Multi-Factor Authentication (MFA) is part of an overall security strategy to verify user identity by requiring a secondary credential upon login.  In short, it is a security check that allows you to confirm who you are by sending a message to something you have, such as your cell phone.  Many banks, social medial sites, shopping sites, and others use MFA to send a code to your phone to confirm you are the right person.  For more information, view a short video explaining MFA.

Below are three methods for MFA supported by CBU.

Option 1:  Setting up Microsoft Authenticator on your Mobile Device (for devices with Apple iOS or Google Android)

• ! Docs - MS Authenticator App - 2022.10.19.pdf

Option 2:  Setting up Twilio Authy Application (for desktops, laptops, or notebooks running Operating Systems such as Windows, macOS, or LINUX)

• ! Docs - Twilio Authy Application - 2022.08.25.pdf

Option 3:  SMS Text Messaging

This is a list of Frequently Asked Questions concerning MFA.

CONFIGURATION Questions:

1. May I configure more than one MFA method for verification?
   • Answer:   Yes.  Having more than one method configured for MFA is recommended.  Having more than one option provides additional safety should one of your methods become unavailable (i.e., a lost or stolen phone, a phone number change, etc.).
2. How do I configure multiple MFA methods?
   • Answer:   The links above are to PDF file instructions that describe how you can setup MFA using the various methods.   If you require a "reset" on your MFA profile (starting MFA configurations from the beginning), to configure  alternative MFA methods, please contact our ITS Help Desk.
     
3. May I configure an email address for MFA verification?
   • Answer:   No.   Microsoft does not leverage email addresses as a valid MFA method within Azure AD.   The email address field that you may be seeing in the MFA configuration screen is used for "Self-Service Password Reset."
     
4. How do I update the phone number on record used for MFA?
   • Answer:   If you require assistance to update an existing phone number on record for use with MFA, please contact our ITS Help Desk.
5. How do I change my default MFA method from one method to a different method (I have more than one MFA method configured)?
   • Answer:   Log into your Security Settings using the following link: 

                    https://mysignins.microsoft.com/security-info

1. • You will see "Default sign-in method" and the hyperlink for "Change."   If you click on "Change," you will be able to select one of your other MFA methods to be your default MFA method.   Note that you must already have more than one method defined (configured).

ACCESS Questions:

1. I have a new phone number and now I can't pass MFA verification - what do I do?
   
   • Answer:   Your phone number on record for MFA will need to be updated.   If you require assistance to update an existing phone number on record for use with MFA, please contact our ITS Help Desk.
     
   • Once the phone number has been updated, we recommend that you also take a moment to configure a second method of MFA.
2. I lost my phone and wont have a new one for a couple of weeks - I cannot access CBU computer resources; what do I do?
   • Answer:   Please leverage one of the other MFA methods that are available.   If a second MFA method has not yet been configured, please contact our ITS Help Desk and let them know.   We can "reset" your MFA configuration to require re-registration (starting MFA configurations from the beginning).
3. When I log in, I no longer receive the text messages for MFA - I cannot access CBU resources; what do I do?
   • Answer:   Microsoft has imposed a limit to the number of text messages that the Microsoft system will send during a given time frame.   You may have reached that limit if you are no longer receiving the text messages.   The recommended action is to use another MFA method, specifically Microsoft Authenticator, which does not have quantity limitations.   If you require assistance to "reset" your MFA profile (starting MFA configurations from the beginning) so you can configure Microsoft Authenticator, please contact our ITS Help Desk.
4. I don't have a smartphone to install the Microsoft Authenticator App and I do not have a mobile service plan to receive text messages - I cannot access CBU resources; what do I do?
   • Answer:   We have permitted several MFA methods to be used in the CBU environment.  The "Twilio Authy" application can be installed on your computer, laptop, or tablet.
5. I installed the Microsoft Authenticator app to access CBU resources; may I also use Microsoft Authenticator to access personal applications and websites?
   • Answer:   Yes.   Microsoft Authenticator can be configured for MFA to access your Amazon account, Facebook account, Google account, PayPal account, etc. to help you improve the security of your access into those websites and services.   The list of companies that are able to leverage Microsoft Authenticator is large.

PASSWORDLESS Questions:

1. Is Passwordless authentication secure?
   • Answer:   Yes.   Passwordless authentication is considered more secure because of how it is deployed; it is also the direction the security industry has been moving in.   It’s important to understand that “Passwordless authentication” does not mean “security-less”; it also does not mean it is foolproof (no security system is infallible).   Passwordless authentication leverages the following authentication factors:
     
     • Something you Have:     a mobile device running Microsoft Authenticator (or a FIDO2 security key)
     • Something you Know:    the randomly generated number to be used with Microsoft Authenticator (or the PIN used to configure your FIDO2 security key when you initially purchased it)
     • Something you Are:        facial recognition through Microsoft Authenticator (or fingerprint recognition capable FIDO2 security key – FIDO2 security keys without fingerprint scanners must be grounded (touched) during the login process)
2. May I configure Passwordless authentication?
   • Answer:   Yes.   CBU currently supports Passwordless authentication using a FIDO2 security key.  If you own a FIDO2 security key, and you follow the instruction document to set up your FIDO2 security key for MFA, it will be capable of Passwordless authentication.  Please contact our Help Desk for the instructions to setup a FIDO2 security key for MFA.
     
3. May I use Microsoft Authenticator for Passwordless authentication?
   • Answer:   Yes.   Please submit a request through our ITS Help Desk.  
4. I configured Microsoft Authenticator as an MFA method, but my Passwordless authentication is not working – what should I do?
   • Answer:   If you've already reached out to our ITS Help Desk and received confirmation that Passwordless authentication with the Microsoft Authenticator app has been enabled on your account, open the Microsoft Authenticator app on your mobile device and go to the profile you configured to access CBU resources.   Select “Enable phone sign-in” and follow the prompts.   Once finished, you should see “Passwordless sign-in enabled” on the Microsoft Authenticator app for your profile.  
     

[Page Edited 2022.10.07 kmh]