Setting up MFA
Questions, Answers, Setup and Changes
March 2021
Questions and Answers
Multi-Factor Authentication (MFA) – what is it?
MFA is a powerful security tool to help keep your account safe by adding an additional layer of verification beyond your StarID and password. MFA will first be used when logging into your Microsoft Office 365 account.
How does MFA actually work?
The first time you open Office 365 applications and resources on your desktop, mobile device, or using a web-based browser, it will ask for your Login ID and password.
If you are a student, use STARID@go.minnstate.edu
Faculty and staff, use STARID@minnstate.edu
You will then be prompted by the system letting you know there is additional information needed – this starts MFA verification when you click “Next.”
Depending on which ways you want MFA to validate your login, the system will prompt how it is contacting you to verify it’s really you logging in.
There’s more than one way to use MFA?
Yes! There are several options for using MFA, and multiple authentication methods can be implemented at the same time for the same account holder.
- Mobile Devices
Apple iPhones and iPads, Android phones and tablets, and Chromebooks are considered mobile devices. Depending on the capabilities of your particular device, some or all of the methods below can be used.
- Microsoft (MS) Authenticator App - Recommended
- Text message receiving MFA code
- Third-party authentication app, such as Google or LastPass
- Voice call saying MFA code*
- Voice-Capable Devices*
Any device that can receive a phone call that is answered in real time is considered a voice-capable device. Examples are:
- Any physical phone at home or work, connected to telephone line or internet connection for voice calls.
- A non-physical “softphone,” such as software installed on your computer, an app on your mobile device, or through a web browser, can be used.
- As long as the incoming call can be answered “live,” you can use voice calling as a method. You should NOT use a “shared” phone that can be accessible by several people, such as a department’s main phone number.
Do I pick just one MFA method?
You can choose more than one method and more than one device to use MFA. In fact, it is recommended to use at least two (2) different methods and, if at all possible, two (2) different devices, using the second device as an emergency backup in case your primary method or device fails or you simply forgot your device at home. Examples:
- Use the MS Authenticator app on your primary device you have with you all the time (mobile phone, iPad, etc.) and set up text messaging for the MFA code on a secondary device, like your spouse’s or trusted family member’s device.
- Set up texting on your primary device, then set up voice call on your secondary device, like your work or home voice line.
It is recommended to use the MS Authenticator app as your primary authentication method.
Does my device used for MFA always have to be connected?
“Connection” means the ability for the device to receive inbound communications. For mobile devices, it does not matter if the device uses cellular or wireless (WiFi) connectivity. For phones, it can be traditional phone line, wired, or WiFi connectivity.
After initial setup for the device, which requires a connection, some methods can be used while disconnected, or “offline.” These include the MS Authenticator or other third-party apps that support offline code generation, such as Google Authenticator or LastPass Authenticator.
Text messaging, voice calls, and MS Authenticator’s Notifications require connection.
None of these methods will work for me. What should I do?
If you don’t believe any of the options for MFA will work due to your unique situation, please contact <College.University Name>’s IT <Department.Service Desk> to discuss – there are some additional methods that could work for you!
What if I have other questions or encounter issues with MFA?
IT is here to help. We want this experience to be easy for you. If you have any questions, have trouble setting up MFA, or have issues after successfully using MFA, please contact us.
BEFORE YOU BEGIN
To successfully set up MFA, you should:
- Review, understand the set up, and pick which MFA method(s) you will be using.
- Know which methods are supported by each device you want to use for MFA.
* It is recommended to set up at least two different methods and, if at all possible, two different devices. Remember you can Mix ‘N Match and have MFA configured on multiple devices!
(If two different devices are not possible, use at least two different methods on your primary device.)
- Prepare to have all the devices available and connected to your cellular, WiFi, or other connection to successfully confirm enabling MFA for that device.
- IF using an authenticator app on your mobile device, such as the MS Authenticator app, download and install the app from Apple’s App Store or Google’s Play Store before starting the MFA process.
- IF using a spouse or trusted relative’s mobile phone as a secondary device, you do NOT have to have it in your possession. You can voice or video call with them and walk them through what needs to be configured on their device.
- IF you selected receiving a voice call on a phone, you will need to have it in your possession to answer the call. MFA does not work by leaving a message on voicemail or with any other kind of automated response to the call.
First-Time Setup Wizard
New Accounts
If you have not logged into your account before, the MFA Setup Wizard will guide you in setting up MFA for your account.
Existing Accounts
If you already had an account and did not set up and enable MFA yourself before it was enabled for you, the MFA Setup Wizard will appear to complete MFA setup the next time you log in to Office 365. Even if you are already logged in, the MFA Setup Wizard will appear at some point to have you complete MFA.
Notice
You need to complete the MFA Wizard before you can access your emails and other information in Office 365. If you do not complete the Wizard successfully or cancel the Wizard, you will not be able to access your emails, files, or applications in Office 365 until MFA is successfully configured and verified.
Instructions for the MFA First-Time Setup Wizard can be found HERE, or copy and paste the following link into your browser:
https://mnscu.sharepoint.com/:w:/s/SO-SecurityTeam/EZauFXGg0EZPuCZmKUzY7K4BQcOa8tm01z1UxZbYjohb0g?e=kXHjAq
Changes to MFA
Need to add additional verification methods or make changes?
You can add additional ways to use MFA, and you can use more than one way at the same time to ensure you are able to use MFA in case any issues are encountered on the primary method you picked.
Also, there may be times when you need to change information in MFA. Good examples are if you changed your mobile or office phone number, or need to set up the Authenticator app on a new mobile device you have.
