What is MFA?
How does the Microsoft Authenticator system work?
How do I get setup to use the Microsoft Authenticator?
What if I don't have a smart phone?
What if I change phones?
What if I'm travelling internationally?
Who will need to use the Microsoft Authenticator system?
Why is New Paltz using the Microsoft Authenticator system?
What is MFA?
Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by New Paltz).
- Something you know (such as user names and passwords)
- Something you have (such as an app on a smart phone, or a small key chain token) which is tied to your account
- Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at New Paltz - though you may have this in place on your smart phone or tablet via fingerprint or face ID scans).
An account protected by MFA cannot be accessed by one of those factors alone. If someone were to get your password but did not have your smart phone, they would be unable to access accounts protected with MFA (unless you authorize a log in that you are not making). Vice versa, if someone had your phone but not your password, they would also be unable to access accounts protected with MFA.
MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk of compromise by criminals. New Paltz has implemented MFA to better protect the sensitive data, systems, and accounts that our faculty and staff are entrusted with.
How does Microsoft Authenticator work?
If you chose the authenticator app option
Once you have the Microsoft Authenticator app set up, you'll see a prompt like the following when you log in to a college service. Prior to May 8th, 2023, it will just ask you to click "Approve" in the app on your phone, but as of May 8th, Microsoft is changing to the method below.
On the web browser where you are trying to log in to a site (for example Brightspace, or Outlook), you'll see a prompt like the following with two digits shown.
On your phone, you'll then receive a notification from the Microsoft Authenticator app which will look like the following. It will show the application you are trying to log in to, the approximate location that the log in attempt is coming from, and an "Enter number here" prompt. Enter the two-digit number shown in your browser into the app to verify your log in.
Why did Microsoft change from the 'approve' option alone? Well, there have been attacks that have taken advantage of people's willingness to hit 'approve' whenever they see that prompt, even when they were not actually logging in. This would in effect let a cybercriminal who somehow obtained your password into your accounts.
If you chose the phone option
- When logging in, you'll be sent a text message to the cell number that you added to Microsoft. That text will have a six digit code.
- Enter that six digit code to continue your log in.
With either the app or text message option, you can reduce the number of times you need to do this verification by clicking "Yes" when asked to "Stay signed in?". This is not recommended for shared computers - and will not work in classrooms or computer labs on-campus as those are set to reset every time they restart.
How do I get setup?
Faculty, staff, and students are automatically enrolled in the system within 24 hours of their account being set up here. When you log in to your New Paltz account for the first time you should be prompted to set it up.
See our "Microsoft Authenticator - Getting Started" page for instructions on how to set it up.
What if I don't have a smart phone and cannot receive texts?
The Microsoft Authenticator system can work with a smart phone - or any phone that can receive text messages.
If you do not have a smart phone or any cell phone that can receive text messages - you can log in with a hardware security key. Please contact our Service Desk (845-257-HELP or via servicedesk@newpaltz.edu) and let them know you do not have a smart phone or any cell phone that can receive texts.
What if I change phones?
If you changed phones - but still have the same phone number
If you change phones - but don't change your phone number - you can reactivate the Microsoft app yourself as follows:
- When you see the Microsoft log in prompt - click "I can't use my Microsoft Authenticator app right now"
- Then click "Text +X XXX-XXX-XXXX" (the last two numbers will be shown) to receive a text message from Microsoft.
- Enter the text message they send you.
Once you do that - you can reactivate the app on your new phone by going to: https://aka.ms/mfasetup. At that site - you can choose "Set up Authenticator App" as well as set your preferred log in option.
If you changed your phone number
If you changed your phone number and no longer can receive texts at the old phone number, please contact our Service Desk (845-257-HELP or servicedesk@newpaltz.edu) for assistance.
What if I am travelling internationally?
If you think of this before you travel - you want to make sure that you are set up with the Microsoft Authenticator app - not just the text message option.
With the app option - it will continue to work if you travel and even if you change your cell phone number. If you go overseas without setting up the app, you won't be able to log in until you contact us for support.
If you aren't using the app (and are only getting text messages), set up the app on your phone by going to: https://aka.ms/mfasetup. At that site - you can choose "Mobile app" and follow the prompts to set up the app, as well as set your preferred log in option.
If travelling and have your phone, but you don't have Internet access on it
Note: If you are abroad and have the Microsoft Authenticator app set up, you can still log in even if your phone has no Internet access via the cell network or WiFi. It's just a couple of extra steps.
- When logging in, the system will try to send a text message, or send a notification to the app by default. If you have no Internet access on your phone, click the "I can't use the Microsoft Authenticator app" link.
- Click "Use a verification code"
- Open the Microsoft Authenticator app on your phone and click on the New Paltz account there. You will see a six digit code under "One-time password code". Enter that when prompted.
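Why the six-digit code in the steps above works with no network connection, shown as an added example that is not part of the original page. It assumes the app's one-time password codes follow the standard time-based algorithm (TOTP, RFC 6238, HMAC-SHA1, 30-second steps), which this page does not state; the secret is the published RFC 6238 test key, and `totp` and `verify` are illustrative names.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Phone side: the code is derived only from the enrolled secret and the clock."""
    counter = unix_time // step                      # which 30-second window we are in
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, server_time: int,
           step: int = 30, drift_steps: int = 1) -> bool:
    """Server side: recompute the code independently; no message is sent to the phone.

    Neighbouring windows are accepted so a slightly wrong phone clock still works.
    """
    for d in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + d * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False


# Constructed sample input: the ASCII test secret published in RFC 6238.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    phone_clock = 1111111109                 # phone is offline, only its clock is used
    code = totp(SECRET, phone_clock)
    print("code shown in app:", code)
    # Server clock is 2 seconds ahead and already in the next 30-second window.
    print("accepted with drift window:", verify(SECRET, code, 1111111111))
    print("accepted with no drift window:", verify(SECRET, code, 1111111111, drift_steps=0))
```

Because the code depends on the phone's clock, a phone whose time is badly wrong will produce codes the server rejects.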
Who will need to use the Microsoft Authenticator system?
All faculty, staff, and students, as well as recent alumni who still have their Office 365 accounts for ~9 months after graduation, will need to use this system.
Why is New Paltz using this system?
You may ask "Why is New Paltz using the Microsoft Authenticator, or any other Multi-Factor Authentication (MFA)?". There are a number of reasons.
- Phishing: Phishing (fraudulent attempts to get people's username & password) has continued to be a significant problem both at New Paltz and at organizations worldwide. Although the vast majority of these phishing messages are being blocked or marked as spam here at New Paltz (and many of our faculty and staff are fantastic about reporting these messages) some do get through. At this point, the training and simulations are not a sufficient defense on their own.
- Password reuse: Though we want all people to use a different password for all systems - we know that doesn't always happen. People sometimes use the same password on multiple services. When an external service gets compromised - the passwords used at that external site may be at risk. They may be used to try to access other accounts, including those at New Paltz. The same is true of common passwords.
- Brute force attacks: Hackers are often trying to just 'guess' passwords. They are doing this based on password patterns.
- General security issues: The number of attacks by criminal gangs against businesses, organizations, schools, and even individuals has been increasing greatly. It seems that a week doesn't go by without a major ransomware attack. Many ransomware attacks start with compromised computer accounts - often of just regular users. Once they compromise one account (faculty, staff, or student) they can use that as a foot in the door to try to trick other users, or compromise other systems.
We have a duty to protect the data of our students, faculty, staff, alumni and donors. Even an account of someone who does not have direct access to that data - can provide a criminal a level of access to the college which could lead to a further breach. Because of this - we need to protect accounts with more than just a user name and password.