Skip to main content Skip to main content

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (also known as MFA or 2-step authentication) is an account security feature which allows enrolled users to better protect their MSU Denver NetID by requiring additional authentication steps when logging in, such as approving a push notification on a smartphone or entering a code received from a phone call.

This feature is being implemented on all MSU Denver accounts as part of the Multi-Factor Authentication initiative. MFA has already been implemented on all faculty and staff accounts, and will be implemented on all student accounts before the beginning of the Fall 2020 semester. For more details on the student implementation schedule, please check the Multi-Factor Authentication initiative page.

If you would like MFA enabled on your account before your scheduled activation date, please fill out the MFA Opt-In Form.


Microsoft Authenticator App

Icon for Microsoft Authenticator

IT Services strongly recommends using the Microsoft Authenticator app as your preferred MFA authenticator. The benefits of the app include:

  • Convenient, one-touch push notifications to verify sign-in.
  • A changing key token that can be used even when your device has no connectivity.
  • Simple, lightweight installation on a smartphone or tablet.

How to set up MFA for the first time using the Authenticator App

1) The first time you log in after your NetID has been enrolled in MFA, you will be greeted with a prompt indicating the system requires more information to keep your account secure. Click Next. (Note: This is a similar screen to what you might see when setting up account recovery, but these are different features.)

Prompt for additional information when logging in for the first time with MFA enabled

 

2) On the next screen, you will be prompted to set up additional security verification. Select Mobile App from the drop-down menu, then select how you want to use the mobile app. ITS recommends the Receive notifications for verification option.

Menu options when setting up MFA for the first time

 

3) Click the Set up button to be taken to a screen that will allow you to configure the mobile app. Leave this screen open while you set up the app on your device.

Mobile app configuration step when setting up MFA for the first time

 

4) On your mobile device, go to your app store, then search for and install the Microsoft authenticator app. Allow the app to have the required permissions when prompted.

5) Use the app to scan the QR code from your computer screen. This will add your account to the app and complete the setup. (You can also manually enter the text from the above screen into the app to add your account).

You can adjust your MFA settings at any time from within your MSU Denver Office 365 account, including what method(s) you use as your second authentication factor. If you have multiple authenticators, you can also select which one you are normally prompted for when logging in.

 

1) Log in to your MSU Denver email account through a web browser.

2) Click the bubble in the top-right corner of the window where either your picture or your initials are displayed, then choose My Account.

Appearance of the O365 menu when clicking the portrait or initials

 

3) On the next page, find the Security info panel and select Additional Security Verification.

Appearance of the O365 My Account menu

 

4) On the next screen, beneath "what's your preferred option?", select Notify me through app from the drop-down menu.

5) Check the Authenticator app or token box, then click Set up Authenticator app.

 

Options menu to change MFA settings

 

6) The next screen that will allow you to configure the mobile app. Leave this screen open while you set up the app on your device.

Mobile app configuration step when setting up MFA for the first time

 

7) On your mobile device, go to your app store, then search for and install the Microsoft authenticator app. Allow the app to have the required permissions when prompted.

8) Use the app to scan the QR code from your computer screen. This will add your account to the app and complete the app setup. (You can also manually enter the text from the above screen into the app to add your account).

9) Back on your computer, click Next, then click Save at the bottom of the window.

10) In the next window, click Verify preferred option.

Example prompt when changing to use the Microsoft Authenticator for MFA

 

11) Look for the sign-in approval notification on your device. Once you receive it, press Approve.

Example prompt when approving an MFA notification from the Microsoft Authenticator app

12) A final window will notify you if the authentication was successful.

ITS encourages listing an alternate phone number or registering the mobile app on a second device (e.g. tablet) so you have a backup authenticator available if something happens to your primary device. You can update these settings at any time as your phone numbers or devices change.

 

1) Log in to your MSU Denver email account through a web browser.

2) Click the bubble in the top-right corner of the window where either your picture or your initials are displayed, then choose My Account.

Appearance of the O365 menu when clicking the portrait or initials

 

3) On the next page, find the Security info panel and select Additional Security Verification.

Appearance of the O365 My Account menu

 

4) On the next screen, check the box next to Alternate authentication phone.

5) Select your country code, then type your 10-digit phone number.

Screenshot of MFA setup menu for setting up additional phone numbers

 

6) Click Save to submit your changes.

The Microsoft Authenticator app can also work like a hardware token. When you open the app on your device, it displays a 6-digit code that changes every 30 seconds. This code is always synced to your account, even if your phone has no connectivity, so you can use this code to sign in at any time.

1) At the MFA verification screen, click "Sign in another way".

