Multi-Factor Authentication

Multi-Factor Authentication for All

Multi-factor Authentication (MFA) is a way of verifying that people logging into our systems are indeed the people we think they are.  In these times when malicious and phishing email attacks are a daily occurrence, MFA provides a way to limit the impact of these attacks and help ensure that only authorized people are accessing our systems. Through our existing licensing, we have access to the Microsoft MFA solution. This helps us to protect not only our email, but all of our data and applications connected to Office 365.  We are currently rolling out MFA for all St. Thomas Office 365 accounts in stages.    

What is MFA?

Simply put, MFA is a method of authentication that requires more than one verification method.  This adds a critical second layer of security when users sign in to their St. Thomas Office 365 account.  It does this by requiring more than one method of verifying that it is really you logging into the account.

How it works:  MFA works by requiring both of the following verification methods to access your account:

  • Something you know (your St. Thomas username & password)
  • Something you have (a trusted device - your mobile phone).

 

 

 

Getting Started

Pre-Requisites

In order to use multi-factor authentication with your St. Thomas account, you will need to ensure the following pre-requisites are met:

  • You have a phone that can receive SMS texts and/or download the Microsoft Authenticator app
  • Office 2016 is installed on your computer (if you use the full Outlook App on your computer)

Setup Multi-Factor Authentication

First, verify that you meet the pre-requisites above. Then, you will need your mobile phone, a computer, and Internet access to complete the setup.

 

1. Select Your Multi-Factor Verification Option

When you sign into your O365 account, an additional verification request is sent to you. The following is a list of methods that can be used for this second type of verification.

ITS recommends the Mobile App notification method. While it takes a bit longer to set up, it is the fast verification option, allowing you to just tap Approve on your phone.  The mobile app can also be used even when you don't have cellular coverage, by using the code generated by the app every 30 seconds.

Verification method | Description
Phone call | A call is placed to your mobile phone asking you to verify that it is you signing in. Press the # key on your phone to complete the verification process.
Text message | A text message is sent to your mobile phone with a 6-digit code. Enter this code to complete the verification process.
Mobile app notification (requires download of Microsoft Authenticator App on your phone) | A verification request is sent to your mobile phone asking you to complete the verification by selecting Verify/Approve from the mobile app. This occurs if app notification is the primary verification method. If you receive this notification when you are not signing in, you can report it as fraud.
Verification code with mobile app (requires download of Microsoft Authenticator App on your phone) | The mobile app on your device generates a verification code. This occurs if you selected a verification code as your primary verification method.

 

Detailed step-by-step MFA instructions for Mobile App with screen shots PDF:

MFA Instructions Mobile App

2. Download the Microsoft Authenticator App on your Mobile Phone

iPhone

  1. Go to App Store
  2. Search for Microsoft Authenticator
  3. Tap on the Microsoft Authenticator app to download
  4. Click "Get" to begin installation
  5. Once the app is installed, click on Open.
  6. Tap Allow on the “Authenticator would like to send you notifications” screen
  7. On the Accounts screen, tap ADD ACCOUNT
  8. Under “What kind of account are you adding?”  Select Work or school account.
  9. A pop up box will appear asking, “"Authenticator" Would Like to Access the Camera?”
  10. Tap OK (You will need to take a picture of the QR code found in the next step of setup instructions).
  11. Your camera will turn on and is ready to record the QR code. Set your phone down temporarily and go to your computer. 

Android

  1. Go to Apps, select Play Store
  2. Search for Microsoft Authenticator
  3. Click Install
  4. Once the app is installed, click on Open.
  5. On the Accounts screen, click on ADD ACCOUNT
  6. Under “What kind of account are you adding?”  Select Work or school account.
  7. A pop up box will appear asking, “Allow Authenticator to take pictures and record video?”
  8. Tap ALLOW (You will need to take a picture of the QR code found in the next step of setup instructions).
  9. Your camera will turn on and is ready to record the QR code. Set your phone down temporarily and go to your computer. 

 

3. Setup in Office 365 using the Mobile App

Complete the remainder of the setup process in Office 365 at a computer.  You will also need your mobile phone near you for the following steps. 

  1. Make sure you have already downloaded the Microsoft Authenticator App on your phone.

  2. Go to portal.office.com

  3. Sign into Office 365 on your computer with your St. Thomas account & password. Click on the blue box under your name that says “Set it up now”.

  4. In the drop down box next to Step 1:  How should we contact you? choose Mobile App

  5. Next to How do you want to use the mobile app?  Choose “Receive notifications for verification”.

  6. Click on Set up.

  7. You will see the Configure mobile app dialog box on your computer.  (You should already have the app installed on your smartphone).  On your mobile phone, open the Authenticator app.
  8. Scan the QR image displayed in your browser.
  9. Once you have successfully scanned the image, your account will be added automatically to the Authenticator app on your phone, and it will display a six-digit code.



  10. On your computer, choose Contact Me in your browser on the Office 365 page.

  11. Next you will verify that Office 365 can reach your mobile phone.

  12. You should receive a push notification on your mobile phone. Tap Approve/ Verify (Android/iPhone)

  13. On your computer you will next see the following screen.  O365 sets up an initial app password for you to use with other applications so these other apps can connect to your Office 365 account.  If you're using other apps like the default email on an Android mobile phone, you'll need to create an app password so these other apps can connect to your Office 365 account.

  14. Go to your mobile phone and open up your default email account (Note:  iPhone users - if you are using iOS 11 on your phone you will not need to use the app password for the default mail app).   You will need to change your password to the app password provided by Office 365 (like the one shown on the screenshot above).

  15. Your mobile phone should now be able to access Office 365. Go to your computer, click Done in your browser.

You are now set up to use Multi-Factor Authentication on Office 365 and on your mobile phone default email application.

 

Frequently Asked Questions

MFA is a security method for your account that helps verify that you are actually the person who is logging into your account.

How it works: 

  1. You log into your account with your St. Thomas user name & password.
  2. You will then get the notification via the method you chose during set up (a text, phone call, or mobile app verification) to verify it is you logging into your account. 

MFA adds an additional layer to the login process. 

MFA is more secure than just a password, because it relies on two forms of authentication: something you know, and something you have with you. The something you know is your password. The something you have with you is a phone or device that you commonly have with you. When your account is protected with two-step verification, that means that a malicious hacker can't sign in as you if they get your password somehow because they don't have access to your phone, too.

Here is an example:  Let's say an unscrupulous person in Antarctica steals your St. Thomas username and password.  When that person attempts to log into your account they will be prompted to verify who they are with MFA (either with a text, phone call, or through the mobile app).  Since you have your mobile phone in your possession, when the notification is sent they will not be able to provide this verification and are less likely to be able to access your account.

You will be alerted that someone tried to access your account.  Since you know it isn't you, you can then make sure to change your password and thwart the cyber criminal. 

 

 

It depends. Specifically on where you are and how you set up MFA.

Location:

  • On UST campus networks you will not be prompted for the MFA verification for O365/One.Stthomas.edu (unless you make a change to your Security settings in O365).
  • Off campus you will be required to verify using MFA. 

Settings:

30 day check box

On the MFA log in screen there is a box you can check so that MFA only prompts you for verification approximately every 30 days.

This check box needs to be selected for each different browser & computer/device you use - if you want to use the 30 day grace period.

If you use Chrome, Firefox and Internet Explorer to log into O365/One.StThomas.edu, you will need to click on the 30 day check box for each different browser. 

Additionally, if you use multiple devices to access O365/One.StThomas.edu you will need to select the 30 day check box for each different device as well.

We recommend clicking on the 30 day check box only from computers/locations that you trust, like your apartment off campus, or your parents' house.

 

 

 

An app password is just a replacement password you use for any applications you want to access your St. Thomas account.  Not everyone needs to use app passwords; it really depends on the applications you use.  Some common places app passwords are used are the default email on an Android mobile phone (Note: iPhone users, if you are on iOS 11 you will not need an app password for the default mail app on your phone).  Using the app password allows these apps to work with your St. Thomas account.  The app password created by MFA replaces your regular St. Thomas password – only for that application. Once you set up the application with the app password, you don’t have to use it again.

Note: Web based email programs like Outlook do not need to use an app password.

  1. Sign into Office 365 using your St. Thomas password on your computer.
  2. You will receive a phone call, text, or push notification (depending on the verification method you set up) to your mobile phone to verify that it is you signing into O365.  
  3. On your computer: Once you have successfully logged in click on Office 365> Choose Settings  > Under “Your app settings” select > Office 365.
  4. Choose Security & Privacy > Additional security verification > Update your phone numbers used for Account security.
  5. At the top of the page, choose App passwords.
  6. Choose create to get an app password.
  7. If you want to copy the password, choose copy password to clipboard 
    Note:
      You will not be able to see this password again once you leave this page.  You can always create a new app password if you need one.
  8. For accessing email on your mobile phone - go to your mobile phone and open up your default email account.   When prompted to enter a password, enter the app password in the password box.  

No, App passwords do not replace your St. Thomas password for logging into your account.  

The app password is used only for apps like an Android phone's default email (if you use that feature) or any non browser-based apps that you use to access your St. Thomas account.

The app password is pretty much one and done.  Enter it in the application and you shouldn't have to remember it or use it again.  If there are any problems with the app password you can simply create a new one.

On the log in screen there is a link to "sign in another way".

 

Depending on how you have set up MFA you can choose one of the following:

  • Text
  • Phone call to your mobile phone
  • Phone call to an alternate phone (only available if you have added another number in MFA)
  • Approve a request (only for Microsoft Authenticator App users)
  • Verification code from mobile app (only for Microsoft Authenticator App users)

Note:  You can add an alternate phone number at any time by going to the security settings in O365 for MFA.

If you didn't receive the notification on your phone you can choose to have the verification resent or choose a different method of verification.

To try signing in with a different method, follow these steps:

  1. On a computer, go to office365.stthomas.edu
  2. Sign into Office 365 with your username@stthomas.edu and your associated password.
  3. When the two-step verification page opens, choose Use a different verification option. 
  4. Select the verification option you want to use.
  5. Continue with two-step verification.

If you want to change how you receive your verification through Office 365, there are several options you can choose from:

  • Calling your authentication phone
  • Text a code to your authentication phone
  • Notify you through a push notification on the Microsoft Authenticator app
  • Enter a code from the App

 Instructions:

  1. On a computer, go to office365.stthomas.edu
  2. Sign in to Office 365 with your username@stthomas.edu and your associated password.
  3. Click on Office 365> Choose Settings
  4. Under “Your app settings,” select > Office 365.
  5. Choose Security & Privacy > Additional security verification > Choose Update my phone numbers used for account security.
  6. Under "what's your preferred option?" click on the drop down arrow and select the notification option you would like.
  7. Save

 

 

It is important to set up a second/ backup phone number. Because your primary phone number and your mobile app are probably on the same phone, the secondary phone number is the only way you will be able to get back into your account if your phone is lost or stolen without having to contact the ITS Tech Desk.

Note:  If you don't have access to your primary phone number, and need help getting in to your account, contact the ITS Tech Desk.

To change your primary phone number:

  1. On a computer, go to office365.stthomas.edu
  2. Sign into Office 365 with your username@stthomas.edu and your associated password.
  3. Click on Office 365> Choose Settings
  4. Under “Your app settings,” select > Office 365.
  5. Choose Security & Privacy > Additional security verification > Choose Update my phone numbers used for account security.
  6. On the Additional security verification page, select the text box with your current phone number and edit it with your new phone number.
  7. Select Save
  8. If this is the number that you use for your preferred verification option, you have to verify the new number before you can save it.

To add a secondary phone number:

  1. On a computer, go to office365.stthomas.edu
  2. Sign into Office 365 with your username@stthomas.edu and your associated password.
  3. Click on Office 365> Choose Settings
  4. Under “Your app settings,” select > Office 365.
  5. Choose Security & Privacy > Additional security verification > Choose Update my phone numbers used for account security.
  6. On the Additional security verification page, check the box next to Alternate authentication phone.
  7. Enter your secondary phone number in the text box.
  8. Select Save and your changes are finished.

There are two ways to get back in to your account.

  • Sign in using your alternate authentication phone number, if you have set one up.
  • If you didn't set up an alternate authentication phone number you will need to contact the tech desk for assistance.

We recommend using the Microsoft Authenticator App if you travel or need to access your St. Thomas account while out of the country.  

The app does a push notification (a pop up on your phone you approve to verify that it is you logging in).  It also generates a 6 digit code every 30 seconds if the push notification isn’t available.   The code doesn't require you to be on the Internet or connected to data, so you don't need phone service to sign in which is a plus for travelers. 
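
Why the six-digit code works without phone service, shown as an added example that is not St. Thomas or Microsoft code: it assumes the app follows the standard time-based one-time password scheme (RFC 6238), in which the phone and the server each compute the code from a secret shared during QR setup and the current time. The secret below is the RFC's published test key, and `verify` with its clock-drift window is a hypothetical server-side check.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds each code is valid for, as described above
DIGITS = 6    # length of the displayed code

def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    # The only inputs are the shared secret and the clock: no network needed.
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low nibble of the last byte picks 4 bytes.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, server_time, drift_steps=1):
    """Hypothetical server check: accept the current step and +/- drift_steps
    neighbours so a phone clock that is slightly off still works."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + delta * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted):
            return True
    return False

# Constructed sample: the RFC 6238 test key, base32-encoded as a QR code would carry it.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    phone_code = totp(SAMPLE_SECRET, 59)                 # phone computes offline
    print("code on phone:", phone_code)
    print("6 seconds later:", verify(SAMPLE_SECRET, phone_code, 65))
    print("minutes later:", verify(SAMPLE_SECRET, phone_code, 200))
```

A code is only accepted within a step or so of when it was generated, which is why a code read from the phone minutes earlier is rejected.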

Please contact the Tech Desk to discuss your options if you do not have a mobile phone.

techdesk@stthomas.edu
(651) 962-6230 
Toll Free: (800) 328-6819
On-campus: ext. 2-6230

St. Paul
Tech Desk Too - OEC LL08

Minneapolis
Tech Desk Minneapolis - SCH 300


Additional Resources

Need more help? Microsoft's website provides great resources and training information on using Multi-Factor Authentication for your account. Please visit Microsoft's website for their Guide on Multi-factor Authentication for an overview, getting started, how-to's, troubleshooting, and more FAQs.