To add or make changes to MFA, click HERE or open an internet browser and go to https://aka.ms/mfasetup. If you are not already signed in with your account, the page will prompt you to log in. Once you are logged in, it will open two (2) tabs or windows. Click on the “Additional security verification” tab to make additions or changes.
Select your “Preferred method”
Selecting your preferred method lets MFA know which method to use first before using the other methods you have configured. Simply click on the drop-down list and click on your preferred method.
*As stated earlier, it is recommended to use the MS Authenticator app as your primary authentication method.
Note below are all of the MFA methods available and you can “Set up one or more of these options.”
To set up all of the methods you want to use, simply click on the check box and enter the necessary information. For an authenticator app or in rare instances where a physical security token is necessary (discuss with IT first), an additional dialogue will appear (below).
Method #1 – Microsoft Authenticator app
- Have MS Authenticator downloaded and installed on the mobile device(s) you will be setting up Authenticator on.
- On the “Additional Security Verification” page, select “Notify me through app” as your Preferred method.
- Click the check box for “Authenticator app or Token,” then click on “Set up Authenticator app.”
You will now see the Authenticator App screen displayed:
- Open MS Authenticator on your device, and use the camera to take a picture of the QR code displayed on your device!
If the QR code does not work, you can manually enter the information below the QR code.
- MFA will now send a verification message with an “Approve or Deny” to your device. Click on “Approve” to verify.
- If you prefer to use the code generated by MS Authenticator as your primary method, select “Use verification code from app or token.”
You can register MS Authenticator on more than one device, repeating the steps above.
Method #2 – Text Message Authorization Code
- On the “Additional Security Verification” page, select “Text code to my authentication phone” as your Preferred method.
- Click the check box for “Authentication Phone,” then enter your device phone number.
- MFA will now send a code to your device that you will need to enter. Enter the code on the “Verifying phone” dialogue and click on “Verify.”
Method #3 – Enter generated code from app
- Have the Microsoft Authenticator or third-party authenticator app downloaded and installed on the mobile device(s) you will be setting up MFA on.
- On the “Additional Security Verification” page, select “Use verification code from app or token” as your preferred method.
- Check the box on “Authenticator app or Token,” then click on “Set up Authenticator app.”
- Next to the QR code, click on “Configure app without notifications,” which will update the QR code and other information.
- Once the QR information has changed, use the camera to take a picture of the QR code.
If the QR code does not work, you can manually enter the information below the QR code.
- A dialogue will prompt you to “Enter the verification code displayed on your app.” Enter the code generated from your device, then click on “Verify.”
Method #4 – Calling your Authentication phone
- Have the primary device on which you will be receiving the MFA voice call available.
- On the MFA setup page, select “Call my Authentication phone” as your preferred option.
- Check the “Authentication phone” check box and enter your device’s phone number.
- An MFA dialogue will appear, prompting “Verifying phone: Answer it to continue…”
- The incoming MFA call will display “RESTRICTED” on your device.
- Answer the call, listen to the instructions, and press the requested key or key combination to validate your phone.
Method #5 – Calling your Office Phone
- Have the office phone on which you will be receiving the MFA voice call available.
- On the MFA setup page, select “Call my Office phone” as your preferred option.
- Check the “Office phone” check box and enter your device’s phone number. If you have a personal (not shared) extension, please enter it in the “Extension” field.
- An MFA dialogue will appear, prompting “Verifying phone: Answer it to continue…”
- The incoming MFA call will display “RESTRICTED” on your device.
- Answer the call, listen to the instructions, and press the requested key or key combination to validate your phone.
NOTE: The “Office phone” information will NOT be validated if you do not use it as your preferred option. However, you can use it as an alternate method.
To ensure everything is working properly, it is recommended you validate your Office phone setup using the “Sign in a different way” instructions, which are part of the “Using MFA” documentation, found HERE.
Additional Methods
There are additional ways to have MFA work for you if none of the methods are available. Please contact <College.University Name>’s IT <Department.Service Desk> to discuss your situation.
Alternate Authentication Phone
It is strongly recommended to set up a second device as an alternate authentication phone to ensure you will still be able to use MFA in the event:
- Your primary device’s app or the device itself stops working.
- Your device gets damaged, lost, or stolen.
- You simply forgot your device at home.
- On the MFA setup page, check the “Alternative authentication phone” check box, select the “Country Code” then enter the phone number.
- Check the “Office phone” check box and enter your device’s phone number. If you have a personal (not shared) extension, please enter it in the “Extension” field.
NOTE: The Alternate authentication phone information will NOT be validated when you save your MFA settings.
- Verify you have selected the correct “Country Code” and phone number you wish to use.
- To ensure everything is working properly, it is recommended you work with the owner (spouse or trusted family member) of the Alternate authentication phone to verify it is set up correctly, using the “Sign in a different way” instructions, which are part of the “Using MFA” documentation, found HERE.
Save!
- Once you have everything set up, click on “Save”
- You will be brought to your Microsoft Office 365 account page
- Close both the Microsoft Account and MFA pages.
Always be on your guard!
Even with MFA, criminals and bad actors will try ways to scam you!
- NO ONE, including <College.University Name>, will ever call you to ask you to press “Approve” on a notification or to give them your Authenticator app or texted code. NEVER GIVE OUT THIS INFORMATION.
- THINK BEFORE YOU AUTOMATICALLY APPROVE. If you were not logging into your account yourself, and were not expecting it…
- DO NOT ANSWER an “Approval” request coming from your Authenticator app.
- DO NOT ENTER THE REQUEST KEY(S) if you receive a voice call on your mobile device, office, or alternate phone. Ensure your spouse or trusted family doesn’t automatically enter the key(s) without checking with you first.