Prompt received when MFA is enabled on an O365 account

 

2) The next screen will display all authentication methods you've set up at that point. Select "Use a verification code from my mobile app".

Menu for selecting alternate authentication factors, if more than one is set up

 

3) Open the Authenticator app on your device and find the current 6-digit code being displayed.

4) Type the current 6-digit code into the Enter Code screen, then click Verify.

If you have set up a backup authenticator, you can use select that authenticator whenever you log in by clicking the "Sign in another way" link.

Prompt received when MFA is enabled on an O365 account

 

The screen that follows will let you select from any authentication method you've set up at that point.

Menu for selecting alternate authentication factors, if more than one is set up

 

If you have not set up a backup, or none of your backups available, please contact the ITS Service Desk at 303-352-7548 for assistance.

Q: What services will be protected by MFA?
A: MFA will apply to all services below. Please note this list is subject to change as services are added to Office 365 Single Sign-on.

  • Your Office 365 email account through the web.
  • Office 365 collaboration applications, such as Outlook, Skype for Business, and Teams.
  • Office 365 OneDrive, and any Office 365 client applications that integrate with it, such as Word, Excel, and PowerPoint.
  • MSU Denver web services integrated with office 365 Single Sign-on, such as Blackboard, RAVE, Slate, and Academic Works.

Q: How often will I need to use my second authentication factor?
A: Campus network locations and the MSU Denver WiFi network are whitelisted for MFA, so users are only prompted to use their second authentication factor on unsecured or off-campus networks. In these situations, the frequency of MFA prompts will depend on the applications and devices being used. Typical single-computer users on the web version of Outlook should only receive a login prompt once a day, while users on a client version of Outlook (either desktop or mobile app) may see prompts more infrequently. Remember that the Office 365 Single Sign-on service allows your login session to persist between applications, e.g. if you're logged in to Blackboard and your session is still active (you haven't logged out or timed out due to inactivity), you can open Outlook on the web on the same device without a second login prompt.

Q: Other organizations let me get a code via SMS text message. Why can't I set up MFA that way here?
A: The National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-63: Digital Identity Guidelines which has put both phone- and SMS-based One Time Password (OTP) options on a restricted list, noting that the rise in phone SIM card hijacking has made these authentication methods insecure. The MSU Denver Information Security team has determined phone-based OTP is an acceptable risk but have chosen not to accept the risk of SMS OTP in our environment. In the event phone-based OTP is deprecated by NIST, a migration plan will be created to move anyone using phone-based OTP to an acceptable authentication method.

Q: Can I use my Skype for Business phone number as my second authentication factor?
A: Yes. However, anyone who works offsite should keep their second authentication factor in mind. Ideally, you should have more than one authentication method set up to make sure you can always verify a second authentication factor no matter where you are. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.

Q: Can I set up more than one authentication method?
A: Yes, and ITS strongly encourages it! We recommend setting up a personal phone (either via call or mobile app) as well as your Skype for Business phone. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.

Q: What if I don't have a cell phone, or don't want to use my cell phone?
A: Cell phones are commonly used in MFA environments because they have their own security and are generally associated with one person, allowing them to function as a digital ID badge. While you could use a static phone number instead, this may create situations where you are unable to access your account if you are unable to access this phone. If you do not have a phone, please contact ITS for assistance.

Q: Can I use a different authenticator app than the one provided by Microsoft?
A: MSU Denver IT Services only supports Microsoft's authenticator app. Other apps may work, but are not supported.

Q: What happens if I deny a prompt for approval from the Microsoft Authenticator app?
A: When you select the 'Deny' action on an approval prompt, you are indicating that someone other than you has gained access to your password and is attempting to log in to your account. If this happens, your account will be locked for 24 hours. Therefore, we only recommend selecting the 'Deny' action if you believe both your password and one of your second authentication factors have been compromised. Otherwise, it may be preferable to allow the notification to expire, change your password, and contact ITS instead.

Q: If I authenticate with the Microsoft Authenticator app, will I be charged for the data use?
A: You will not be charged for data use if your device is on a WiFi connection. Otherwise, please check with your service provider.

Q: If I authenticate with a personal phone number, will I be charged for the call?
A: Please check with your service provider.

Q: I keep getting prompted to log in on certain phone/computer apps! How do I fix this?
A: Certain apps require an app-specific password to connect to your Office 365 account. Please visit Microsoft's website for more information on how to create an Office 365 app password.

Last Update: July 2020


Further Assistance


If you have additional questions, concerns, or need immediate assistance - Please contact the MSU Denver Helpdesk.


 


Edit this page