Multi-factor authentication
The following remarks are background and introduction. For more detailed notes, including some advice on configuring your mail client, see the Frequently Asked Questions.
IT Services will gradually be requiring that all users log in to Microsoft services using MFA. IT Services have some setup instructions.
From time to time, when you log in to a university system, you will be asked not only for your password but also to authenticate with a second mechanism. This may be clicking a button in the Microsoft Authenticator app, or entering a six-digit code from a ‘token’, which will most typically be an authenticator app on a smartphone.
This will most immediately affect access to email, but it will be turned on for a variety of other MS-based university systems as time goes on. MFA isn't a Microsoft-specific technology, so it's possible that it will be enabled for other services, eventually.
Why is this happening?
The point of MFA (sometimes also called ‘Two-factor authentication’, or 2FA) is that it means that someone stealing or guessing your password will no longer be able to use that alone to get access. Access requires the combination of ‘something you know’ (your GUID password) with ‘something you have’ (being able to quote the regularly-changing six-digit code proves you physically hold the ‘token’).
The ‘token’ here will typically be a smartphone with an ‘authenticator’ app. The University is recommending Microsoft's authenticator app, but there are a large number of ‘TOTP’ apps available for iOS and Android which work just as well, so this isn't something MS-specific. The interaction with the University's MS systems will probably be smoothest, however, and the help from the helpdesk most specific, if you're using the MS authenticator.
There are three ways that you will ‘prove you hold the token’:
- You will be asked to enter a six-digit code from an ‘authenticator app’ on your phone.
- If you are using the Microsoft authenticator app, you may receive a push notification when you try to log in.
- You can have the code sent to you via an SMS message, or have it generated on a separate key-ring sized device which you carry with you; see the FAQ.
Be careful! – Unexpected authentication requests
Key thing:
- You will sometimes receive an MFA request when you are logging in, and only after you have entered your GUID password.
- You will never receive an MFA request when you are not logging in.
If you receive such a request unexpectedly, do not press ‘OK’ on the Microsoft Authenticator app, do not enter a code into any text box, but instead contact the GU helpdesk fairly urgently.
(This might have an innocent explanation – for example an unattended computer trying to reauthenticate itself – but it might be someone with nefarious access to your password, trying to trick you into supplying the second factor.)
This advice applies to any MFA process, including, for example, for your bank.
Be careful! – Multiple accounts
When you log in to a University service, especially one using the MFA process, it is quite likely that you will be asked ‘do you want to use your work account or your personal one?’ ‘But I don't have a personal Microsoft account!’, you say. That's what you think.
Whenever you interact with a Microsoft service, Microsoft make it very easy to create a personal Microsoft account with your work email address, easy enough that it is quite possible to do this by accident. This personal account is separate from your work account, even if they share an email address.
If you are presented with such a choice, use your work account.