to access your account without your permission. If you are ever unsure, click deny and contact the Service Desk if you have any questions or concerns regarding your account.