Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is here! Information Technology and Information Security have been working on implementing MFA in order to add an extra layer of security that helps keep your user account safe.

So what is MFA? MFA is an additional step added to a login process to help verify you are really you. If you have ever been to an ATM to make a transaction, you have used a version of MFA. You need two "factors" in order to make a transaction. You need your card (something you have) and you need the PIN (something you know) associated with that card. That is an example of using multiple factors.

When it comes to logging on, you are used to having a username and a password. While those are two different pieces of information, they are actually the same type of factor (something you know). With MFA, you have to use two different types of factor.

According to a report by Microsoft, you are 99.9% less likely to have your account breached if you use MFA.

NOTE: Images below were captured on an iPhone and a Windows 10 PC. If you are using a different phone or computer, the images might look different.

    There are three different types of factors.
     1. Something you know
     2. Something you have
     3. Something you are

    Something you know
    This is the traditional password. The issue with any piece of information that you know is that someone else can come to know it too. If you keep your password secure by following all the best practices (longer length, complexity, never sharing it, not reusing the same password on multiple sites, etc.), you might think you are safe. However, there is an attack technique called brute forcing, where a bad actor simply tries an enormous number of password guesses against a system; given enough attempts, even your super-secure password can eventually be cracked. There are mitigating controls in place, such as account lockouts after too many bad password attempts. Social engineering is also very common: a bad actor tricks a person into revealing their password. A password alone is no longer enough to keep you secure.

    Something you have
    Something that most people have these days is a mobile phone. You browse the web, play games, text your friends, family and coworkers, and on occasion even make a phone call. Since the phone is something you have, it can serve as an additional factor: during the login process you can receive a text message or phone call on it, or use an authentication app installed on it. You can also use a traditional landline phone. That ties you to a specific location such as your home or office, but it is an option for this type of factor as well.

    Something you are
    This factor is you: something that is a part of you. Common examples are fingerprints, facial recognition and iris scans. When you unlock your phone with a fingerprint, that is a use of this type of factor. This is also known as biometrics.

    By combining two of these factors, you significantly decrease the chance that a bad actor can get into your account. The most common combination is a password and a mobile phone. In order to access your account, a bad actor would have to know your password AND have your mobile phone.

    The first step in signing up is to register your additional authentication methods. To do this, visit the website https://aka.ms/mfasetup. Log on with your Winthrop username and password.

    The first time you sign in, you will be asked to provide more information. Click the Next button.

    [Screenshot: More Information Required]

    You will be asked to provide a phone number as your authentication phone. Be sure to select your country or region and enter a phone number. You can use a mobile phone or a landline. Choose the method for the authentication: text message or voice call. If you provided a landline, you must choose Call me.

    [Screenshot: Set up authentication phone]

    You will then either receive a voice phone call asking you to press the # key or a text message with a code. If you went with the text message option, enter the code from the text message into the appropriate field.

    [Screenshot: MFA setup, enter code]

    Once you see the Verification Successful message, you can move to the next screen where you can then set your additional security verification options and choose your default option. You can also set up an authenticator app.

    [Screenshot: Additional Security Verification]

    • Authentication Phone - This is your primary authentication device, typically a mobile phone.

    • Office Phone - This is your office phone number. This is pulled from the online directory. If you have a dedicated line just for you, you can use this. But if you share a line or your phone is an internal-only number, do not use this as an authentication phone number.

    • Alternate Authentication Phone - You can enter a secondary phone number. You could use your home phone or a second mobile phone if you wanted to.

    • Authenticator app or Token - This is where you begin to set up an authenticator app. There is a separate section below on this.

    You need to have at least one authentication method set up. It is STRONGLY recommended you set up two or more options. This way if you do not have access to your primary, you have an alternate way to provide a second authentication factor.

    IMPORTANT: Once you register your authentication methods, you need to send an e-mail to servicedesk@winthrop.edu asking that MFA be enabled on your account.

    If you want to make changes to your phone settings, just go to the website https://aka.ms/mfasetup. Log on and you can make whatever changes you need.

    If you change your preferred option for verification, you will have to verify the change by clicking the Verify preferred option button.
    [Screenshot: Change Default Method]

    You will then be contacted through the new default method in order to verify. Once you approve it, your new default option will be saved.

    Here is a list of the current systems that are using MFA.

    • AppNav/AdminPages

    • Appxtender

    • DegreeWorks

    • Office 365 websites. This includes the Office 365 portal, SharePoint, web-based Outlook, etc.

    • Safe Colleges

    • Secure file transfer system through files.com

    • WebFocus

    • Wingspan/SSB including Employee SSB and Student Registration SSB

    • Workflow

    • Zoom

      NOTE: This list may not be 100% accurate as new systems are enabled for MFA.

    An Authenticator App is an app you can install on your smartphone that makes the login process much easier and faster than receiving a text message with a code. The recommended authenticator app is Microsoft Authenticator which is free to install.

    1. Install the Microsoft Authenticator from your chosen device's store.

      Google Android: Download from here

      Apple iOS: Download from here

    2. Once it is installed, open a web browser on your computer (NOT on your mobile phone) and log on to https://aka.ms/mfasetup.

