Information Technology Services
This page provides information about the ITS initiative to implement Multi-Factor Authentication (MFA) on all MSU Denver accounts. If you're looking for information on how to set up or use MFA, please check our MFA KnowledgeBase article instead.
In the ongoing effort to keep student, employee, and University information secure, Information Technology Services (ITS) is implementing Multi-Factor Authentication (also known as MFA or 2-step Authentication) in the MSU Denver Office 365 environment. MFA is a Microsoft-delivered feature which allows an enrolled user to better protect their account by requiring additional authentication steps when logging in. This feature has been applied to all faculty and staff accounts, and will applied to all student accounts before the beginning of the Fall 2020 semester.
If you are a student and would like MFA enabled on your account early, please fill out the MFA Opt-In Form.
Please visit the ITS Knowledgebase for detailed instructions on configuring and using MFA.
Multi-Factor Authentication will be implemented on student accounts in three groups:
- Newly-Accepted Students: Students who are accepted on or after July 1st will automatically have MFA enabled on their account.
- Students not Enrolled in Summer Semester: Students not enrolled in Summer classes will have MFA enabled on their accounts beginning July 15th and continuing through the end of the semester. Activations will occur in waves every other day, with each daily group being created alphabetically by username:
- A: Wednesday, July 15th
- C-D: Friday, July 17th
- E-G: Tuesday, July 21st
- H-J: Thursday, July 23rd
- K-L: Monday, July 27th
- M-P: Wednesday, July 29th
- Q-T: Friday, July 31st
- B & U-Z: Tuesday, August 4th
- Summer Students: To avoid any complications with accessing classes during the online-only Summer semester, Summer students will have MFA enabled on their accounts the week of August 10th, after Summer grades are posted but before Fall classes begin. Activations will be spread through the week, with each daily group being created alphabetically by username. An exact schedule will be posted once it's been finalized.
Q: What services will be protected by MFA?
A: MFA will apply to all services below. Please note this list is subject to change as services are added to Office 365 Single Sign-on.
- Your Office 365 email account through the web.
- Office 365 collaboration applications, such as Outlook, Skype for Business, and Teams.
- Office 365 OneDrive, and any Office 365 client applications that integrate with it, such as Word, Excel, and PowerPoint.
- MSU Denver web services integrated with office 365 Single Sign-on, such as Blackboard, RAVE, Slate, and Academic Works.
Q: How often will I need to use my second authentication factor?
A: Campus network locations and the MSU Denver WiFi network are whitelisted for MFA, so users are only prompted to use their second authentication factor on unsecured or off-campus networks. In these situations, the frequency of MFA prompts will depend on the applications and devices being used. Typical single-computer users on the web version of Outlook should only receive a login prompt once a day, while users on a client version of Outlook (either desktop or mobile app) may see prompts more infrequently. Remember that the Office 365 Single Sign-on service allows your login session to persist between applications, e.g. if you're logged in to Blackboard and your session is still active (you haven't logged out or timed out due to inactivity), you can open Outlook on the web on the same device without a second login prompt.
Q: Whose accounts will have MFA enabled?
A: MFA is currently enabled for all faculty and staff accounts. Student accounts will have MFA enabled before the beginning of Fall semester (please see the Implementation Schedule above), but any interested student can request MFA before their scheduled activation date. If you would like to do so, please fill out the MFA Opt-In Form.
Q: How do I update my MFA settings after I've set it up?
A: Please visit our Knowledgebase page on MFA for instructions.
Q: Other organizations let me get a code via SMS text message. Why can't I set up MFA that way here?
A: The National Institute of Standards and Technology (NIST) recently published NIST Special Publication 800-63: Digital Identity Guidelines which has put both phone- and SMS-based One Time Password (OTP) options on a restricted list, noting that the rise in phone SIM card hijacking has made these authentication methods insecure. The MSU Denver Information Security team has determined phone-based OTP is an acceptable risk but have chosen not to accept the risk of SMS OTP in our environment. In the event phone-based OTP is deprecated by NIST, a migration plan will be created to move anyone using phone-based OTP to an acceptable authentication method.
Q: (Faculty/Staff) Can I use my Skype for Business phone number as my second authentication factor?
A: Yes. However, anyone who works offsite should keep their second authentication factor in mind. Ideally, you should have more than one authentication method set up to make sure you can always verify a second authentication factor no matter where you are. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: Can I set up more than one authentication method?
A: Yes, and ITS strongly encourages it! We recommend setting up a personal phone (either via call or mobile app) as well as your Skype for Business phone. Additional authentication factors can be set up by accessing your Office 365 account online, then navigating to My Account > Security & privacy > Additional security verification.
Q: What if I don't have a cell phone, or don't want to use my cell phone?
A: Cell phones are commonly used in MFA environments because they have their own security and are generally associated with an individual, allowing them to function as a digital ID badge. While you could use a static phone number instead, this may create situations where you are unable to access your account if you are unable to access this phone. If you do not have a phone, please contact ITS for assistance.
Q: How do I set up the Microsoft Authenticator app?
A: Please visit Microsoft's website for detailed instructions on how to set up the Microsoft Authenticator app.
Q: Can I use a different authenticator app than the one provided by Microsoft?
A: MSU Denver IT Services only supports the Microsoft authenticator app. Other apps may work, but are not supported.
Q: What happens if I deny a prompt for approval from the Microsoft Authenticator app?
A: When you select the 'Deny' action on an approval prompt, you are indicating that someone other than you has gained access to your password and is attempting to log in to your account. If this happens, your account will be locked for 24 hours. Therefore, we only recommend selecting the 'Deny' action if you believe both your password and one of your second authentication factors have been compromised. Otherwise, it may be preferable to allow the notification to expire, change your password, and contact ITS instead.
Q: If I authenticate with a personal phone number, will I be charged for the call?
A: Please check with your service provider.
Q: If I authenticate with the Microsoft Authenticator app, will I be charged for the data use?
A: You will not be charged for data use if your device is on a WiFi connection. Please check with your service provider.
- Knowledgebase page on MFA
- Set up 2-step verification for Office 365
- Use Microsoft Authenticator with Office 365