Microsoft 365 Multi-Factor Authentication (FAQ)

Summary

Commonly asked questions regarding Microsoft Multi-Factor Authentication

Body

What is Multi-Factor Authentication (MFA)?

MFA is a method of authentication that requires the use of more than one verification method and adds a second layer of security to user sign-ins and transactions.

What are my authentication options?

You will be able to choose a primary authentication method when you register, which you can change or update at any time. OIT recommends using the Microsoft Authenticator app push notifications as it works internationally and provides a better user experience. International users should use the Microsoft Authenticator Application via their phones. Current options are outlined below:

Mobile Notification (Microsoft Authenticator Application Required)	*Recommended Method A push notification is sent to the authenticator app on your smartphone, asking you to authenticate your login.
Verification Code (Microsoft Authenticator Application Required)	The Mobile Microsoft Authenticator app will generate a verification code that updates every 30 seconds. You will be asked to enter the most current verification code in the sign-in screen. (This option is recommended for international users)
Phone Calls	A call is placed to your mobile phone asking you to verify you are signing in. Press the # key to complete the authentication process. Important - If your university desk telephone has been converted to a Microsoft Teams phone that requires that you log in to said phone using your NetID, you should not use this phone number as an authentication option.
Text Messages	A text message with a 6-digit code is sent to the mobile device that you will input to complete the authentication process.

What are the pros and cons of each MFA authentication method?

*Note: You are strongly recommended to set up more than one authentication method

Authentication Method	Description	Pros	Cons
Microsoft Authenticator app - Notification	The Microsoft Authenticator App pushes a notification for approval to your smart phone when signing in.	Default choice for an authenticator app when setting up MFA	Requires a smart phone
Microsoft Authenticator app - Verification Code	The Microsoft Authenticator App links to a rolling verification code connected to your Microsoft account.	Does not require an Internet connection after initial setup	Requires a smart phone
Text message (SMS)	A mobile device that is capable of receiving text messages (SMS) can be used for multi-factor authentication.	Any mobile phone that can receive text messages can be used, it does not have to be a smart phone	Requires mobile phone connectivity
Automated call on a phone	A phone that is capable of receiving phone calls can be used for multi-factor authentication.	Any phone can be used, either mobile or landline	Requires mobile connectivity if using a mobile phone. Limits access to signing in only at your desk if using an office phone, therefore highly recommended only using an office phone as a back-up MFA method.

I don't have my mobile device with me, how do I authenticate?

It happens. You left your mobile device at home, and now you can't use your phone to verify who you are. If you previously added an alternative method to sign into your account, such as through your office phone you can utilize this alternative method now. If you never added an alternative verification method, please visit the Computing Help Desk, located in the Mathewson-IGT Knowledge Center. Please bring photo ID such as your driver's license or WolfCard with you.

If my device was lost or stolen, how do I use a multi-factor authenticator?

If you've lost or had your mobile device stolen, you can take either of the following actions:

Sign in using a different method, then update your additional sign in methods to delete your device.
Please visit the Computing Help Desk, located in the Mathewson-IGT Knowledge Center, to clear your previous multi-factor authenticator settings. Bring photo ID such as your driver's license or WolfCard with you.

I'm not receiving the verification code sent to my mobile device, what should I do?

Not receiving your verification code is a common problem. The problem is typically related to your mobile device and its settings. Here are some suggestions that you can try.

