What is Multi-factor Authentication?
Multi-factor Authentication (MFA) is an approach to online security that requires you to provide more than one type of authentication for a login or other transaction.
Also known as 'Two-step Verification', MFA adds an extra layer of protection to your account and is used on a regular basis for many online transactions such as banking, shopping, or PayPal.
MFA requires you to authenticate using:
- Something you know: your username and password
- Something you have: a trusted device, such as your mobile phone, on which to receive and respond to verification requests
You must complete both authentication steps in order to access your University Microsoft 365 account when off campus or on eduroam.
Why do I need to use MFA?
Attackers are getting better at obtaining passwords (e.g. by phishing attacks). MFA adds a second layer of security to your account, making sure your account stays secure, even if someone else obtains your password. MFA is considered best practice by IT security and industry professionals.
When will I have to use MFA?
When using a device that is off campus - this includes on the eduroam network - you will be required to use MFA when logging into Microsoft 365 services (previously known as Office 365), such as Outlook (desktop client and web app), SharePoint Online and OneDrive for Business.
You will be required to use MFA when your sign-in properties are considered high risk or unusual. This includes logging in from a new location, a new device, or a new application. When this happens, you will be informed that something unusual was detected about your sign-in and prompted to verify your identity by completing MFA registration as shown below.
There are also circumstances where your user account might be considered high risk; for example, if there are suspicious activities detected or your account details have been leaked. If this happens, you will need to prove your identity by completing MFA with one of your previously registered methods. Additionally, since someone else may have had access to your account, you will be required to change your password.
Setting up Multi-factor Authentication
Multi-factor Authentication is fast becoming essential to secure cloud-based services. For this reason, you are required to set up MFA on your University Microsoft 365 account.
We recommend you set up two or more of these authentication methods:
- Use the Microsoft Authenticator app on a mobile device (recommended)
- Receive a code by text
- Receive a call by phone
Toolkit Resource
The support resource on Toolkit has all the available written guides, video walkthroughs and further guidance:
Set-up Guides
Consult the user guide that corresponds to the authentication method that you want to use. More written and video guides are available on the Toolkit support resource.
- Set up MFA (Multi-factor Authentication) using Microsoft Authenticator App
- Set up MFA (Multi-factor Authentication) using Phone
MFA Fatigue Attacks
Multi-factor authentication (MFA) fatigue attacks are also known as MFA bombing or MFA spamming. This is a social engineering strategy where attackers repeatedly push authentication requests to your phone or registered device to overwhelm and trick you into approving access to your account.
If you receive a notification asking to approve a login and you are not accessing your account:
- Do not approve the notification.
- Change your password at www.abdn.ac.uk/password-reset (further guidance can be found in our Password Reset guide).
- You can check your recent login activity by using https://mysignins.microsoft.com/.
If you are unable to reset your password due to the volume of notifications, have further concerns or are looking for advice, please contact the IT service desk - chat online at myit.abdn.ac.uk or email servicedesk@abdn.ac.uk.
FAQs
- Do I need to keep the Microsoft Authenticator app after first set up?
- I changed my registered phone number - what should I do?
- I received an email to say my account is blocked or email/calendar no longer work on a smartphone - what can I do?
- My method of accessing email is no longer working - what can I do?
- I'm changing the mobile device I use for MFA - what should I do?
- How do I change my method of authentication (or add another method)?
- What is the Microsoft Authenticator app?
- Do I need to have a smartphone to use MFA?
- My phone number was already there when I set up MFA for the first time. Why?
- Do I need an Internet connection or phone signal?
- I have set this up but only been prompted once for MFA, how can I check I have done this properly?
- I have dyscalculia, so receiving a code isn't the best for me. Is there another option available?