    3. Click the button Set up Authenticator app.
      [Screenshot: Set up authenticator app]

    4. You will get to the Configure mobile app screen with the QR code. Leave that up on the screen.

    5. Go back to your mobile device and open the Authenticator app.
      NOTE: If this is the first time you have opened the app, you will be asked to add a personal account and then a work account. Press the Skip button at the bottom of the screen until you see Ready to add your first account.
      [Screenshot: Authenticator app, add first account]

    6. Click the + symbol in the upper right to add a new account.
      [Screenshot: Authenticator app, add account]

    7. When asked what kind of account you are adding, choose Work or school account.

      [Screenshot: Authenticator account types]

    8. If prompted to allow the Authenticator to access your camera, click OK.
      [Screenshot: Authenticator app, allow camera access]

    9. Next, aim the camera at the QR code on the screen.

    10. Once the system is done processing, you may be asked to allow notifications from the Authenticator app. Click on Allow.

      [Screenshot: Authenticator app, allow notifications]

    That's it! You have set up the Authenticator app. Now how do you use it?

    1. Go to a site that uses MFA and log in with your username and password.

    2. You will then see the Approve sign-in request page.

      [Screenshot: Approve sign-in request]

    3. On your mobile device, you will receive a notification about a sign-in verification request.

      [Screenshot: Authenticator notification 1]

    4. If you press and hold on the notification, the option to Approve or Deny is presented. Press Approve to complete the login process.

      [Screenshot: Authenticator notification 2]

    This is an easier, quicker option than entering a 6-digit code. Also, you don't even have to unlock your phone to approve the request! (You may have to go into the Settings of the Authenticator app and turn off "App Lock" in order to approve requests without unlocking your phone.)

    You should always have at least 2 phones registered with the system. That way you can still get into your account if you lose or forget your primary device.

    However, if you do not have an alternate authentication phone set up, you can contact the IT Service desk for assistance. An MFA administrator will be able to assist in adding or changing an authentication phone number.

    You can set up a landline as an authentication phone number. The way that works is you would receive a voice phone call asking you to press the pound (#) key to approve the login attempt.

    If you do not use a mobile device, you should set up your primary authentication phone number as the location where you most often work. Then you should set up the alternate authentication phone with the number for a secondary location where you may work.

    For example, if you work mostly from your office but sometimes from your home, you should set your office phone number as your primary authentication number and then your home number as the alternate authentication number.

    You can change your primary authentication phone whenever you like.

    You can use the Microsoft Authenticator as a code generator for when you are out of cell service. You do not have to be on Wi-Fi or have any cell service. This method will work even if your device is in Airplane mode.

    Here is how you would use this method to log on.

    1. Start logging on to a site as you normally would by entering your username and password.

    2. On the Approve Sign In Request page, click the option Sign in another way.
      [Screenshot: Approve sign-in request, sign in another way]

    3. On the Verify your identity page, choose the option Use a verification code from my mobile app.
      [Screenshot: Use verification code from app]

    4. On your device, open the Microsoft Authenticator app.

    5. Press the entry that has your Winthrop e-mail address. NOTE: It might say Winthrop University instead of Azure AD as in this image, but it should show your Winthrop e-mail address.
      [Screenshot: Authenticator app]

    6. You will then see a six-digit one-time password code.
      [Screenshot: Authenticator app code]

    7. Enter that code on the website in the Enter code field and press Verify.

      [Screenshot: Enter code]

    8. Your login will then complete.

    QUESTION: How long is a text code valid?
    ANSWER: You will have 5 minutes to enter a code received via text. After that, the request will time out.

    QUESTION: How long is an Authenticator app request valid?
    ANSWER: You will have 1 minute to approve the request. After that, the request will time out.

    QUESTION: What if I receive an approval request/text code but I didn't try to sign in anywhere?
    ANSWER: This can mean a few different things. It could be that you were signed out of a system and, when the web browser refreshed, it tried to log on automatically, triggering the request.
    It could also mean that someone knows your password and is trying to log on. The safest option is to deny the request and change your password.
    IF YOU ARE UNSURE OF THE VERIFICATION REQUEST, DO NOT APPROVE IT!

    QUESTION: What else can I do to keep my login secure?
    ANSWER: First, NEVER give out your password to anyone for any reason. If someone claims to be from IT or the helpdesk and asks for your password, do NOT give it to them. There is no legitimate reason anyone from IT will ask for your password.
    Next, if someone from IT, the helpdesk or anywhere else asks you to approve an MFA login request notification that you did not initiate, DO NOT DO IT! Just like asking for passwords, no LEGITIMATE IT/helpdesk personnel will ask you to approve an MFA request. This is usually an indication that a bad actor has your password and is trying to trick you into approving their request so they can log on to your account.

    QUESTION: What if I have a faculty/staff account AND a student account?
    ANSWER: If you have both a faculty/staff account and a student account, you will need to register both accounts. You can set up a single mobile device with both accounts. Note that you can only use the Authenticator App with ONE Winthrop account, but you can set up a single phone number as an authentication phone for both a student and a faculty/staff account.