Information Technology Services
In the ongoing effort to keep student, employee, and University information secure, Information Technology Services (ITS) is implementing Multi-Factor Authentication (MFA, also known as 2-step Authentication) in the MSU Denver Office 365 environment. MFA is a Microsoft-delivered feature which allows an enrolled user to better protect their account by requiring additional authentication steps when logging in. This feature will be applied to all faculty and staff accounts by the end of the year, and will be available for students on request.
Please visit the ITS Knowledgebase for detailed instructions on configuring and using MFA.
MFA will be applied to all faculty and staff accounts by department on the following weekly schedule:
Q: What services will be protected by MFA?
A: MFA will apply to all services below. Please note this list is subject to change as services are added to Office 365 Single Sign-on.
- Your Office 365 email account through the web.
- Office 365 collaboration applications, such as Outlook, Skype for Business, and Teams.
- Office 365 OneDrive, and any Office 365 client applications that integrate with it, such as Word, Excel, and PowerPoint.
- MSU Denver web services integrated with office 365 Single Sign-on, such as Blackboard, RAVE, Slate, and Academic Works.
Q: How often will I need to use my second authentication factor?
A: The frequency of MFA prompts will depend on the applications and devices being used. Typical single-computer users on the web version of Outlook should only receive a login prompt once a day, while users on a client version of Outlook (either desktop or mobile app) may see prompts more infrequently. Remember that the Office 365 Single Sign-on service allows your login session to persist between applications, e.g. if you're logged in to Blackboard and your session is still active (you haven't logged out or timed out due to inactivity), you can open Outlook on the web on the same device without a second login prompt. ITS plans to whitelist campus network locations and the MSU Denver WiFi network after the implementation for faculty and staff is complete; after this, users will only be prompted to use their second authentication factor on unsecured or off-campus networks.
Q: Whose accounts will have MFA enabled?
A: MFA will be enabled for all faculty and staff accounts by the end of 2020 (please see the implementation timeline above). Additionally, any interested student can request MFA be enabled on their account. If you would like to do so, please contact the ITS Helpdesk at 303-352-7548 or support.msudenver.edu.
Q: How do I update my MFA settings after I've set it up?
A: Please visit our Knowledgebase page on MFA for instructions.
Q: Other organizations let me get a code via SMS text message. Why can't I set up MFA that way here?
A: The National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-63: Digital Identity Guidelines which has put both phone- and SMS-based One Time Password (OTP) options on a restricted list, noting that the rise in phone SIM card hijacking has made these authentication methods insecure. The MSU Denver Information Security team has determined phone-based OTP is an acceptable risk but have chosen not to accept the risk of SMS OTP in our environment. In the event phone-based OTP is deprecated by NIST, a migration plan will be created to move anyone using phone-based OTP to an acceptable authentication method.
Q: Can I use my Skype for Business phone number as my second authentication factor?
A: Yes. However, anyone who works offsite should keep their second authentication factor in mind. Ideally, you should have more than one authentication method set up to make sure you can always verify a second authentication factor no matter where you are. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: Can I set up more than one authentication method?
A: Yes, and ITS strongly encourages it! We recommend setting up a personal phone (either via call or mobile app) as well as your Skype for Business phone. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: What if I don't have a cell phone, or don't want to use my cell phone?
A: Cell phones are commonly used in MFA environments because they have their own security and are generally associated with an individual, allowing them to function as a digital ID badge. While you could use a static phone number instead, this may create situations where you are unable to access your account if you are unable to access this phone.
Q: How do I set up the Microsoft Authenticator app?
A: Please visit Microsoft's website for detailed instructions on how to set up the Microsoft Authenticator app.
Q: Can I use a different authenticator app than the one provided by Microsoft?
A: While Microsoft supports the Microsoft, Google, and Duo authenticator apps, MSU Denver IT Services only supports the Microsoft authenticator app. Other apps may work, but are not supported.
Q: What happens if I deny a prompt for approval from the Microsoft Authenticator app?
A: When you select the 'Deny' action on an approval prompt, you are indicating that someone other than you has gained access to your password and is attempting to log in to your account. If this happens, your account will be locked for 24 hours. Therefore, we only recommend selecting the 'Deny' action if you believe both your password and one of your second authentication factors have been compromised. Otherwise, it may be preferable to allow the notification to expire, change your password, and contact ITS instead.
Q: If I authenticate with a personal phone number, will I be charged for the call?
A: Please check with your service provider.
Q: If I authenticate with the Microsoft Authenticator app, will I be charged for the data use?
A: Please check with your service provider.
- Knowledgebase page on MFA
- Timeline of MFA Implementation - Searchable PDF version
- Set up 2-step verification for Office 365
- Use Microsoft Authenticator with Office 365