Suggestion	Guidance
Use the Microsoft Authenticator app or Verification codes	You are getting “You've hit our limit on verification calls” or “You’ve hit our limit on text verification codes” error messages during sign-in. Microsoft may limit repeated authentication attempts performed by the same user in a short time. This limitation does not apply to the Microsoft Authenticator or verification code. If you have hit these limits, you can use the Authenticator App, verification code, or try to sign in again in a few minutes. You get a "Sorry, we're having trouble verifying your account" error message during sign-in. Microsoft may limit, or block voice or SMS authentication attempts performed by the same user, phone number, or organization due to many failed voice or SMS authentication attempts. If you are experiencing this error, you can try another method, such as Authenticator App or verification code, or reach out to your admin for support.
Restart your mobile device	Sometimes your device needs a refresh. When you restart your device, all background processes and services are ended. The restart also shuts down the core components of your device. Any service or component is refreshed when you restart your device.
Verify that your security information is correct	Ensure your security verification method information is accurate, especially your phone numbers. If you put in the wrong phone number, all your alerts will go to that incorrect number. Fortunately, that user won't be able to do anything with the alerts, but it won't help you sign into your account.
Verify that your notifications are turned on	Make sure your mobile device has notifications turned on. Ensure the following notification modes are allowed: Phone calls Your authentication app Your text messaging app Ensure these modes create an alert that is visible on your device.
Make sure you have a device signal and Internet connection.	Make sure your phone calls and text messages get through to your mobile device. Have a friend call you and send you a text message to ensure you receive both. If you don't receive the call or text, first check to make sure your mobile device is turned on. If your device is turned on, but you're still not receiving the call or text, your network probably has a problem. You'll need to talk to your provider. If you often have signal-related issues.
Turn off Do not disturb	Ensure you haven't turned on your mobile device's Do not disturb feature. When this feature is turned on, notifications aren't allowed to alert you on your mobile device. Refer to your mobile device's manual for instructions about how to turn off this feature.
Unblock phone numbers	In the United States, voice calls from Microsoft come from the following numbers: +1 (866) 539 4191, +1 (855) 330 8653, and +1 (877) 668 6536.
Check your battery-related settings.	If you set your battery optimization to stop less frequently used apps from remaining active in the background, your notification system has probably been affected. Try turning off battery optimization for both your authentication and messaging apps. Then try to sign in to your account again.
Disable third-party security apps	Some phone security apps block text messages and phone calls from annoying unknown callers. A security app might prevent your phone from receiving the verification code. Try disabling any third-party security apps on your phone, and then request that another verification code be sent.

If you are still unable to receive a verification code after attempting the above solutions please visit the Computing Help Desk, located in the Mathewson-IGT Knowledge Center. Bring photo ID such as your driver's license or WolfCard with you.

How often do I need to re-authenticate?

Mobile applications and desktop software (Outlook, Teams, etc.) requires re-authentication every 10 days individual to each device. Logging into the Web Portal requires MFA every new session.

I have a new mobile device, and I want to add it, how do I go about it?

If you have a new mobile device, please refer to the Managing your multi-factor authentication set-up page for instructions on adding your new phone and removing the authentication to your old phone.

What should I do when travelling abroad?

You might find it more difficult to use a mobile device-related verification method, like text messaging, while you're in an international location. It's also possible that your mobile device can cause you to incur roaming charges. For this situation, we recommend prior to travelling that you set up the Microsoft Authenticator app as a sign in method and utilize the Verification Codes option which does not require a phone or Internet connection.

Cybersecurity Attacks: MFA Fatigue - What is it and why do you need to know about it?

With the implementation of MFA comes new tactics, techniques, and procedures (TTP) malicious actors will utilize to compromise accounts.

One of the most commonly seen TTP performed against MFA protected resources is the use of MFA fatigue or "prompt bombing" by malicious actors. MFA fatigue refers to the overload of prompts or notifications a victim would receive via MFA applications. This technique only works if the malicious actor(s) have already compromised the credentials of a targeted account from a previous compromise such via phishing, brute forcing, or password spraying.

Once a threat actor has a victim's credentials, they will begin requesting approval for sign-in via the victim's MFA application. The goal for the threat actor is to overwhelm the victim's phone with MFA push notifications, hoping the victim approves one of the requests to make the notifications stop. If a victim accepts a malicious MFA request, the threat actor now has access to all data protected by MFA. Furthermore, once a threat actor has gained access to an account, they can update the compromised accounts to send MFA verification messages to telephone numbers they have access to, bypassing the need to have the compromised user approve future MFA requests.

If you receive any MFA requests that were not initiated by you do not accept them. Additionally, if you believe you are the victim for a MFA Fatigue attack please contact the OIT Support Center to update your NetID password.

Need additional assistance?

Get Help

Details

Article ID: 146583

Created

Tue 9/13/22 7:48 PM

Modified

Wed 12/4/24 5:02 PM