Information Technology Services
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA, also known as 2-step authentication) is a Microsoft-delivered account security feature which allows enrolled users to better protect their MSU Denver NetID by requiring additional authentication steps when logging in, such as approving a push notification on a smartphone or entering a code received from a phone call.
This feature is being implemented on all faculty and staff accounts as part of the Multi-Factor Authentication initiative. If you are a student and would like to have MFA enabled on your MSU Denver NetID, please contact the MSU Denver Helpdesk.
Once your NetID has been enrolled in MFA, use the following steps to set up your additional authentication factors and ensure the best experience with the feature.
1) The first time you log in after your NetID has been enrolled in MFA, you will be greeted with a prompt indicating the system requires more information to keep your account secure. Click Next. (Note: This is a similar screen to what you might see when setting up account recovery, but these are different features.)
2) On the next screen, you will be prompted to set up additional security verification. ITS recommends setting up more than one of the available options, ensuring you have a backup option(s) in case your preferred option is unavailable. The available options include:
- Authentication Phone: You will receive a phone call at this number each time your account needs to authenticate.
- Office Phone: Similar to the Authentication Phone option, you will receive a phone call at this number each time your account needs to authenticate.
- Mobile App: You will need to enter a verification code from your chosen authenticator mobile app (ex. Microsoft Authenticator, Google Authenticator, Duo Mobile) each time your account needs to authenticate. If you are using the Microsoft Authenticator app, you can instead receive a push notification which you can simply tap 'Approve' on. Microsoft Authenticator is currently the only app supported by MSU Denver IT Services.
3) If you chose the Mobile App option, make sure you have an authenticator app installed (please visit Microsoft's support website for detailed instructions on setting up the Microsoft Authenticator app), then follow the prompts on the page to add your account to the app and verify the authentication works.
Follow these instructions if you would like to add, remove, or update an authentication method, or change which authenticator your account uses by default.
1) Log in to your Office 365 account through a web browser.
2) Click the bubble in the top-right corner of the window where either your picture or your initials are displayed, then choose My Account.
3) On the next page, select Security & privacy on the left.
4) Select the Additional security verification to expand those options, then select Update your phone numbers used for account security.
5) The next screen will allow you to set the default option that your account will ask for when you log in, as well as add new contact options, or update or remove existing ones.
ITS recommends the following:
- Set up more than one of the available options, ensuring you have a backup option(s) in case your preferred option is unavailable.
- Add your office phone in the "Alternate authentication section" (the integrated "Office phone" option does not work at this time).
Q: What services will be protected by MFA?
A: MFA will apply to all services below. Please note this list is subject to change as services are added to Office 365 Single Sign-on.
- Your Office 365 email account through the web.
- Office 365 collaboration applications, such as Outlook, Skype for Business, and Teams.
- Office 365 OneDrive, and any Office 365 client applications that integrate with it, such as Word, Excel, and PowerPoint.
- MSU Denver web services integrated with office 365 Single Sign-on, such as Blackboard, RAVE, Slate, and Academic Works.
Q: How often will I need to use my second authentication factor?
A: The frequency of MFA prompts will depend on the applications and devices being used. Typical single-computer users on the web version of Outlook should only receive a login prompt once a day, while users on a client version of Outlook (either desktop or mobile app) may see prompts more infrequently. Remember that the Office 365 Single Sign-on service allows your login session to persist between applications, e.g. if you're logged in to Blackboard and your session is still active (you haven't logged out or timed out due to inactivity), you can open Outlook on the web on the same device without a second login prompt. ITS plans to whitelist campus network locations and the MSU Denver WiFi network after the implementation for faculty and staff is complete; after this, users will only be prompted to use their second authentication factor on unsecured or off-campus networks.
Q: How do I set up MFA once ITS has enabled it on my account?
A: Please see the section above titled How to Configure MFA.
Q: How do I update my MFA settings after I've set it up?
A: Please see the section above titled How to update your MFA information.
Q: Other organizations let me get a code via SMS text message. Why can't I set up MFA that way here?
A: The National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-63: Digital Identity Guidelines which has put both phone- and SMS-based One Time Password (OTP) options on a restricted list, noting that the rise in phone SIM card hijacking has made these authentication methods insecure. The MSU Denver Information Security team has determined phone-based OTP is an acceptable risk but have chosen not to accept the risk of SMS OTP in our environment. In the event phone-based OTP is deprecated by NIST, a migration plan will be created to move anyone using phone-based OTP to an acceptable authentication method.
Q: Can I use my Skype for Business phone number as my second authentication factor?
A: Yes. However, anyone who works offsite should keep their second authentication factor in mind. Ideally, you should have more than one authentication method set up to make sure you can always verify a second authentication factor no matter where you are. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: Can I set up more than one authentication method?
A: Yes, and ITS strongly encourages it! We recommend setting up a personal phone (either via call or mobile app) as well as your Skype for Business phone. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: What if I don't have a cell phone, or don't want to use my cell phone?
A: Cell phones are commonly used in MFA environments because they have their own security and are generally associated with an individual, allowing them to function as a digital ID badge. While you could use a static phone number instead, this may create situations where you are unable to access your account if you are unable to access this phone.
Q: How do I set up the Microsoft Authenticator app?
A: Please visit Microsoft's website for detailed instructions on how to set up the Microsoft Authenticator app.
Q: Can I use a different authenticator app than the one provided by Microsoft?
A: While Microsoft supports the Microsoft, Google, and Duo authenticator apps, MSU Denver IT Services only supports Microsoft's authenticator app. Other apps may work, but are not supported.
Q: What happens if I deny a prompt for approval from the Microsoft Authenticator app?
A: When you select the 'Deny' action on an approval prompt, you are indicating that someone other than you has gained access to your password and is attempting to log in to your account. If this happens, your account will be locked for 24 hours. Therefore, we only recommend selecting the 'Deny' action if you believe both your password and one of your second authentication factors have been compromised. Otherwise, it may be preferable to allow the notification to expire, change your password, and contact ITS instead.
Q: If I authenticate with a personal phone number, will I be charged for the call?
A: Please check with your service provider.
Q: If I authenticate with the Microsoft Authenticator app, will I be charged for the data use?
A: Please check with your service provider.
Last Update: September 2019
If you have additional questions, concerns, or need immediate assistance - Please contact the MSU Denver Helpdesk.