Microsoft Authenticator - Frequently Asked Questions

 

Why is New Paltz going to use the Microsoft Authenticator system?  We already have Duo.

What is MFA?

How does the Microsoft Authenticator system work?

How do I get set up to use the Microsoft Authenticator?

What if I don't have a smart phone?

Who will need to use the Microsoft Authenticator system?

Why is New Paltz planning to use this system?

You may ask "Why is New Paltz using the Microsoft Authenticator, Duo, or any other Multi-Factor Authentication (MFA)?".  There are a number of reasons.

  • Phishing: Phishing has continued to be a significant problem both at New Paltz and at organizations worldwide.  Although the vast majority of these phishing messages are being blocked or marked as spam here at New Paltz (and many of our faculty and staff are fantastic about reporting these messages) some do get through.  At this point, the training and simulations are not a sufficient defense on their own.
  • Password reuse: Though we want all people to use a different password for all systems - we know that doesn't always happen.  People sometimes use the same password on multiple services.  When an external service gets compromised - the passwords used at that external site may be at risk.  They may be used to try to access other accounts, including those at New Paltz.  The same is true of common passwords.
  • Brute force attacks: Hackers often simply try to 'guess' passwords.  They do this based on common password patterns.
  • General security issues: The number of attacks by criminal gangs against businesses, organizations, schools, and even individuals has been increasing greatly.  It seems that a week doesn't go by without a major ransomware attack.  Many ransomware attacks start with compromised computer accounts - often of just regular users.  Once they compromise one account (faculty, staff, or student) they can use that as a foot in the door to try to trick other users, or compromise other systems.

We have a duty to protect the data of our students, faculty, staff, alumni and donors.  Even an account of someone who does not have direct access to that data - can provide a criminal a level of access to the college which could lead to a further breach.  Because of this - we need to protect accounts with more than just a user name and password.

As of Summer 2021, we have been using the Duo system in some way to protect students, faculty, and staff for the past few years.  With the login changes that happened earlier in Summer 2021, we have an opportunity to move to the Microsoft system instead of Duo.  It works much the same as Duo - but the costs are significantly lower.  It will also be easier to use and sign up for (as it supports older smart phones than Duo does - and can be used with text messages even if you don't have a smart phone or don't want to install another app).

What is MFA?

Multi-factor Authentication systems are those that require at least two of the following factors (only the first two being used by New Paltz).

  • Something you know (such as user names and passwords)
  • Something you have (such as an app on a smart phone, or a small key chain token) which is tied to your account
  • Something you are (biometrics such as fingerprints - don't worry - we have no intention of using biometrics at New Paltz - though you may have this in place on your smart phone or tablet via fingerprint or face ID scans).

An account protected by MFA cannot be accessed by one of those factors alone.  Were someone to get my password - but not have my smart phone, they would be unable to access accounts protected with MFA.  Vice-versa, if someone had my phone but not my password, they would also be unable to access accounts protected with MFA.

MFA is increasingly used to protect data on systems such as financial/banking accounts, email, social media, or other systems which are at high risk of compromise by criminals.  New Paltz has implemented, and is expanding the usage of, MFA to better protect the sensitive data, systems, and accounts that our faculty and staff are entrusted with.

How does Microsoft Authenticator work?

When you first log in to college services (such as email) after you have been added to the Microsoft system, you'll see a screen like the one below:


Screenshot of the prompt from Microsoft to set up MFA
 

When you click "Next" you'll have the choice of two authentication types: Mobile app and Authentication phone.  If you have a smart phone - we recommend the "Mobile app" option.

Screenshot of the prompt from Microsoft to choose the phone or app option
 

If you choose the mobile app option

  • You will then have two other options:
    • "Receive notifications for verification" (meaning you'll get a pop-up on your phone which you'll have to confirm)
    • "Use verification code" (this means that when you log in - you'll have to go into the app and get the 6 digit code that it displays).
  • Choose one of these buttons (we recommend the first) and click Setup.  You will be shown a link to get the free Microsoft Authenticator app (for iPhone or Android) with instructions on how to set up the app, and a QR code to scan with your phone's camera.  Follow the instructions on-screen.
    Screenshot showing the 'configure mobile app' screen, with a QR code and links to download the app
  • You'll be asked for your cell phone number as a backup (in case you lose your phone, or get a new phone).

 

If you choose the phone option

  • Change where it says "Select your country or region" to "United States" (or the country where your cell phone number is from if you have an international number), then click Next.
    Screenshot of the phone setup page
     
  • You will get a text message with a six digit code.  Enter that to verify your login.

With either the app or text message option, you can reduce the number of times you need to do this verification by clicking "Yes" when asked to "Stay signed in?".  This is not recommended for shared computers - and will not work in classrooms or computer labs on-campus, as those are set to reset every time they restart.

How do I get set up?

We are starting with a pilot group of 50 students on August 2nd, 2021.  These are students who are not already in Duo.  As of August 16th, we will add all registered students

What if I don't have a smart phone?

 

The Microsoft Authenticator system can work with a smart phone - or any phone that can receive text messages.

If you do not have a smart phone or any cell phone that can receive text messages - you can log in with a hardware security key.  We are still sorting out these options for the Microsoft system - so for now anyone who does not have a compatible smart phone, or a phone that can receive text messages, will have to be on Duo.

Who will need to use the Microsoft Authenticator system?

All faculty, staff, and students will need to use the Microsoft Authentication system, though we are still working out the details on timing.  All new faculty, staff, and students should be using the Microsoft system by the start of the Fall 2021 semester.  We will then focus on switching over people who are already using Duo.

 

Details

Article ID: 133154
Created: Thu 6/10/21 1:39 PM
Modified: Thu 7/29/21 12:25 PM