Multi-Factor Authentication FAQ
What Is Multi-Factor Authentication (MFA)?
When you sign in to your College account, a process called “authentication”, you prove your identity to the application with your username and password. Unfortunately, if your password is stolen, leaked, or guessed, somebody else can impersonate you and access College services, leading to compromise.
You may have come across Multi-Factor Authentication, or heard it called Two-Step Verification, as many online services such as banks, social media and online retailers have implemented it to keep your online accounts secure. They all work on the same principle: when you sign in to your account from a new device or application, you need to provide more than just your username and password. You need a second factor to prove who you are. Your password is one factor (something you know) and your registered smartphone is another (something you have).
How Does Multi-Factor Authentication Work?
When you sign in to your College account, you enter your username and password. If that’s all that’s needed, then anybody who knows these details can access your account. However, with multi-factor authentication enabled, when you sign in from a new device or app you are asked for an additional factor.
- If you are using the Microsoft Authenticator app (Recommended) you will need to enter the unique, dynamically created 6-digit number when prompted. Alternatively, the app may display a notification that requires you to enter the number displayed on screen.
- If you are using the text message option, the unique 6-digit code will be sent via a text message to your registered phone number.
- If you are using the phone option, you will receive an automated phone call to your registered phone number to approve the sign-in.
If a cyber criminal tries to sign in using your credentials, this is where they will get stuck. If they enter your stolen credentials and are prompted for the additional factor of authentication, they can’t sign in as you without your phone. As the codes in the authenticator app only last 30 seconds, even if they know the 6-digit number they are still locked out.
When will I get asked for Multi-Factor Authentication?
You may be worried that this is going to be inconvenient. However, you will generally only be asked when signing in from a new app or device for the first time, or when you change your password. On rare occasions our automated security systems may notice anomalous activity on your account and, as a result, require you to use multi-factor authentication.
Why do I need to use MFA?
Your credentials grant you access to College IT services and the College network. Attackers are constantly trying to steal or breach credentials to gain unauthorised access to College systems, steal data and commit cybercrimes. Multi-factor authentication makes credential-based attacks almost impossible and helps to secure our network and data from cyber criminals. Additionally, multi-factor authentication can allow you to reset your password should you forget it. See more here: https://ecg.freshservice.com/support/solutions/articles/27000059975
How do I register for multi-factor authentication?
You will be prompted to register your security information during sign in. For guidance on registering and maintaining your security information please see here: https://ecg.freshservice.com/support/solutions/articles/27000059624
What systems will I need to use multi-factor authentication on?
Initially, you will be required to use MFA for Microsoft 365 services such as Email, Teams and SharePoint. New web services such as iTrent will also require MFA. We will continue to move more of our externally accessible systems behind MFA to offer the best protection to our network.
Why do I need to install the Microsoft Authenticator app?
The Microsoft Authenticator app offers the best convenience for MFA and is the most secure method. You can respond to a notification or enter the unique 6-digit code generated in the app, which also works while offline. The Authenticator app supports any account that supports MFA, allowing you to use the same app to secure personal accounts such as social media, retail and other online services you use.
I have a new phone, what should I do?
Before you wipe your old phone, set up and register the Authenticator app on your new phone, as you will need access to your old phone to register a new device. Please refer to “How do I register for multi-factor authentication?” for guidance.
I’ve wiped or lost my phone, or got a new phone number and now can’t get into my account
Please contact ECG IT. After verifying your identity, we can reset your security information to allow you to register a new device.
I’m having trouble with multi-factor authentication
Please refer to this guidance from Microsoft: “Common problems with two-step verification for a work or school account”. If this doesn’t solve your problem, please contact ECG IT.
Can you access my device?
The Microsoft Authenticator app is not mobile device management and does not grant ECG IT any access to your device or collect any device information other than showing that you have registered the authenticator app against your account.
What if I have no phone signal or limited data?
Although approving the notification is quick and convenient, it relies on an internet connection and uses a very small amount of data. If you find yourself without an internet connection, please choose the option "Sign in another way" when prompted and you can use a verification code generated in the app. These codes are time-based and generated on your handset, and do not require any internet connection. This option is only available if you have set up the Authenticator app.
What if I forget my phone?
Although most of us couldn't be without our phones, if you do forget yours, do not panic. If you access a computer that you have used before and chose "remember this PC", you're unlikely to be asked for MFA unless your situation changes or a security issue is noticed on your account. If you're accessing College services from a College-managed computer on our secure network, you're also unlikely to be prompted for MFA.
What if I don't have a mobile phone that can be used for MFA?
If you don't have a mobile phone that could be used with MFA then please contact ECG IT so that we can discuss what options are available to you.
How is my personal information protected?
If you are using the Microsoft Authenticator app, no personal data is collected or processed. If you choose to register a mobile number instead, the mobile number is not shared or used for any purpose other than to send a 6-digit temporary one-time passcode. Your personal data is handled in accordance with the Data Protection Act 2018 and the College privacy policy.